[Opensim-dev] Opensim-dev Digest, Vol 60, Issue 8
Haravikk
opensim at haravikk.me
Tue Nov 12 16:58:15 UTC 2019
> On 12 Nov 2019, at 16:26, mike.dickson at utopiaskye.com wrote:
>
> Much of this could be addressed by using https for the comms which encrypts
> the payload and headers if properly set up. But Haravikk's comments are on
> target. You can't trust the transport without https. I can probably count
> on one hand the number of grids that have all that set up correctly if it
> even works. Regardless the script writer has all the tools to add content
> to a payload or via headers and secure it. Hence I wouldn't recommend the
> patch approach as it is.
>
> Mike
Actually HTTPS doesn't solve the problem of header reliability, as HTTPS doesn't do anything to verify the request itself or the source that sent it; all it does is verify the server you are sending it to and encrypt the data in transit. Of course, for those reasons everybody should be using it anyway, but my point is that you can still send spoofed headers via HTTPS.
While HTTPS *does* have a mechanism for verifying the sender (client certificate authentication), I'm not sure it'd be well suited to OpenSimulator, as a simulator is not necessarily a secure environment for storing client certificates.
This is why a callback is my favoured option. Basically, if a script from address 1.2.3.4 claims to be from SomeRegion of SomeGrid, then a web service could use a callback to ask SomeGrid if it has a region called SomeRegion with an external IP of 1.2.3.4. If the grid responds yes, then the service can believe that the request came from a simulator belonging to SomeGrid, and that the headers should be from a legitimate server (or at least one that SomeGrid is willing to host).
Basically this is equivalent to what we can do for SL, which is to resolve a request IP and see if it gives an address in the form of sim12345.agni.lindenlab.com, as that signifies a request is reasonably certain to be genuine; but that trick doesn't work with OpenSimulator as there's no standard domain to look for (some sims don't have a domain name at all).
Personally I don't mind the idea of adding more standard and optional headers for those that want to configure their sims to send them; I'd argue that we should really be sending more grid information headers at the very least, but I just wanted to caution against trusting headers to be legitimate when we don't have a way to confirm who they came from; this is why sensitive services still need to do more (such as passwords etc.).
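The two verification approaches described in this message, the grid callback for OpenSimulator and the reverse-DNS check for Second Life, as a worked example on the web-service side. This is added illustration code, not part of the thread or of OpenSimulator. It assumes a hypothetical `X-OpenSim-Grid` header carrying the grid's base URL (the thread proposes grid information headers but names none; `X-SecondLife-Region` is a real header), and it assumes some region lookup endpoint on the grid; both the grid lookup and the reverse resolver are injected callables backed by constructed sample data so the example runs offline.

```python
import ipaddress
import re
from typing import Callable, Dict, Mapping, Optional, Set, Tuple

# Header that OpenSimulator and Second Life already attach to script HTTP requests:
# "X-SecondLife-Region: Region Name (x, y)". The grid header is an assumption: the
# thread talks about adding grid information headers without fixing a name, so this
# example uses a hypothetical "X-OpenSim-Grid" carrying the grid's base URL.
REGION_HEADER = "x-secondlife-region"
GRID_HEADER = "x-opensim-grid"  # hypothetical header, not an existing OpenSimulator one

# Second Life simulators reverse-resolve to names of this shape (from the thread).
LINDEN_SIM_RE = re.compile(r"^sim\d+\.agni\.lindenlab\.com$")

# Grid callback: given the grid's base URL and a region name, return the external IP
# the grid records for that region, or None. A real service would make an HTTPS
# request to a region lookup endpoint on that grid (endpoint assumed, not specified
# by the thread); the callback is injected so the example runs offline.
GridLookup = Callable[[str, str], Optional[str]]
# Reverse resolver: given an IP, return (PTR hostname or None, IPs that hostname
# forward-resolves to). Injected for the same reason.
ReverseLookup = Callable[[str], Tuple[Optional[str], Tuple[str, ...]]]


def region_name_from_header(value: str) -> str:
    """Strip the trailing ' (x, y)' coordinates from an X-SecondLife-Region value."""
    return re.sub(r"\s*\(\s*-?\d+(?:\.\d+)?\s*,\s*-?\d+(?:\.\d+)?\s*\)\s*$", "", value).strip()


def verify_opensim_request(source_ip: str, headers: Mapping[str, str],
                           trusted_grids: Set[str], grid_lookup: GridLookup) -> bool:
    """Callback check from the thread: believe the region/grid headers only if the
    named grid confirms it hosts that region at the IP the request actually came from.
    Only grids the service already trusts are asked, since any server can answer
    'yes' about itself."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    grid = lowered.get(GRID_HEADER)
    region = lowered.get(REGION_HEADER)
    if not grid or not region or grid not in trusted_grids:
        return False
    recorded = grid_lookup(grid, region_name_from_header(region))
    if recorded is None:
        return False
    try:
        return ipaddress.ip_address(recorded) == ip
    except ValueError:
        return False


def verify_linden_request(source_ip: str, reverse_lookup: ReverseLookup) -> bool:
    """The Second Life trick from the thread, with forward confirmation added: the PTR
    name must look like a Linden sim and must resolve back to the source IP."""
    ptr, forward_ips = reverse_lookup(source_ip)
    if ptr is None or not LINDEN_SIM_RE.match(ptr):
        return False
    return source_ip in forward_ips


# --- constructed sample data (documentation address ranges, not real grids) ---
SAMPLE_GRID_REGIONS: Dict[str, Dict[str, str]] = {
    "https://grid.example.org": {"SomeRegion": "203.0.113.4"},
}
SAMPLE_PTR: Dict[str, Tuple[Optional[str], Tuple[str, ...]]] = {
    "198.51.100.7": ("sim12345.agni.lindenlab.com", ("198.51.100.7",)),
    # an IP whose owner set a Linden-looking PTR that does not forward-resolve to it
    "198.51.100.8": ("sim99999.agni.lindenlab.com", ("198.51.100.7",)),
}


def sample_grid_lookup(grid_url: str, region_name: str) -> Optional[str]:
    return SAMPLE_GRID_REGIONS.get(grid_url, {}).get(region_name)


def sample_reverse_lookup(ip: str) -> Tuple[Optional[str], Tuple[str, ...]]:
    return SAMPLE_PTR.get(ip, (None, ()))


if __name__ == "__main__":
    trusted = {"https://grid.example.org"}
    claimed = {"X-OpenSim-Grid": "https://grid.example.org",
               "X-SecondLife-Region": "SomeRegion (256, 256)"}
    # same headers, once from the IP the grid records and once from a different IP
    print(verify_opensim_request("203.0.113.4", claimed, trusted, sample_grid_lookup))   # True
    print(verify_opensim_request("203.0.113.99", claimed, trusted, sample_grid_lookup))  # False
    print(verify_linden_request("198.51.100.7", sample_reverse_lookup))                  # True
```

The trusted-grid set is the practical consequence of the message's caveat that a "yes" only proves the request came from a simulator SomeGrid is willing to host: the service still decides which grids' answers it is willing to act on, and a callback result only tells it where a request came from, not that the script behind it is authorised, so a service handling anything sensitive still needs its own credential on top.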