[Opensim-users] Banning "bad" viewers was Re: Can this be done?

Anders Arnholm anders at arnholm.se
Sat Jan 16 15:27:23 UTC 2010 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Ward skrev 2010-01-15 19.07:
> On 01/15/2010 12:39 AM, Anders Arnholm wrote:
>>
>>
>> Skickat från min iPhone
>>
>> 13 jan 2010 kl. 18.48 skrev John Ward<jward at uci.edu>:
>>
>>> On 01/13/2010 01:45 AM, Anders Arnholm wrote:
>>>> On Tue, Jan 12, 2010 at 04:55:10PM -0800, John Ward wrote:
>>>>
>>>>> account in the first place, another similar layer.  If a grid
>>>>> operator
>>>>> wants a little better protection by checking the string the client
>>>>> identifies itself with would seem a reasonable additional layer.
>>>>
>>>> The grid operator may give any stupid ideas to the user, but i
>>>> would not
>>>> call it security. Like there is no security in making a web-site that
>>>> only works in IE. If the operator calls this a security thing, it's
>>>> obvius that person don't know squat about security or is lieing.
>>>> Either
>>>> case lowers the trust for the operator to me.
>>>
>>> If one takes a step that thwarts an attack, has security been
>>> improved?
>>>   I say it has.  Does thwarting an attack make a system secure?  Not
>>> necessarily.
>>>
>>> If you have stupidly written a web site that only securely works with
>>> one browser should you try to restrict access to your web site to that
>>> one browser?
>>
>> Not fixing once problem is irresponsible. If you have this problem and
>> spend time on the workaround I would call you stupid. You have done a
>> really bad system to start with you now have to pay the bill for not
>> doing it right. Closing the site may be a better solution given all
>> viewer already have a maskerade mode.
> 
> Ignoring the name calling....

The name calling was for someone that thinks that can secure a server
by blocking any kind of client. The server have to be secured on the
server side. It can never ever trust anything from the client.

> When one designs the server side of a system and finds a security flaw
> in the client software that they did not write, then by your logic the
> server has responsibility to block the client or shut down the service.
>  That agrees with blocking you so vehemently reject.

If the client have a security problem, the client should be fixed. if
it's your own client you can use messaged to ask users to update, maybe
even deny them access untill they done so. If a bug in the cleint make
the server unsecure, then the server is unsecure and should be fixed.
The server can't be resposible for client security, the client can fix
server security. Whats happends on the other side of the internet your
side can't take resposibilty for.

> Exactly the point.  I use the word obscure the same way you do when you
> said "By makeing the knowledge some kind of long obsure string I made up
> my self. It's much harder for someone else to figure this out and the
> trust is me is me gets better"

This is not the security by obsurity thou.


> 
> Correct.  However some systems mix them.  The idea being that if access
> is the only permission available then authorization and authentication
> become a one to one correspondence.  I generally argue against this mixing.
> 

You can't mix them, you maybe can do at the same time and you can have
bad schemsed for it. But as it totally differ functions and theoretical
functions you can't mix them really.


>> Both models have there vaildity the problem with the layer idea is
>> when it applied to stuff that easy can be added into a tool.
> 
> Checking a string is on easy end of the scale.
> 

The flaw, the big flaw in this model is that you asks the bad guys to
identify thems selfs. It's a bout as efficiant as a sign "Bad guy's,
don't log in please."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.12 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktR2toACgkQtbR3SXmySrf/yACeP7B9BQNGHa84isPVja1HPxuu
N0kAoINACJt0I5f9G+hUKylo5JtLEOpm
=PGOi
-----END PGP SIGNATURE-----

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the Opensim-users mailing list