[Opensim-users] Banning "bad" viewers was Re: Can this be done?
John Ward
jward at uci.edu
Wed Jan 13 17:48:28 UTC 2010
On 01/13/2010 01:45 AM, Anders Arnholm wrote:
> On Tue, Jan 12, 2010 at 04:55:10PM -0800, John Ward wrote:
>
>> account in the first place, another similar layer. If a grid operator
>> wants a little better protection, checking the string the client
>> identifies itself with would seem a reasonable additional layer.
>
> The grid operator may give any stupid ideas to the user, but I would not
> call it security. Like there is no security in making a web-site that
> only works in IE. If the operator calls this a security thing, it's
> obvious that person doesn't know squat about security or is lying. Either
> case lowers the trust for the operator to me.
If one takes a step that thwarts an attack, has security been improved?
I say it has. Does thwarting an attack make a system secure? Not
necessarily.
If you have stupidly written a web site that only securely works with
one browser should you try to restrict access to your web site to that
one browser?
>> So, is the system secure? If one's goal was to prevent casual
>> non-compliance then it probably is reasonably secure. If one wants to
>> prevent anyone from ever running a bad client on their grid then one's
>> grid is not secure.
>>
>> "Security through obscurity" is quite valid. That's why we (hopefully)
>> choose obscure passwords. If one understands what the obfuscation gets
>> them then it is just another layer.
>
> A good random passphrase is not security by obscurity.
If a password is not obscured it's not effective. If I can guess it or
figure it out it's not secure. The very point of a password is for
others not to know it. The more obscure it is to others the more secure
it is. The security relies on this very obscurity.
> It's a part of authentication of the user.
> In security research one has identified
> three elements that are needed for an authentication of a person:
> "ownership", "knowledge" and "inherence". The passphrase is the
> "knowledge" part; the harder something is to know, the better this leg
> of authentication. For example we could say if you on the phone can state
> what year you were born, I think you are you. This knowledge is quite
> easy for someone else to figure out, so this leg is quite easy to break.
> By making the knowledge some kind of long obscure string I made up
> myself, it's much harder for someone else to figure this out and the trust
> that I am me gets better. Still it is just the knowledge element. To make a
> good authentication one needs at least two elements. Verifying the two
> other elements of authentication over the internet is almost impossible,
> even if some attempts have been made.
>
> The passphrase only lets you to some extent be sure that the person on the
> other end is the person he or she claims to be. It has nothing to do with
> securing what he or she can do.
Determining who can do what is often called authorization.
>> I think having lots of easy to setup and use layers is a good thing even
>> when some of them are easily defeated. :-)
>
> The big risk is that no security chain is stronger than its weakest
> link. And having a lot of strong links in one part makes the user feel
> secure. Feeling secure when one isn't could be fatal.
I think of security in terms of layers, not chains. If one technique is
subject to spoofing or a man-in-the-middle attack I may need to add other
layers. I don't necessarily stop using those techniques because they don't.
John.