[Opensim-dev] Security: multiple or the most generic?
Diva Canto
diva at metaverseink.com
Tue Apr 14 15:38:57 UTC 2009
And while this kind of spoofing may look absolutely scary in the context
of a web of VWs, it may be a feature in game applications.
Diva Canto wrote:
> Michael Cortez wrote:
>> Any particular reason why the system could not use the SessionID
>> (established for the source region) to validate the user as they
>> transfer to the destination region -- but once validated, a new
>> SessionID is generated for the target region and the old SessionID
>> invalidated -- or if not invalidated, at least make it useless without
>> some region key, thus giving you a unique key-pair? This would give
>> you a unique "key" for each region, without the client having to be
>> modified {negotiation of new Sessions would be done between the region
>> and the authentication server.}
>
> This brings no more security than session authentication. In the case of
> trusted sims, you don't need to change the session id, because all sims
> will do the right thing. In the case that some sims are not trusted,
> having unique keys (or changing session ids) by the regions does not
> prevent spoofing by rogue sims. They will simply change the session id
> and launch a user agent at another region which they have complete
> control of. Very concretely, you may end up with the region you are
> visiting launching an agent on your behalf into another region, and
> doing actions on your behalf, without you knowing about it. So "your"
> agent may be having conversations with other people on your behalf, for
> example, etc.
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
>
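The argument in this exchange, as an added toy model (not code from OpenSim or from either poster): the authentication service accepts a session rotation from whichever region currently holds the session, so it cannot tell a transfer the user requested from one the visited region started on its own. The `AuthServer` class, its methods and the region names are assumptions made up for illustration.

```python
import secrets

class AuthServer:
    """Toy authentication service; this API is assumed, not OpenSim's."""
    def __init__(self):
        self.sessions = {}  # session_id -> (user, region holding the session)

    def login(self, user, region):
        sid = secrets.token_hex(8)
        self.sessions[sid] = (user, region)
        return sid

    def transfer(self, requesting_region, old_sid, dest_region):
        # Proposed scheme: validate the source-region session, then rotate it.
        # The unmodified client takes no part in this negotiation.
        if self.sessions.get(old_sid, (None, None))[1] != requesting_region:
            return None                          # caller does not hold the session
        user, _ = self.sessions.pop(old_sid)     # old session id invalidated
        new_sid = secrets.token_hex(8)
        self.sessions[new_sid] = (user, dest_region)
        return new_sid

def user_requested_teleport(auth, sid):
    # Trusted region: calls transfer only because the user's viewer asked.
    return auth.transfer("region-A", sid, "region-B")

def unrequested_transfer(auth, sid):
    # Untrusted region the user is visiting: identical call, no user request.
    return auth.transfer("region-A", sid, "region-C")

def demo():
    auth = AuthServer()
    honest = user_requested_teleport(auth, auth.login("alice", "region-A"))
    sid = auth.login("alice", "region-A")
    # A region that never held the session is rejected: this is what
    # per-region session ids do protect against.
    outsider = auth.transfer("region-X", sid, "region-C")
    unasked = unrequested_transfer(auth, sid)
    # Both accepted sessions look the same to the service, and rotation
    # happened in the unrequested case too (the old id is gone).
    return auth.sessions[honest], outsider, auth.sessions[unasked], sid in auth.sessions

if __name__ == "__main__":
    print(demo())
```

Telling the two accepted transfers apart would need some proof of the user's intent that the visited region cannot produce by itself, which the unmodified-client constraint in the proposal rules out.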