Difference between revisions of "Viewer Authentication Critique"

From Second Life Wiki
Jump to navigation Jump to search
Line 36: Line 36:
** Links to secondlife:// can only point to one instance (version, e.g. homebrew, release candidate official) of the program
** Links to secondlife:// can only point to one instance (version, e.g. homebrew, release candidate official) of the program
** Links to secondlife:// can not pass parameters to the program
** Links to secondlife:// can not pass parameters to the program
*** In fact allowing that was a security flaw recently found and fixed in the SL client. :(
<br>
<br>
* Possibility some third party clients will retain the existing UI in order to make it easier for people with alts and multiple clients, and do appropriate GETs and POSTs on the SL to initiate a logon and get the token (thus defeating the original purpose)
* Possibility some third party clients will retain the existing UI in order to make it easier for people with alts and multiple clients, and do appropriate GETs and POSTs on the SL to initiate a logon and get the token (thus defeating the original purpose)

Revision as of 19:54, 29 September 2007

This is a formal critique of Viewer Authentication that was requested by User:Rob Linden on the SLDev mailing list.

For a branch of the discussion see Talk page on the original proposal.

Security

LL's Objectives

  • To mitigate the danger of password capturing Trojans masquerading as third party viewers
  • Improve trust in third party viewers by providing a means of assurance to the user that the third party viewer could not be a Trojan capturing usernames and passwords.

Pros

  • Viewer does not have to process (and "see") username and password

Cons

  • The main risk of running a third party viewer (or any other application not provided by Linden Labs) is not stealing passwords, it's direct attacks through the client... and the "official" client is not really any protection against that.
    • Viewer still involves running trusted code on the computer and could initiate other attacks e.g.
      • Silently buy L$ and pass onto another account
      • Pass token onto bot, and drop the users connection
      • Install key logger to monitor the next website login
      • Salami slicing - make additional small or duplicate payments to cutout when user purchases or pays in game.
    • Most of these attacks could be performed by any third-party software designed for use with SL
      • A local support program could install a keylogger.
      • A local support program could inject code into the client.
      • Look at 'cheating' tools in MMORPGs for possible approaches.
  • Potential for naive user to believe this reduces all risks in using a third party viewer.
    • Or any third party software. :)
  • Bottom line here is that third party viewers are a very small risk for the user.


  • In fact the bigger risk is from the web browser!
    • Potential for phishing websites to entice users to enter username and password and then pass control to SL website and viewer.
      • This kind of attack is not theoretical, phishing websites are a criminal industry.
    • Relies on browser security, and uses a mechanism often disabled or filtered due to security concerns
    • Too reliant on browser/OS implementations (proxies, firewalls, used browsers, etc.)


  • And the mechanism itself is relatively inflexible.
    • Links to secondlife:// can only point to one instance (version, e.g. homebrew, release candidate official) of the program
    • Links to secondlife:// can not pass parameters to the program
      • In fact allowing that was a security flaw recently found and fixed in the SL client. :(


  • Possibility some third party clients will retain the existing UI in order to make it easier for people with alts and multiple clients, and do appropriate GETs and POSTs on the SL to initiate a logon and get the token (thus defeating the original purpose)
    • The issues raised in the next section would mean that people would have an incentive to use this kind of client.

Alternatives

  • One time passwords (for copy paste into a non-secure viewer or to print and take with you to friends, internet cafes, public terminals, etc.)
  • lower perm passwords (pwds which put the account into a restricted state, disallowing "dangerous" transactions)
  • separate passwords for website account and being inworld
  • Account restrictions
  • CRAM-MD5 or a similar challenge-response type
  • Dictionary check to reject insecure passwords

Other Issues

  • The main existing vulnerability involving the viewer and passwords is that the viewer does not use a cryptographically secure mechanism to pass the password to the server, not that the viewer may be stealing the password.
  • In practice, trapdoored unofficial third party clients for applications have not historically been a major problem. This seems to be attacking an exposure that is primarily theoretical, and using a mechanism that has been known to be exploited to solve it.



Flexibility

LL's Objectives

  • Single Sign On - allowing multiple web applications (forums, support, account, jira, wiki etc.) and viewers to use the same username and password through a single point without duplicating usernames and passwords into multiple systems
  • Extension of this to allow non-LL applications and web sites to participate in this single sign on system.

Pros

  • Enables username/password authentication to work on third party sites without them having to "see" username and password

Cons

  • This is really an unrelated issue...
    • The client doesn't need to depend on the website for this purpose, or this could be a command line option.
    • The client could just as easily be the 'authentication source' as the website.
      • Via a "go to website" link in the client that passed an equivalent token.


  • As noted in section 1, this reduces flexibility for the *users*.

Alternatives

  • Use this mechanism for websites (including third party) only but not for viewers
  • Identity Metasystem - [1]




Persistence

LL's Objectives

  • To integrate the various LL's systems (forums, support, jira, account, etc.) so that by logging onto one, you are automatically logged onto the others.

Pros

Cons

  • As in the previous section, LL's objectives could be met without the browser logging in via the same mechanism.
  • Inconvenient for those with alts
    • Cumbersome to change alts and logon with multiple alts
    • Those with alts, often have a primary account which is used for forums and logged on permanently to forums even when the alt is online in SL
  • Inconvenient for those with multiple clients
  • Danger on public or multi-user machines that the user will log out of the client, but not log out of the website properly allowing the next user to access their account.
  • Staying online on secondlife.com (which many people seem to do) automatically means anyone with access to the computer/browser (family) can log in with the account inworld

Alternatives

  • Is this really needed?

Other issues

  • Is this kind of persistence desirable for the client? SL is not an extension of the web, it's a different kind of interface... one that has the potential of becoming a "3d web".




Misc

  • this should be an option for those who have increased security needs, users should be able to make their own risk/convenience decisions
  • the feature especially forces those into an extra login step, who use an official viewer (homebrews will most likely quickly implement a way around this for convenience)
  • starting SL from the web browser on a regular basis will most likely result in the web browser lingering in memory in the background when running the viewer, which based on the heavy memory requirement may impair viewer performance.
  • this would make things harder for independent grids to use the official client. Is this considered an advantage or a disadvantage by LL?




Signatories

Please sign this below with "~~~~" if you agree with the version of this document you are reading. The date will indicate which version of the document you read and agree with.