[Opensim-users] Banning "bad" viewers was Re: Can this be done?

John Ward jward at uci.edu
Thu Jan 14 18:24:02 UTC 2010


I pretty much agree with you.  My objection is to the notion that 
"fragile filtering" is NOTHING or worse because it only generates safe 
feelings.  Lots of techniques have actual benefits that are not "real 
security" in some academic sense but are if you measure the effects.

Client ID string filtering is a poor example of a useful fragile filter. 
  1. The threshold for avoiding it is too low.  2. The cost of keeping 
legitimate users out is too high.

On 01/14/2010 08:15 AM, Marcus Llewellyn wrote:
> Okay, it's quite possible I'm mistaken, but my understanding was that
> the -channel command line parameter on the viewer allows a user to
> represent themselves as pretty much any other viewer. If I'm incorrect,
> then the rest of this message is to be disregarded. :P
>
> Putting aside whether or not viewer string filtering has merit or not,
> it seems to me that if one must use this approach, then mandating use of
> the official vanilla viewer (or indeed, any current variant I know of)
> is *not* the way to go. You would want one that did not acknowledge the
> -channel parameter at all. And you wouldn't stop there.
>
> In fact, using any viewer to spoof the viewer string is no more
> difficult than changing the shortcut to connect to a different grid.
> This isn't even obscure... really it's not. Most grids have a "How to
> connect" page, and it doesn't take a mental giant to figure out how to
> add other parameters to what's on there. No coding skills are required.
>
> To attempt security by obscurity (if we define coding skills as a
> prerequisite for defeating it) you will really have to maintain your own
> version of the viewer. One that ignores a -channel parameter, and
> probably one that goes the extra step of sending at least one other
> string that the server expects to intercept for a successful login. And
> if you're gonna do that, why not go whole hog and make the client
> exchange keys to authenticate itself?
>
> Sounds like a hassle to me. Wouldn't it simply be easier to make your
> grid invitation only or something?

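The contrast drawn in the quoted message, between filtering on a viewer-supplied channel string and having the client authenticate with a key, sketched in Python as an added example that is not part of the original thread or of OpenSim's code. The channel name, client id, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Hypothetical allowlist of viewer channel names (constructed for this example).
ALLOWED_CHANNELS = {"Example Grid Viewer"}

def channel_filter(login: dict) -> bool:
    """Fragile filter: trusts a string the client chooses for itself."""
    return login.get("channel") in ALLOWED_CHANNELS

class ChallengeVerifier:
    """Server side of an HMAC challenge-response with single-use nonces."""
    def __init__(self, client_keys: dict):
        self._keys = client_keys   # client_id -> shared secret (bytes)
        self._pending = {}         # client_id -> outstanding nonce

    def issue(self, client_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[client_id] = nonce
        return nonce

    def verify(self, client_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(client_id, None)  # single use: blocks replay
        key = self._keys.get(client_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

def respond(key: bytes, nonce: bytes) -> bytes:
    """Client side: prove possession of the key without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo() -> dict:
    key = secrets.token_bytes(32)
    server = ChallengeVerifier({"alice": key})
    # The filter passes for any client that reports an allowed channel name.
    relabelled = channel_filter({"channel": "Example Grid Viewer"})
    good = respond(key, server.issue("alice"))
    ok = server.verify("alice", good)
    replayed = server.verify("alice", good)  # nonce already consumed
    fresh = server.issue("alice")
    wrong_key = server.verify("alice", respond(b"\x00" * 32, fresh))
    return {"relabelled": relabelled, "ok": ok,
            "replayed": replayed, "wrong_key": wrong_key}
```

A key compiled into a distributed viewer can be extracted from it, so this scheme authenticates whoever holds the key rather than proving which viewer software is running.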

