Linden Lab Official:Technical overview of Second Life security

From Second Life Wiki
Revision as of 14:37, 9 September 2011 by Rand Linden

Account information (password, payment info)

Linden Lab does not distribute Resident account information. Here's what our Terms of Service say:

6.1 Linden Lab uses your personal information to operate and improve Second Life, and will not give your personal information to third parties except to operate, improve and protect the Service.

PCI Compliance

Linden Lab® is PCI compliant.

Login security

Your Second Life client login uses password-only authentication over secure HTTP. At no time does Linden Lab have access to your password itself. Your password, and any information entered through your My Account page on the Second Life website, is encrypted and sent over a secure HTTP connection.

Second Life Viewer security

The Second Life Viewer:

  • Provides a connection to Second Life that does not compromise your computer's security. We believe the client is not subject to a remote exploit.
  • Uses a Vivox plugin for spatial and group voice chat, checked and provided exclusively by Linden Lab. The viewer does not use any other third-party plugins, nor is there currently a plugin architecture.
  • Can launch your default web browser, but does not have the capability to launch other arbitrary applications.
  • Has an unencrypted cache, but it does not include account information; it only contains object (inworld inventory and assets) information.

Text chat and voice chat are not currently encrypted; see the next section, Private spaces in Second Life, for information on how to secure a private location from unwanted listeners.

Private spaces in Second Life

Any business or individual can buy a Private Region as part of an Estate in the Second Life world. A single Private Region resembles a small island, and can be linked together with other Private Regions to form a larger landmass. These Regions provide a highly manageable environment for conducting private business in the virtual world of Second Life.

A Region owner may choose to exercise full control over access to Private Regions in the Estate. The Region's included administrative tools enable its owner (and designated managers) to create an access list, by individual or group, ensuring that only approved users can enter the Region.

A Private Region is secure from eavesdropping. The Region is surrounded by an equivalent void space, represented by water; void space cannot be crossed by walking, running, flying, or by camera.

The only visibility that outside Residents (users) have into a secure Region is through the world map, which can present an abstract overhead view of your Region, as if viewed from extreme altitude. To prevent even this level of access, you may choose to construct a high "roof" over portions of your Region, effectively blocking the aerial view.

There is one possible security concern on properly secured Private Regions: An object or attachment (for example, hair, a wristwatch, or a vehicle) brought into the space could potentially contain an LSL script that records text chat or local avatar and object names. However, no LSL script can listen to Instant Messages (including Group IM, unless the chat targets the scripted object), voice communication, or media streams, nor can an LSL script directly capture visual content such as objects or textures.

Voice chat

Your ability to hear others in spatial voice chat is tied to either your avatar position or your camera position, depending on your preference settings, and this is enforced in code that does not exist in the open source viewer. If tied to your avatar, your maximum hearing distance is up to 60 meters from your avatar's position. If tied to your camera, your maximum hearing distance is the maximum tethered distance of your camera (50 meters) plus 60 meters, for a total of 110 meters from your current position.

In no case can your hearing traverse a void space to "listen in" on private regions. Also, even if your avatar is encased in a transparent globe and invisible to others around you, your avatar name always appears in the "Near Me" list of voice listeners and speakers. There is no way to defeat this detection method via the open source viewer.

Voice data passes through servers owned by Vivox, the company that provides Second Life's voice communication technology. If necessary, voice communication can be disabled in the Second Life viewer's preferences, at the land parcel level, or at the Region level.

While it's possible for Linden Lab to work with Vivox to capture or log portions of conversations (either spatial or group voice chat) for diagnostic purposes, we do not do so as a matter of course unless we are diagnosing quality problems.

For more information on voice services, see Voice/Technical.

Data security

We take the security of your data very seriously.

Linden Lab's servers reside in secure hosted facilities. The server does not "trust" the client (Second Life viewer), and all access requires a login token to establish your identity and permissions, including land access. It is impossible to impersonate other clients or accounts, and we restrict multiple concurrent logins for the same account.

Your land (the Private Region, also called a simulator or "sim") runs on servers hosted specifically for Linden Lab, as do all backbone data services, including inventory, server logs, communication, and other content.

All Linden Lab employees, contractors, and third party service providers make every reasonable effort to ensure Residents enjoy a reasonable expectation of privacy. As a Private Region owner, if you are concerned about an employee's activity on your Private Region, you may ask us to verify their activity.

Because of our policy, and the vast amount of data generated by Second Life, the chance of an employee viewing confidential information is exceptionally small.

Stream data

Voice, web, audio, and video streams do not pass through Linden Lab's servers; they are accessed directly by the Second Life viewer. One way to keep your content secure is to use one of these distribution methods.

Streaming content attached to a land parcel can use HTTPS to provide a secure stream, and is not routed through Linden Lab's servers. The Second Life viewer pulls the streaming content directly from its source.

Important: Conversely, the owner of a parcel of land may use their streaming media source to determine your IP address. If you are not on your own land, you may choose to disable reception of streaming media in the Second Life viewer's preferences.

Data retention

Linden Lab only retains data as necessary to operate Second Life.

Instant message and text chat logs are retained for a period of two weeks or less in order to assist us in the resolution of abuse reports. For various legal reasons, we may occasionally retain data for longer than two weeks.

Voice chat is not logged, except for diagnostic and troubleshooting purposes. Voice uses a separate data channel and does not pass through Linden Lab's servers.

Content is stored on our asset servers; our purging routines may leave content on a server longer than it is in your inventory. We also take hourly snapshots of each simulator's Region state for recovery purposes; these snapshots are retained with decreasing frequency as they age.

Any of this stored content is only viewed under the following circumstances:

  • You request it.
  • A subpoena is served about the content.
  • We are using the content to try to debug a problem that we think is related to it.

Locally-hosted servers

Second Life is a client-server-server architecture: the land server only holds land data and aggregates information about objects and avatars to create the data set your Second Life viewer (the client) translates into a 3D view. Avatar data, authentication information, identity data, inventory, and many other services necessary to create the Second Life experience reside on our backbone services servers and their associated databases. Our current architecture does not anticipate moving these services away from Linden Lab's servers.