Secure communications
|
|
Homer Antler
Registered User
Join date: 21 Oct 2006
Posts: 105
|
12-08-2006 10:52
Hi:
What is the best way to have secure communications between an in-world object and an external database server (i.e. PHP website)? I know that we can use HTTP request/response to send data back and forth. But how secure is that?
In this thread, I am just trying to find out from some of the gurus who may have done this in the past. Is there a way that we can be certain that the information that I send back and forth is secure? Do you have an example or a method?
Also, has there been any hack in the past into an object in-world? I mean did anyone ever break into the scripting of an in-world object? Do I have to worry about that?
Thank you.
-Homer
|
|
Script Su
Professional SOA Designer
Join date: 23 Aug 2006
Posts: 79
|
12-08-2006 11:52
There are only 2 methods: HTTP and RPC. RPC is clumsy and unnecessarily complicated for LSL scripts as there is no way to send an object a request. I use HTTP and it is SSL so it is secure and people can't sniff to find out what's going on because it is HTTPS. To use HTTP, send the HTTP request to the PHP server with a separator that you don't use very often (such as a pipe | or double ||). Then do

    $raw = $_REQUEST['raw'];
    $seperator = "||";
    $response = explode($seperator, $raw);

Then you will have the numerical array $response; you can then extract it like so:

    // raw = foo||bar
    $raw = $_REQUEST['raw'];
    $seperator = "||";
    $response = explode($seperator, $raw);
    $foo = $response[0];
    $bar = $response[1];

It is just as simple as that.
_____________________
The LSL Repository @ sf.net. The LSL Repository is dedicated to bring open source lsl programmers together and develop the best service oriented scripts. Gridworks gives you the whole package. We also have in-house builders, scripters, web programmers, and salesmen. Premium Account||Age Verified||Gridworks Executive
|
|
Homer Antler
Registered User
Join date: 21 Oct 2006
Posts: 105
|
12-08-2006 13:29
Thanks Su. I thought that we may have to worry about some loopholes. Since it is HTTPS I am sure it is secure just like any other web transaction.
|
|
Kitty Barnett
Registered User
Join date: 10 May 2006
Posts: 5,586
|
12-08-2006 19:21
There have been some full permission exploits in the past, so there is some risk that someone might be able to read the source of your script and figure everything out.
It's not very likely that this will happen, but it's a good idea to keep it in mind, especially if you're storing or accessing highly sensitive or important data.
[Edited to point out that they need to be able to get a copy of your object. If it's something only you own and no one else will ever have, then even a new full permissions exploit won't have any effect on you]
|
|
Zack Hicks
Registered User
Join date: 14 Apr 2006
Posts: 5
|
Apache Configuration
12-28-2006 07:55
I have been trying to get a secure connection (https) from SL to an Apache server but it seems to be unable to connect further but it works with a web browser. Are there any special configurations for the certificates to use, and do they have to be signed by a valid certificate authority? Any pointers would be appreciated. I get no messages in my Apache logs; it seems to fail in the SSL module.
|
|
Peekay Semyorka
Registered User
Join date: 18 Nov 2006
Posts: 337
|
12-28-2006 08:23
If it's a certificate issue, you can bypass it by setting the HTTP_VERIFY_CERT parameter to false:

    request_id = llHTTPRequest(URL, [ HTTP_VERIFY_CERT, FALSE ], "");

Otherwise you'd get a 499 error response code.
-peekay
|
|
Zack Hicks
Registered User
Join date: 14 Apr 2006
Posts: 5
|
12-28-2006 08:40
Hi Peekay:
Thanks for your reply. I am doing what you suggested but I'm still getting a 499 error response code. I'm pretty sure it's a configuration issue on the kind of certificate SL expects. Maybe someone could post the commands they used to generate their keys and certificates?
|
|
Peekay Semyorka
Registered User
Join date: 18 Nov 2006
Posts: 337
|
12-28-2006 09:07
openssl genrsa 1024 > myhost.key
openssl req -new -x509 -nodes -sha1 -days 365 -key myhost.key > myhost.crt
-peekay
|
|
Zack Hicks
Registered User
Join date: 14 Apr 2006
Posts: 5
|
12-28-2006 09:59
Hello again:
I've tried it again using the keys generated from your commands but I'm still getting the same error. I've confirmed this from someone in SL and he was also able to connect using his own web browser outside my firewall. Should I post my Apache configuration? Thanks again.
|
|
Peekay Semyorka
Registered User
Join date: 18 Nov 2006
Posts: 337
|
12-28-2006 18:55
If you don't mind, post (or IM) a valid url to your server... perhaps we can examine the certificate as transmitted and see if there's something unusual with the response.
Maybe create a one-liner test file we can access from http & https.
-peekay
|
|
Zack Hicks
Registered User
Join date: 14 Apr 2006
Posts: 5
|
12-29-2006 04:48
I'll IM my url as soon as the grid is back up. 
|
|
Peekay Semyorka
Registered User
Join date: 18 Nov 2006
Posts: 337
|
12-29-2006 04:57
I'm in (the nearly empty) world and can be IMed through email at 3df4c58a-acc5-d0c1-304b-30fe48f7049d@lsl.secondlife.com.
|
|
Peekay Semyorka
Registered User
Join date: 18 Nov 2006
Posts: 337
|
12-29-2006 09:32
Hi Zack,
The certificate's Common Name (CN) must match the server's URL. If you're using an IP address, the CN must be the IP address (without the port number); otherwise, the CN has to be the server's fully qualified domain name.
Right now it's trying to match the wrong CN with the URL and it will fail even with HTTP_VERIFY_CERT set to false.
Regards,
-peekay
|
|
Zack Hicks
Registered User
Join date: 14 Apr 2006
Posts: 5
|
12-29-2006 11:22
Hi Peekay: That was it!!! I've created a ddns account and recreated the certificates with the given Hostname and all is fine now. Thanks a lot for your help. 
|
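The name mismatch diagnosed at the end of the thread can be checked locally before pointing a script at the server. The following is an added example, not code from any poster: it issues a self-signed certificate named after the host part of the request URL and confirms the match with `openssl x509 -checkhost` / `-checkip`. The function names and sample hosts are hypothetical; it assumes OpenSSL 1.1.1 or later, uses a 2048-bit key with SHA-256 instead of the parameters quoted above, and also sets subjectAltName because current TLS clients match on it rather than on the CN alone.

```shell
#!/bin/sh
# Added example (hypothetical helper names; IPv4 addresses and DNS names only).

# url_host URL -> host part of an http(s) URL, without scheme, port or path
url_host() {
    h=${1#*://}     # drop the scheme
    h=${h%%/*}      # drop the path
    h=${h%%:*}      # drop the port
    printf '%s\n' "$h"
}

# make_cert HOST KEYFILE CRTFILE -> self-signed cert with CN and SAN set to HOST
make_cert() {
    case $1 in
        *[!0-9.]*) san="DNS:$1" ;;   # contains something other than digits/dots
        *)         san="IP:$1"  ;;   # dotted-quad IPv4 address
    esac
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
        -subj "/CN=$1" -addext "subjectAltName=$san" \
        -keyout "$2" -out "$3" 2>/dev/null
}

# cert_matches_url CRTFILE URL -> exit 0 if the cert is valid for the URL's host
cert_matches_url() {
    host=$(url_host "$2")
    case $host in
        *[!0-9.]*) flag=-checkhost ;;
        *)         flag=-checkip   ;;
    esac
    # openssl prints "... does match certificate" or "... does NOT match certificate"
    openssl x509 -in "$1" -noout "$flag" "$host" | grep -q 'does match'
}

# Constructed usage: the URL is the one the in-world script would request.
# make_cert "$(url_host 'https://sim.example.org:8443/test.php')" myhost.key myhost.crt
# cert_matches_url myhost.crt 'https://sim.example.org:8443/test.php' && echo match
```

A certificate that passes this check for the exact URL used in llHTTPRequest avoids the name mismatch described above without relying on HTTP_VERIFY_CERT.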