> On 10 Nov 2019, at 23:36, Mike Higgins <m...@kayaker.net> wrote:
>
> These values turn out to be incredibly useful for authentication, commerce
> and other cryptographic uses. For example, it is extremely difficult for an
> avatar to spoof her own UUID. So this value can be used to uniquely
> authenticate that the person using a prim is in fact who she claims to be.
I'd caution against using this is a sole factor in authentication; the whole
point of OpenSimulator is that anybody can setup and run a simulator, and the
code is open source, so it would be entirely possible to send false requests
from a malicious server (or CURL or similar if you know what you're doing),
there's also no guarantee that an avatar's UUID is unique between grids (it
should be, but it also may not be, e.g- if data was imported, or someone
changed their UUID on purpose).
You would also need to establish that the request comes from a trustworthy
grid, and there isn't currently a way to do this as such, as again a malicious
request can pretend to come from any grid it likes, unless you have a list of
all valid IP's for that grid, you can't verify it. I discussed a possible
method to check that a simulator actually belongs to the grid it says it does
via a grid-level API, but have never found the time to sit down and learn
enough about the OpenSimulator code to implement it. If you're interested, I
covered this in a pair of wiki articles:
http://opensimulator.org/wiki/User:Haravikk_Mistral/RegionVerification
<http://opensimulator.org/wiki/User:Haravikk_Mistral/RegionVerification> and
http://opensimulator.org/wiki/User:Haravikk_Mistral/ExpandedGridInfoAvailability
So yeah, if you want validation I strongly recommend something more than just
checking the headers in an HTTP request at present; an initial password then a
persistent session token is still my preferred method, so a user should only
need to enter their password (and it should only be held by the script) during
initial setup of a device, or if they let the session expire.
> [Network]
>
> OpenSimHeaders = true ;add new information to llHTTPRequest header
>
> ;OpenSimHeadersGrid = false ;if false, don't include grid info in header
>
> ;OpenSimHeadersRegion = false ;don't include region info
>
> ;OpenSimHeadersParcel = false ;parcel info
>
> ;OpenSimHeadersPrim = false ;extra prim info
>
> ;OpenSimHeadersScript = false ;script info
>
> ;OpenSimHeadersDesc = false ;descriptions (prim and script)
>
>
> Complete list of new header values added:
>
>
> X-Opensim-Grid-Login-Uri
>
> X-Opensim-Grid-Name
>
> X-Opensim-Parcel-Flags
>
> X-Opensim-Parcel-Group-Key
>
> X-Opensim-Parcel-Key
>
> X-Opensim-Parcel-Name
>
> X-Opensim-Parcel-Owner-Key
>
> X-Opensim-Prim-Creator-Key
>
> X-Opensim-Prim-Description
>
> X-Opensim-Prim-Group-Key
>
> X-Opensim-Prim-Owner-Mask
>
> X-Opensim-Prim-Sit-Text
>
> X-Opensim-Prim-Text
>
> X-Opensim-Prim-Touch-Text
>
> X-Opensim-Region-Key
>
> X-Opensim-Region-Size-X
>
> X-Opensim-Region-Size-Y
>
> X-Opensim-Script-Creator-Key
>
> X-Opensim-Script-Description
>
> X-Opensim-Script-Name
>
> X-Opensim-Script-Perms-Mask
I'm generally in favour of these though; personally I wonder if we should just
include grid info as standard, since it's such a crucial part to OpenSimulator,
shouldn't present a security threat (unless your login URI is unsecured
somehow, in which case you have bigger problems) and it's useful for basic
verification of an HTTP request.
_______________________________________________
Opensim-dev mailing list
Opensim-dev@opensimulator.org
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
