Difference between revisions of "Web Textures"

From Second Life Wiki
Jump to navigation Jump to search
Line 61: Line 61:
Using web textures in an attachment (particularly a HUD) provides an attacker the greatest oppportunity to ensure that they have a correct match to an IP address, so while this is not that useful for bulk data gathering it's particularly problematic for targeted attacks. It would probably be best not to make web textures on attachments an exception to any wider restrictions. Web textures on HUDs, though, are particularly useful, so there should be some mechanism to allow a user to grant their own attachments the right to load web textures even if they are otherwise disabled.
Using web textures in an attachment (particularly a HUD) provides an attacker the greatest oppportunity to ensure that they have a correct match to an IP address, so while this is not that useful for bulk data gathering it's particularly problematic for targeted attacks. It would probably be best not to make web textures on attachments an exception to any wider restrictions. Web textures on HUDs, though, are particularly useful, so there should be some mechanism to allow a user to grant their own attachments the right to load web textures even if they are otherwise disabled.


*Pro: Allows cautious users to use attachments.
*Pro: Allows cautious users to use web-enabled HUDs.
*Pro: Promotes effective low-lag tools.
*Pro: Promotes effective low-lag tools.



Revision as of 15:04, 26 January 2007

Summary

This page is about dynamic web textures, a feature to allow an LSL script to assign an image URL to a face and cause it to dynamically update from the script. This is not HTML-on-a-prim, though it shares some of the same complications regarding anonymity.

This raises a potential issue regarding Expected Privacy. The only practical way to accomplish dynamic web textures is to let the client download the image directly. This will expose user's IP addresses. This issue is also there for HTML on a prim, though the limitations several Lindens have mentioned to reduce the processing overhead of HTML on a prim - similar to the current limitations for media textures - make it less likely to be easily abused.

We are looking toward making it possible for prims to reference external websites for texture information, which is where PNG textures would start to come into play. -Phoenix Linden

Benefits of this feature

  1. Negates the need for scripts like XyText that are very laggy when dynamic displays are large.
  2. Allows for things like streaming news service HUDs.
  3. Interactive games can present large amounts of off-world data.
  4. Corporations that already have many dynamic web assets can reuse them in-world.
  5. Live porn.
  6. Web Cams.

Potential LSL implementation

llSetTextureURL(integer face, string url);
llRefreshTextureURL(integer face);

Example with text generation script:

llSetTextureURL(1, llUrlEncode("http://example.com/getpng.php?text= " + text + "&font=futura&rez=512x512");
llRefreshTextureURL(integer face);


Suggested Privacy Protections

Because this feature would expose the IP address of an agent in a way that could identify the agent, especially on a HUD, several suggestion were made to enhance privacy protections. They are listed in order of least effort to implement to most effort.

Do nothing, just implement it

  • Pro: Feature itself is somewhat easy to implement, if images are powers of 2
  • Pro: Sets precedent for other features that may expose IP association information.
  • Con: Sets precedent for other features that may expose IP association information.
  • Con: Unannounced loss of privacy.
    • Mitigation: Announce it first.
  • Con: Could become a public relations nightmare if users react badly.

Global on/off, with one time dialog opt-in

The client could prompt the first time you encounter a web texture, and ask you if you want to enable it, warning you that it will expose your IP address to third parties. This would be similar to the way parcel streaming media prompts the first time you encounter a parcel with it set.

  • Con: The user is asked to make technical decisions they might not understand.
  • Con: The user must sacrifice all dynamic web content to get privacy for their IP.
  • Pro: No annoyance for those who don't care about exposing IP associations.

Proxy Options

The client would provide a place to enter a HTTP proxy address for web textures. This would allow the user to enter an anonymizing proxy service if they want to.

  • Pro: Easy to implement
  • Pro: Proxy support will be needed anyway for the general move to HTTP texture transfers for regular asset textures.
  • Con: Configuring proxy settings for anonymizing proxies can be extremely difficult even for professionals.
    • Mitigation: this work can be hidden by the browser or browser extensions, so SL or a plugin for SL could do the work.
      • But there isn't such a plugin mechanism yet.
  • Con: Anonymizing proxies are slow and unreliable.
  • Con: Proxy support is not even implemented yet for the help browser
  • Con: Default settings (no proxy) expose users to privacy violations.
    • Which means this is likely to be a PR disaster.

Attachments

Using web textures in an attachment (particularly a HUD) provides an attacker the greatest oppportunity to ensure that they have a correct match to an IP address, so while this is not that useful for bulk data gathering it's particularly problematic for targeted attacks. It would probably be best not to make web textures on attachments an exception to any wider restrictions. Web textures on HUDs, though, are particularly useful, so there should be some mechanism to allow a user to grant their own attachments the right to load web textures even if they are otherwise disabled.

  • Pro: Allows cautious users to use web-enabled HUDs.
  • Pro: Promotes effective low-lag tools.

Dialog Boxes

The client could pop up some sort of dialog when attaching a HUD with web textures, asking if you want to allow the HUD to use them.

  • Pro: Easy on the scripter.
  • Pro: Implemented entirely in the client.
  • Con: The user is asked to make technical decisions they might not understand.
  • Con: It's a unique mechanism.
  • Con: Dialog boxes are annoying.
  • Pro: Establishes precedent for other useful client-side security and privacy tools
    • Or is that a con? :)

The Permissions system

Alternatively, this could be done through the normal LSL permission system with a permission request, and something like PERMISSION_TEXTURE_URL.

  • Pro: Already well-understood interface.
  • Con: Dialog boxes are annoying.
  • Con: The user is asked to make technical decisions they might not understand.

Whitelists

This could simply be handled the same way as third-party textures in the proposal below. The same pros and cons apply.

White/Black List

Similar to Firefox/IE popup blocking, the client could manage white/black lists.

  • Pro: Flexible and complete control
  • Pro: users not concerned about privacy could select "Accept everything"
  • Con: If poorly implementd, this would cause a lot of user input: (for example, thousands of prompts per second for someone flying over the mainland).
  • Con: The user is asked to make technical decisions they might not understand (the user might be tricked, they might not know who to trust).
  • Con: Very complex to implement, UI elements hard to design effectively.
    • Mitigation: Using existing controls (texture cues, pie menu) would simplify the implementation and make the interface more familiar.
  • Con: Reinstalling could lose settings.
    • Mitigation: Selecting a "safe default" would protect naive users.

Suggested implementation:

Safe but convenient default behaviour.

  • Textures on prims set to the land group are automatically loaded by default.
  • Optionally - Textures set by scripts created by you, or owned by and readable by you are automatically loaded by default.
  • All other textures are left unloaded.

No popups.

  • Unloaded HTML textures have a distinct appearance.
  • Optionally - Left-clicking on the object will load the unloaded texture(s).
  • Right-clicking on an unloaded HTML texture will bring up the pie menu, and a pie menu option will allow you to load the textures on the object or whitelist it.
    • Load the textures on this object.
    • Always load textures on this object
    • Always load textures from objects owned by this person
    • Always load textures from objects in this group
  • You can also remove these permissions if they are set.

Simple preferences

  • Privacy setting: only three levels of privacy:
    • Low - load all HTTP textures and HTML-on-a-prim automatically.
    • Normal - default behaviour described above.
    • High - No HTTP textures are loaded.
  • Button to clear textures.

What is required of the Sim

When an HTTP texture is sent to the client, it's bundled with some UUIDs:

  • The owner of the object.
  • Optionally - The creator of the script that set the texture.
  • The group of the object.

Change Users Privacy Expectation

Make it clear to the users that their IP address association with their avatar name is not private information and can't be protected while still providing dynamic and seamless integration with the rest of the Internet.

  • Pro: No technical implementation necessary.
  • Con: Not easy.

Trusted hosting partners

Have one or more trusted hosting partners that would provide scriptable webspace on standard Linux servers. The key difference is that the partners could not allow the IP address of clients to pass through to the scripting language.

  • Pro: Fully fixes privacy problem, with no effort required from the end user.
  • Con: Hard to monitor trusted partners for compliance if more than one.
  • Con: If only one, then developers have no choice.
  • Con: Business risk from close external relationship with other company if only one provider.
  • Con: Not in the spirit of SL.

Linden Lab Webhosting

Linden Lab would could offer their own webhosting that withholds end user IP similar to above.

  • Pro: Fully fixes the privacy problem
  • Pro: Could also be used as a super low latency way to do HTTPRequest calls to a web server. HTTPRequest limits could be raised for requests to these servers.
  • Con: LL is not a web hosting company.