> On 12 Nov 2019, at 16:26, [email protected] wrote:
> 
> Much of this could be addressed by using https for the comms which encrypts
> the payload and headers if properly set up.  But Haravikk's comments are on
> target.  You can't trust the transport without https.  I can probably count
> on one hand the number of grids that have all that set up correctly if it
> even works.  Regardless, the script writer has all the tools to add content
> to a payload or via headers and secure it.  Hence I wouldn't recommend the
> patch approach as it is.
> 
> Mike

Actually, HTTPS doesn't solve the problem of header reliability, as HTTPS 
doesn't do anything to verify the request itself or the source that sent it; 
all it does is verify the server you are sending it to and encrypt the data 
in transit. Of course, for those reasons everybody should be using it anyway, 
but my point is that you can still send spoofed headers via HTTPS.

While HTTPS *does* have a mechanism for verifying the sender (client 
certificate authentication), I'm not sure it'd be well suited to OpenSimulator, 
as a simulator is not necessarily a secure environment for storing client 
certificates.

This is why a callback is my favoured option; basically, if a script from 
address 1.2.3.4 claims to be from SomeRegion of SomeGrid, then a web service 
could use a callback to ask SomeGrid if it has a region called SomeRegion with 
an external IP of 1.2.3.4. If the grid responds yes, then the service can 
believe that the request came from a simulator belonging to SomeGrid, and that 
the headers should be from a legitimate server (or at least one that SomeGrid 
is willing to host).

Basically this is equivalent to what we can do for SL, which is to resolve a 
request IP and see if it gives an address in the form of 
sim12345.agni.lindenlab.com, as that 
signifies a request is reasonably certain to be genuine, but that trick doesn't 
work with OpenSimulator as there's no standard domain to look for (some sims 
don't have a domain name at all).

Personally I don't mind the idea of adding more standard and optional headers 
for those that want to configure their sims to send them; I'd argue that we 
should really be sending more grid information headers at the very least, but I 
just wanted to caution against trusting headers to be legitimate when we don't 
have a way to confirm who they came from; this is why sensitive services still 
need to do more (such as passwords etc.).
_______________________________________________
Opensim-dev mailing list
[email protected]
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
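The callback check described above, written out as an added example; it is not code from the thread or from OpenSimulator. The header names, the trusted-grid table, the lookup endpoint and the grid's reply are all assumptions constructed for the example; the point it makes is that the service asks a grid it already knows about, never an endpoint named in the request itself.

```python
import ipaddress
from typing import Callable, Mapping, Optional

# Assumed header names; the thread does not fix what the headers are called.
GRID_HEADER = "X-Grid-Name"
REGION_HEADER = "X-Region-Name"

# Constructed table: grids this service is willing to ask, keyed by the name a
# request may claim. The callback endpoint comes from here, not from the request,
# so a spoofed header cannot point the service at an attacker-run "grid".
TRUSTED_GRIDS = {"SomeGrid": "https://somegrid.example/region-lookup"}

GridQuery = Callable[[str, str], Optional[str]]  # (endpoint, region) -> external IP


def verify_origin(headers: Mapping[str, str], remote_ip: str,
                  query_grid: GridQuery) -> bool:
    """True only if the claimed grid confirms the claimed region exists and
    its external IP matches the address the request actually came from."""
    grid = headers.get(GRID_HEADER)
    region = headers.get(REGION_HEADER)
    if not grid or not region:
        return False                      # nothing verifiable was claimed
    endpoint = TRUSTED_GRIDS.get(grid)
    if endpoint is None:
        return False                      # unknown grid: nobody to ask
    try:
        observed = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False                      # malformed source address
    confirmed = query_grid(endpoint, region)   # the callback to the grid
    if confirmed is None:
        return False                      # grid does not know that region
    try:
        return ipaddress.ip_address(confirmed) == observed
    except ValueError:
        return False                      # grid replied with garbage


# Constructed stand-in for the grid's lookup service: region -> external IP.
_FAKE_GRID = {("https://somegrid.example/region-lookup", "SomeRegion"): "1.2.3.4"}


def fake_query_grid(endpoint: str, region: str) -> Optional[str]:
    """Offline replacement for the HTTP call a real service would make."""
    return _FAKE_GRID.get((endpoint, region))
```

A real deployment would make `query_grid` an HTTPS request to the grid's endpoint; the check itself stays the same.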
