Ok yeah but you're implying there some extra goodness, even worse, security, by making the system generate the header entries and that’s just not true. There already is a mechanism to add header entries to data being sent and its secure enough for simple exchanges where the cost of trusting something is valid is small. The problem is implying making the system do it makes it more secure isn’t true and may mislead someone to improperly depend on the information being sent. Plus you'll pay that overhead for every message sent.
OpenSim is, well open, so you can certainly maintain your own version that works this way. But I'd hate to see this put into core as it has very little value over what you can already do and potentially weakens overall security. Pretty everything in your list is discoverable by a script with appropriate privileges and I'm not sure every region owner would want all this information exposed. And yes I get you can turn it off in the config file but there's no reason to add it in the first place. Mike -----Original Message----- From: opensim-dev-boun...@opensimulator.org <opensim-dev-boun...@opensimulator.org> On Behalf Of Mike Lorrey Sent: Monday, November 11, 2019 7:36 PM To: opensim-dev@opensimulator.org Subject: Re: [Opensim-dev] Patch for New llHTTPRequest Internal Header Values this header info is incredibly useful for getting information from the grid about the user that cannot be spoofed by the casual user unless they are the grid operator as well, which, face it, is not many people, for use by a web service. Contrary to what Haravikk says, the purpose of opensim is NOT so "anyone" can boot up a grid of their own (as I was just the other day yelled at about cause I thought the same thing). Custom header info can easily be spoofed by the casual scripter, so claiming that is good enough is simply false. On Mon, Nov 11, 2019 at 7:26 PM Cinder Roxley <cin...@alchemyviewer.org> wrote: > As Mike stated, this seems redundant to HTTP_CUSTOM_HEADER. There is > already a mechanism for adding an entry if that is what you desire. > Certainly for the stated use case, it’s already possible. I don’t see > how adding additional entries to every llHTTPRequest() would be widely > beneficial especially at such a broad scope. > > > On November 11, 2019 at 11:48:38 AM, Mike Higgins (m...@kayaker.net) > wrote: > > There is no such thing as perfect security, but there is utility in > increasing the difficulty of breaking the security. Eventually the > difficulty exceeds the value of the information and you are secure > enough. Adding values to the header in the OpenSim code instead of in > the script adds just a little bit more difficulty and therefore a > little more security. > > Here is an example use: It is common in grids to fly around in an > airplane and have it crash (or the viewer crashes, or the region > crashes or the grid crashes) and you leave the vehicle behind. I have > a transponder script that occasionally reports the vehicle position to > a database on an external server. When you log back on, you can ask > that server to tell you where your vehicle is so you can go clean up > any mess you may have left on someone else's land. The prim that finds > the vehicle for you uses your UUID to look up your vehicle > transponders in the database. No need to log on, no passwords, > automatic authentication just takes you to your vehicles. > > Is it worth the trouble for someone to build a stand alone grid or > modify the sources of OpenSim in order to maliciously find out where > your crashed vehicles are? No. Is it useful to find your own crashed > vehicles and clean up your own messes? Yes. Adding information to the > HTTP Request header will allow more useful functions like this. > > > On 11/11/2019 6:56 AM, mike.dick...@utopiaskye.com wrote: > > There is already a mechanism to add Header entries in llHttpRequest > > (http://wiki.secondlife.com/wiki/HTTP_CUSTOM_HEADER) . And I don't > > think it's reasonable to consider anything on the header trusted or > > secure just because its in the header. I'd argue there's little > > utility to adding a bunch of data to the header that can't be > > trusted implicitly and it may > bulk > > up the message to the degree that the data gets split across packets > > and delivered less efficiently. But my main argument against the > > approach > would > > be that information in the header is somehow secure or trustable. > > It's > just > > not. > > > > Mike > > > > -----Original Message----- > > From: opensim-dev-boun...@opensimulator.org > > <opensim-dev-boun...@opensimulator.org> On Behalf Of Haravikk > > Sent: Monday, November 11, 2019 5:26 AM > > To: opensim-dev@opensimulator.org > > Subject: Re: [Opensim-dev] Patch for New llHTTPRequest Internal > > Header Values > > > > > > > >> On 10 Nov 2019, at 23:36, Mike Higgins <m...@kayaker.net> wrote: > >> > >> These values turn out to be incredibly useful for authentication, > commerce > > and other cryptographic uses. For example, it is extremely difficult > > for > an > > avatar to spoof her own UUID. So this value can be used to uniquely > > authenticate that the person using a prim is in fact who she claims > > to > be. > > > > I'd caution against using this is a sole factor in authentication; > > the > whole > > point of OpenSimulator is that anybody can setup and run a > > simulator, and the code is open source, so it would be entirely > > possible to send false requests from a malicious server (or CURL or > > similar if you know what > you're > > doing), there's also no guarantee that an avatar's UUID is unique > > between grids (it should be, but it also may not be, e.g- if data > > was imported, > or > > someone changed their UUID on purpose). > > > > You would also need to establish that the request comes from a > trustworthy > > grid, and there isn't currently a way to do this as such, as again a > > malicious request can pretend to come from any grid it likes, unless > > you have a list of all valid IP's for that grid, you can't verify > > it. I discussed a possible method to check that a simulator actually > > belongs to the grid it says it does via a grid-level API, but have > > never found the > time > > to sit down and learn enough about the OpenSimulator code to > > implement > it. > > If you're interested, I covered this in a pair of wiki articles: > > http://opensimulator.org/wiki/User:Haravikk_Mistral/RegionVerificati > > on > > <http://opensimulator.org/wiki/User:Haravikk_Mistral/RegionVerificat > > ion> > and > > > > http://opensimulator.org/wiki/User:Haravikk_Mistral/ExpandedGridInfoAv > ailabi > > lity > > > > So yeah, if you want validation I strongly recommend something more > > than just checking the headers in an HTTP request at present; an > > initial > password > > then a persistent session token is still my preferred method, so a > > user should only need to enter their password (and it should only be > > held by > the > > script) during initial setup of a device, or if they let the session > expire. > > > >> [Network] > >> > >> OpenSimHeaders = true ;add new information to llHTTPRequest header > >> > >> ;OpenSimHeadersGrid = false ;if false, don't include grid info in > >> header > >> > >> ;OpenSimHeadersRegion = false ;don't include region info > >> > >> ;OpenSimHeadersParcel = false ;parcel info > >> > >> ;OpenSimHeadersPrim = false ;extra prim info > >> > >> ;OpenSimHeadersScript = false ;script info > >> > >> ;OpenSimHeadersDesc = false ;descriptions (prim and script) > >> > >> > >> Complete list of new header values added: > >> > >> > >> X-Opensim-Grid-Login-Uri > >> > >> X-Opensim-Grid-Name > >> > >> X-Opensim-Parcel-Flags > >> > >> X-Opensim-Parcel-Group-Key > >> > >> X-Opensim-Parcel-Key > >> > >> X-Opensim-Parcel-Name > >> > >> X-Opensim-Parcel-Owner-Key > >> > >> X-Opensim-Prim-Creator-Key > >> > >> X-Opensim-Prim-Description > >> > >> X-Opensim-Prim-Group-Key > >> > >> X-Opensim-Prim-Owner-Mask > >> > >> X-Opensim-Prim-Sit-Text > >> > >> X-Opensim-Prim-Text > >> > >> X-Opensim-Prim-Touch-Text > >> > >> X-Opensim-Region-Key > >> > >> X-Opensim-Region-Size-X > >> > >> X-Opensim-Region-Size-Y > >> > >> X-Opensim-Script-Creator-Key > >> > >> X-Opensim-Script-Description > >> > >> X-Opensim-Script-Name > >> > >> X-Opensim-Script-Perms-Mask > > I'm generally in favour of these though; personally I wonder if we > > should just include grid info as standard, since it's such a crucial > > part to OpenSimulator, shouldn't present a security threat (unless > > your login URI > is > > unsecured somehow, in which case you have bigger problems) and it's > useful > > for basic verification of an HTTP request. > > _______________________________________________ > > Opensim-dev mailing list > > Opensim-dev@opensimulator.org > > http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev > > > > _______________________________________________ > > Opensim-dev mailing list > > Opensim-dev@opensimulator.org > > http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev > > > _______________________________________________ > Opensim-dev mailing list > Opensim-dev@opensimulator.org > http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev > _______________________________________________ > Opensim-dev mailing list > Opensim-dev@opensimulator.org > http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev > -- Mike Lorrey CEO Galactic Systems, Inc bntholdi...@gmail.com <m...@tokens.vc> International Spaceflight Museum m...@ismuseum.org Skype: michael.lorrey LinkedIn: https://www.linkedin.com/in/mikelorrey _______________________________________________ Opensim-dev mailing list Opensim-dev@opensimulator.org http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev _______________________________________________ Opensim-dev mailing list Opensim-dev@opensimulator.org http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
