Hi, I'm about to start tightening the ropes for the Hypergrid in order to make it safer, and also make safer some loose ends of OpenSim without HG, and I would appreciate feedback on this.
The first issue that needs to be addressed is the issue of user authentication. The regions need to be able to verify that the agent that claims to be representing [email protected] is, indeed, representing [email protected]. (As you know, right now this is... err... a bit overlooked... *coughs*... and not just in the HG... *more coughs*). Having looked at OpenID, I came to the conclusion that it's not enough to know that osgrid.org has a user named "Charles Krinke", and we certainly don't want Charles to be constantly typing his password everytime he moves; the region needs to know that this user is already logged in to the system AND the region also needs to know that the agent that is representing this user is a legitimate agent. OK, so the part about being logged in is easy; the user server already knows that, to some approximation. However, the part about the agent being legitimate is a bit more tricky. Here's the bad thing that can happen: Charles logs in to OSgrid, and TPs to this intriguing region called "Sports Illuminated Swimming Suite Edition". That region happens to be up to no good. It grabs Charles current notion of identity (all the current identifiers we use), it crashes Charles' viewer so that the user server never knows about it, and proceeds to impersonate Charles using all those stolen identifiers; for example, it can go back to Charles's regions and erase them completely pretending to be Charles. So, what can we do to detect the legitimacy of agents? Having scratched my head over this, I came to the conclusion that the most promising element that can be used to identify agents is the Viewer's EndPoint. This is what happens down in the LLUDPServer (I'm sure something similar happens in other viewers' packet handlers): if (packet != null) { if (packet.Type == PacketType.UseCircuitCode) AddNewClient((UseCircuitCodePacket)packet, epSender, epProxy); else ProcessInPacket(packet, epSender); } The EndPoint epSender comes directly from the socket and I'm assuming it can't be faked, at least the IP part. Is this correct? This is a critical assumption. So, back to the "Sports Illuminated" scenario: that sim would then try to launch an agent at Charles' region. It can fake everything except being Charles' viewer machine. When Charles' region does that code above, it asks the User server for authentication of an agent with all those identifiers and the given EndPoint, and the User server tells back that Charles wasn't using that EndPoint to start with, so the authentication fails, and an alarm is rang. Thoughts? Crista Disclaimer: I'm not an expert in security, I'm just using my brain in context. _______________________________________________ Opensim-dev mailing list [email protected] https://lists.berlios.de/mailman/listinfo/opensim-dev
