Welcome to the Second Life Forums Archive

Detecting group key

Pedro McMillan
SLOODLE Developer
Join date: 28 Jul 2007
Posts: 231
03-17-2009 06:46
Hi all,

I've got a bit of a security challenge question here.

We've been discussing some changes to our SL-web security/authentication system over at SLOODLE, and the use of SL groups came up as a potential security measure. The principle is that if an object is deeded to a particular group, you can be certain it was set up by an authorised agent. It's been proposed (and I am dubious about this) that the object simply uses "llGetOwner" to find the group's UUID key, and sends that key out to our webserver as a kind of password. (The webserver will have been previously informed of the 'correct' key.)

We are wondering how secure that would be. People could obviously make fraudulent requests to our webserver if they ever found out the group's UUID key.

So, the question is, short of random guessing (which would take ages), can a person discover the key of a group, even if they are not a member of it?


Thanks,
-Pedro
Dora Gustafson
Registered User
Join date: 13 Mar 2007
Posts: 779
03-17-2009 07:26
If they can spot some land owned by your group they probably can with: llGetLandOwnerAt()
_____________________
From Studio Dora
Jack Abraham
Lantern By Day
Join date: 11 Apr 2008
Posts: 113
03-17-2009 07:30
Or they can do llGetOwnerKey() on a group-owned object. Your group key is not a secure password.
Very Keynes
LSL is a Virus
Join date: 6 May 2006
Posts: 484
03-17-2009 07:45
Or they can get the group name and do a SL Search on it, that will return the group key too.
Pedro McMillan
SLOODLE Developer
Join date: 28 Jul 2007
Posts: 231
03-17-2009 07:52
As I suspected. I've never done anything with groups but the occasional "llSameGroup" query, so I wasn't sure.

Thanks for the input everyone. Very helpful. :-)
Hewee Zetkin
Registered User
Join date: 20 Jul 2006
Posts: 2,702
03-17-2009 09:06
You don't need to have the object explicitly send the owner key. The 'X-SecondLife-Owner-Key' HTTP header added by llHTTPRequest() will be the group's key if the object is deeded. And there's no way to spoof that (yet) provided you CAN verify that the request is coming from an LSL script. That part IS a bit of a trick. You should check both that the request has the expected custom HTTP headers and that it comes from the set of IP addresses owned by Linden Lab.

The best way I know of to do this is to use the ranges found in http://wiki.secondlife.com/wiki/Simulator_IP_Addresses and make sure that you check now and then to synchronize with any changes. Can't hurt to do a WHOIS on at least one address in the range to verify as well, and possibly keep track of addresses in any denied requests to do WHOIS checks on them and modify your ranges for any addresses missed as well. You can do a domain check against 'secondlife.com' and 'lindenlab.com' instead or in addition, but I've found that particular reverse domain name lookup to be less than reliable.

Oh. Remember to caution anyone using group ownership in this way to be careful about which members have the ability granted that lets them deed objects to the group.
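
The check described in the post above, as an added example (not code from this thread or from SLOODLE): accept a request only if its TCP peer address is inside the allowed simulator ranges and its 'X-SecondLife-Owner-Key' header equals the expected group key. The function name, the constructed group UUID and the network list are assumptions; the ranges shown are RFC 5737 documentation blocks standing in for the real list on the wiki page.

```python
import ipaddress
import uuid

# Constructed placeholder ranges (RFC 5737 documentation blocks), NOT Linden Lab's.
# Load the real list from the Simulator_IP_Addresses wiki page and refresh it regularly.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]
OWNER_HEADER = "X-SecondLife-Owner-Key"
REQUIRED_HEADERS = (OWNER_HEADER, "X-SecondLife-Object-Key")


def check_request(peer_ip, headers, expected_group_key, networks=ALLOWED_NETWORKS):
    """Return (accepted, reason). peer_ip must be the TCP peer address seen by
    the server, never a client-supplied value such as X-Forwarded-For."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False, "bad-peer-address"
    # Source check first: the headers prove nothing unless the simulator set them.
    if not any(addr in net for net in networks):
        return False, "source-not-in-allowed-ranges"
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    for name in REQUIRED_HEADERS:
        if name.lower() not in lowered:
            return False, "missing-header:" + name
    try:
        owner = uuid.UUID(lowered[OWNER_HEADER.lower()])
        expected = uuid.UUID(expected_group_key)
    except ValueError:
        return False, "malformed-owner-key"
    if owner != expected:
        return False, "owner-is-not-the-group"
    return True, "ok"


if __name__ == "__main__":
    group = "11111111-2222-3333-4444-555555555555"  # constructed sample key
    hdrs = {
        "X-SecondLife-Owner-Key": group,
        "X-SecondLife-Object-Key": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    }
    # Same headers, different sources: only the in-range peer is accepted.
    for ip in ("192.0.2.10", "203.0.113.5"):
        print(ip, check_request(ip, hdrs, group))
```

The returned reason string can be logged together with the peer address, which gives the list of denied addresses the post suggests reviewing with WHOIS.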
Very Keynes
LSL is a Virus
Join date: 6 May 2006
Posts: 484
03-17-2009 12:30
From: Hewee Zetkin
... and that it comes from the set of IP addresses owned by Linden Lab.
That is easy at the moment, just query Spamhaus, if the address is blacklisted it's probably a LL server :) Sorry, couldn't resist.
Lesheran Odriscoll
Neko Taco Pirate
Join date: 24 Dec 2007
Posts: 27
04-02-2009 17:15
From: Pedro McMillan
Hi all,

So, the question is, short of random guessing (which would take ages), can a person discover the key of a group, even if they are not a member of it?

Thanks,
-Pedro


Group keys are displayed at the bottom of the group info when you look at them in search.

Like this
Link to this page: http://world.secondlife.com/group/69f6fbe9-8aab-ac4f-1f74-09db84a84bed
Osprey Therian
I want capslocklock
Join date: 6 Jul 2004
Posts: 5,049
04-02-2009 17:17
/me joins the taco group.