Much of this could be addressed by using https for the comms, which encrypts the payload and headers if properly set up. But Haravikk's comments are on target. You can't trust the transport without https. I can probably count on one hand the number of grids that have all that set up correctly, if it even works. Regardless, the script writer has all the tools to add content to a payload or via headers and secure it. Hence I wouldn't recommend the patch approach as it is.
Mike

-----Original Message-----
From: opensim-dev-boun...@opensimulator.org <opensim-dev-boun...@opensimulator.org> On Behalf Of Haravikk
Sent: Tuesday, November 12, 2019 11:18 AM
To: opensim-dev@opensimulator.org
Subject: Re: [Opensim-dev] Opensim-dev Digest, Vol 60, Issue 8

> On 12 Nov 2019, at 15:35, Fred Beckhusen <f...@mitsi.com> wrote:
>
> --ooo------/\/\/\-----|(------ooo------/\/\/\-----|(------ooo----
> Fred K. Beckhusen
> President
> Micro Technology Services, Inc.
> fre...@mitsi.com
> tel: (888) 230-MTSI Toll Free
> cel: (469) 951-7635
> http://www.mitsi.com
>
> I would think a grid could be very trustworthy with this patch, as the headers are set in code. No one but the grid operator can change them. I am assuming the HTTP_CUSTOM_HEADER does not override these settings, or can be detected. Has this been tested?

While custom headers set by script should already be overridden by generated ones, the problem with trusting these headers is that they can still be very easily spoofed by other means; unless the web-service you are sending the request to maintains a list of valid simulator IP addresses, it has no way of knowing if a request came from a legitimate simulator, or from some other source.

For example, common command line tools such as cURL can be used to build custom HTTP requests, allowing you to set the value of headers to anything you like, because that's just how HTTP works. So if I were a malicious actor and can figure out enough about your API, I can send it any requests I want.
This is why I raised the possibility of a callback mechanism a little while ago, as this could at least be used to verify whether an IP address is permitted to send HTTP requests on behalf of a grid: http://opensimulator.org/wiki/User:Haravikk_Mistral/RegionVerification

Even with that, all this does is confirm that a request came from a (probably) genuine simulator belonging to the grid that the request claimed to come from, i.e. you can be reasonably sure the request is from an actual script on an OpenSimulator grid. If you know that the grid is fully privately operated (i.e. doesn't allow others to set up simulators and properly configures them) then, and only then, can you be confident that the headers weren't spoofed and should be okay to process without additional checks.

But that still doesn't do anything to establish the trustworthiness of the specific object sending the request, or the owner of that object, which is why for anything sensitive you still need some kind of authentication like a password, public key or such that only the person you expect could have provided.

Of course, if all you're tracking is non-sensitive information (like the example of a lost object tracker) then none of this is all that critical, but for anything else headers are useful information, but they shouldn't be viewed as always reliable or authoritative.

_______________________________________________
Opensim-dev mailing list
Opensim-dev@opensimulator.org
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
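
The point both messages make, that the receiving web service should authenticate the request itself and not rely on simulator-generated headers, is sketched below as an added example; it is not code from the thread or from OpenSimulator. The `X-Auth-Timestamp` and `X-Auth-Signature` header names, the shared secret and the five-minute window are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo secret; in practice one secret per object or owner,
# known only to the script and the web service.
SHARED_SECRET = b"constructed-demo-secret"
MAX_SKEW_SECONDS = 300  # assumed freshness window


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Tag the sender computes over timestamp + body (HMAC-SHA256, hex)."""
    msg = timestamp.encode() + b"\n" + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(headers: dict, body: bytes,
                   secret: bytes = SHARED_SECRET,
                   now: Optional[float] = None) -> bool:
    """Accept a request only if it carries a fresh, valid tag over its body.

    Identity headers such as X-SecondLife-Owner-Key are not consulted:
    any HTTP client can set them, so they prove nothing on their own.
    """
    now = time.time() if now is None else now
    timestamp = headers.get("X-Auth-Timestamp", "")   # hypothetical header
    tag = headers.get("X-Auth-Signature", "")         # hypothetical header
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    # Reject stale requests; a per-request nonce would be needed to stop
    # replays inside the window, and HTTPS to keep the body confidential.
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, timestamp, body)
    # Constant-time comparison on bytes, so odd input cannot raise.
    return hmac.compare_digest(expected.encode(), tag.encode())
```

A request that only copies the identity headers is rejected, while one tagged with the shared secret is accepted regardless of which IP address it arrives from.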