Update on Web Profiles in 1.12.3
Tuesday, October 24th, 2006 at 9:59 AM by: Joshua LindenShort version: the Web Profiles feature will not be in Second Life 1.12.3 as planned; look for it in the subsequent release.
Read on for details…
Background
The Web Profiles feature is based on the Mozilla libraries included in Second Life. Specifically, the version we have been using is based on the 1.8.0.5 code base of Mozilla. In addition to addressing annoying but non-critical bugs (e.g. the positioning of SELECT element popups, etc.), we had been engaged in updating our code base to utilize the 1.8.0.7 code base of Mozilla.
Update
Unfortunately, the update to the new code base was not completed in time for a quality assurance pass before our planned release date for Second Life 1.12.3. As Kelly Linden has mentioned (see below) we plan on keeping the versions of the Mozilla libraries used in Second Life up to date with the released versions. And since we weren’t up to date, we are holding the feature for the next release.
Sincere apologies to those who were planning on taking advantage of this feature in 1.12.3. Once we have moved to the newer Mozilla code base we see no blocking issues with opening up the feature - so presumably in 1.12.4.
FAQ
Q: What are the issues that could occur?
A: Let’s say Eve is a malicious developer, and puts together a site (evil.example.com) that takes advantage of a “arbitrary code execution” bug in Mozilla. What this means is that there is content on the site which uses a bug in Mozilla to run the code Eve wants as if she had total control over your computer. Let’s say Alice is an average user of Firefox. If Eve can arrange for Alice to visit evil.example.com - e.g. by tempting Alice by e-mail, or a blog link, etc. then when Alice’s browser pulls the content from Eve’s site, Alice’s computer is compromised - Eve can do anything she wants to Alice’s computer. That’s why browsers are updated as quickly as possible with security patches.
In the context of Second Life, Eve would be a malicious resident who sets her web profile to evil.example.com. She tempts Alice to look at her profile by “social engineering” (e.g. saying “Look at my way-cool profile!”); if the Mozilla code used by Second Life has the same vulnerability as the web browser in the previous example, then Alice’s computer is could be compromised.
For details about potential vulnerabilities addressed in various versions of the Mozilla code base, you can look at the Mozilla Foundation Security Advisories.
Q: What happens if a new vulerability is discovered after the feature is released?
A: Kelly Linden answered this in a comment a few days ago, but since readers are having trouble finding it let me quote it here:
All the HTML rendered in Second Life (the new login screen, web profiles and F1 help) is done using the Mozilla browser engine. Since web profiles do have the potential to spread an exploit, were one to be found and exploited, we have implemented a ‘kill switch’. If we find that there is a serious exploit in the mozilla we are using we have the ability to disable web in profiles entirely, on the fly with no new code release, until such time as a version of SL with a fix can be deployed. We plan on keeping the embedded Mozilla version up to date with the released versions so we don’t expect this to be a common occurance, but we are prepared in case it does.
Additionally the default behavior for web profiles requires 1 click after viewing the URL to see the web page. The web page can be opened with the embedded browser (Load) or with your systems default external web browser (Open). There is a convenience option to automatically load web profiles, however if you are concerned with security then you should *not* choose this option and you should review every URL before you visit it.
Q: Why doesn’t this affect F1 Help and the Login screen?
A: These features do use the same Mozilla-based code. However, those Second Life features get their content directly from Linden Lab resources, not arbitrary sites specified by third parties (e.g. hackers, phishers, etc). If you hack your own viewer to point at a malicious site, you would potentially be vulnerable. (So, um, don’t do that.) But if you’re hacking your own viewer you could just as easily install malware or an insecure independent browser version directly to become vulnerable. (Also bad ideas.)
October 24th, 2006 at 10:02 AM
Well $#@&!
I’d even built a teeny-window web site. Alas! Next time is is then!
October 24th, 2006 at 10:04 AM
OH NOES! H4X
I was so looking forward to them! Damn you H4X0rZ
October 24th, 2006 at 10:06 AM
You can still look at my web profile template if you want!
http://www.babasucks.com/secondlife/profile.html
I know, hawt.
October 24th, 2006 at 10:13 AM
Well, this is going to be just like transparent shiny, great…
http://www.secondlifeservers.com/profiles/ice.php
to say I’m not happy is an understatement.
October 24th, 2006 at 10:24 AM
Well this is actually good news. But I would suggest not releasing ANY of the HTML improvemements tomorrow. They are clearly half baked.
The UI scaling completly messes up the splash page causing it to be unreadably blurry and actually not fill the space, causing a repeat (tile) of the page on the right hand side of the screen.
And speaking of UI scaling. It seems to have stopped working in this beta. Myscaling set at 0.9 is functioning, but I cannot change it in the test grid. Changing it to 1.0 in the live grid then going back to the test grid then shows it scaled to 1.0. (All bugs properly reported)
Not, ready for consumption!
We desperately DO need the bug fixes though. How about backing out all the HTML “shineness” and just give us a solid bug fix update?
Pretty please?
October 24th, 2006 at 10:25 AM
/me Waits patiently for Lewis to claim he had some effect on the decision to nix the feature.
October 24th, 2006 at 10:27 AM
Well, I’m actually glad they caught this one before it went live. I’d rather they find ‘em and fix ‘em now. This is the first time in a long time that they’ve added a tool they’ve needed BEFORE they’ve needed it too! Well done!
*shrugs* Okay, I didn’t plan on taking time to use the new shiny, but this time, they are thinking ahead, so I’m pleased.
October 24th, 2006 at 10:32 AM
I’ll be setting my web profile to http://my.slopenid.net/SignpostMarv-Martin/ (SLOpenID bells & whistles like the profiles are still under development) for kicks and giggles
October 24th, 2006 at 10:45 AM
You do realise of course that people will be now targetting known exploits in Mozilla to put specifically on websites to put in their profiles, and using known pulls like “look at my naked pictures” to get people to look, download malware and keyloggers, knowing they have SL login details?
Hackers and suchlike will always be one step ahead of the version of the Mozilla code you have, so you really are introducing a vulnerability which is just unnecessary.
If you really do want to go ahead with this feature, can I suggest that you have an option - open in integral browser, or to open externally in your browser of choice, which then is protected by whatever security you have chosen, kept up to date as often as it does. If, of course, people choose not to protect their own PC that is their problem to deal with, but if we have to rely on Linden Lab - and potentially known problems/exploits being rampant for 2-3 weeks before the next update to close the hole - then I have to say I have little confidence in this.
Given your inability to maintain a simple forum, and the concentration on “little shiny things” instead of fixing difficult, but essential, bugs, can we be totally sure that you will do everything possible to protect our computers from potential exploits that you are knowingly opening us up to?
I personally see no need for this ‘web profiles’ feature, however others have expressed an interest in it. Please, add an additional option to disable this feature and just open it externally in a user’s browser of choice, so that those of us who value our computer security can trust McAfee or Norton to intercept any dodgy content, rather than an “open source” browser which many of us choose not to use for that very reason. Sure, no browser is 100% secure - but at least it’s our choice of browser, rather than yours.
Lewis
October 24th, 2006 at 10:51 AM
Lewis - I’m surprised you even use Second Life. All that tinfoil you have on your head must not be comforting while flying around the metaverse.
October 24th, 2006 at 11:14 AM
Having played a web based game in the past that was full of exploits, I’ve seen what they can do, and how they can be imbedded in pictures or music files.
I am _strongly_ requesting a way for players to disable viewing of pictures or playing music when viewing internet profiles.
And on this thread, I agree with Lewis 100%. If you think the forum sucked precious LL resources, wait until the exploiters realize they can compromise computers and SL accounts. It will make the forums seem like a stroll through the park.
October 24th, 2006 at 11:19 AM
One way to protect random user supplied HTML from harming opther people is to use an HTML scrubber. Remove anything that is not basic HTML+CSS. No Java, no scripting. Allow K.I.S.S. web pages only.
I wrote a program that used HTML as rich output and did this exact thing to prevent this exact problem. There is no reason that people HAVE to be able to run games and have 6 level deep fly out menus in their profile period.
October 24th, 2006 at 11:22 AM
The naked picture profiles are one approach, but a smart exploiter will be much more clever than that once they figure out how SL works and where the money is.
I’m not a programmer, but I’ve seen games where exploits allowed malicious codes to be put into pictures, such as passeword sniffers. An exploiter could work for several weeks as a new texture seller, having a semi legitimate texture business in SL designed to get interested buyers to look at the web for more samples. Do this for a few weeks, with each viewer potentially unwittingly compromising their computer. Then the exploiter gets the data from the password sniffer, logs onto each account, transfers money to a dummy account(s), cashes out and disappears.
Ive seen this done with fake money, $L are far more an incentive, and there are a lot of clever exploiters out there from all over the world.
I’ve got a really bad feeling this will not end well.
October 24th, 2006 at 11:23 AM
Thank you for pulling this option back and taking time to review it. It shows me that you are at least taking seriously the potential danger of embedded URLs. It also sounds like there is an option to choose how it is viewed. which is good.
So as one who has been concerned and voicing my opinion on this option, I thank you. It helps me begin to believe that you are taking security concerns seriously and dealing with potential problems before code realease. Thats a good start at regaining trust.
Is there any chance that we could have an option to disable this completely. I personally have no need to see another person’s web pages, so I would prefer to have an option so I can disable this option completely. I know there will be an option to choose how you view a page, but I would just prefer to disable the feature and never be asked.
October 24th, 2006 at 11:23 AM
Lewis, welcome to the internet of 1995…
It’s also an opt in feature, for those of you who don’t wish to see it (note there’s a checkbox that I have to currently check every time I log in, to auto-load profiles) you can also manually load it on a per user basis, including opening it externally, so Lewis, you’re a tad late with that rant, they already did that.
I rather like it, I’ve alreayd started work on my own profile (link in my prior post here) and I’ve been asked to provide services for otehrs creating theirs. It can be a business tool, it can be a social exchange (BlogHUD’s already started work on a Profile output for their blog including a web map)
After discussing this with a few friends, I do reolize it’s good to wait for a more stable release, and I appologize to LL for my prior frustration at the feature’s delay.
On a personal note, do people actually use features they complain about before complaining?
October 24th, 2006 at 11:38 AM
Granted I haven’t been around for more than a few months but up until now it seems that whenever an exploit pops up in SL it’s limited to at worst (potentially) stolen logins, permission bugs, taking objects that you don’t own or elevating your status on groups. In other words, while damaging, all of them are confined to Second Life and don’t really affect anything in the real world (loss of L$ aside).
Integrating a web browser into SL brings the potential damage of an exploit to a whole new level since it is/will be possible to install/manipulate the enviornment SL runs in. I know this sounds like fear mongering but when it comes to browsers it seems more like a matter of time than merely an unlikely hypothetical scenario.
I don’t know enough about the whole thing to know for certain but why do web profiles need things like scripting enabled (someone mentioned Flash even works in them?). If you restrict content to the bare minimum (HTML and CSS) wouldn’t any risk drop down to virtually non-existant?
Finally, I hope you realize that web profiles will lead to things like phishing where someone’s web profile shows a mock-up of the web login on secondlife.com in an attempt to acquire login details.
October 24th, 2006 at 11:42 AM
@ Ice: I don’t need to slam my head into a wall to know that I don’t want to do it. All it will take is one exploiter getting through to a large number of accounts. It won’t affect LL directly, just us complaining residents.
Take a look at the relevant TOS Section. It says, in condensed terms…
5.2 All data on Linden Lab’s servers are subject to deletion, alteration or transfer.
When using the Service, you may accumulate … Currency … on Linden Lab’s servers. TH(IS) … MAY BE DELETED … AT ANY TIME FOR ANY REASON IN LINDEN LAB’S SOLE DISCRETION.
… LINDEN LAB DOES NOT PROVIDE OR GUARANTEE, AND EXPRESSLY DISCLAIMS … ANY VALUE, CASH OR OTHERWISE, ATTRIBUTED TO ANY DATA RESIDING ON LINDEN LAB’S SERVERS.
So if an exploiter does succeed, LL will not guarantee any lost data. And last time I checked, $L are simply data.
I’m _not_ saying LL will intentionally screw players, but simply stating the minimum they are _required_ to do under TOS.
How many times have there been grey goo attacks after the problem was “fixed”? Wasn’t there a recent security breach resulting in a change of password for every SL resident?
While I’d love to see this profile thing work, I really like the idea, I’ve just seen too many issues with it elsewhere. Perhaps there is more to it than what I’ve seen, but given that LL has admitted they lack the resources to handle the level of new accounts, and given the amount of bugs which are being worked on, I really wonder if they have sufficent resources to pull off this new web based profile exploit free.
If LL is confident they can, perhaps they should offer some sort of guarantee on any data lost to an exploit.
October 24th, 2006 at 11:43 AM
Its a shame, because I was looking forward to the HTML profile section to publicise the Barbie Club website through my 150 girls profiles. Alas we’ll have to wait until next update for this feature.
BTW what happend to HTML on a prim?
Luv
Stacey
xxx
October 24th, 2006 at 11:47 AM
I agree with Vanessa, why not limit web profiles to HTML & basic jpeg & gif images? Do we need all the bells and gizmos of php, flash & mysql databases just for a profile lol.
Luv
Stacey
xxx
October 24th, 2006 at 11:49 AM
@Ice Brodie: “On a personal note, do people actually use features they complain about before complaining?”
I didn’t use this option before I complained, but I didn’t have to because I understood the potential dangers of this option. My posts elsewhere in this blog outlined my concern and the reason for my concerns. I presented my concerns because I felt too many people were ignoring Lewis Nerd, or attacking him out of habit, without really understanding what he was saying.
This option presents a very significant security risk to the data on every SL residents home computer, and LL is doing the right thing in pulling it back for further review.
October 24th, 2006 at 11:49 AM
I like the option to “opt-in” to new features. I also hate scammers and criminals. If you can do something to keep my account safe and not introduce a vulnerability I’m all for it.
October 24th, 2006 at 11:57 AM
@ Cannae
You know… this is just a web browser being added… it doesn’t interact with the Linden Lab servers aside from storing the address for your web profile. You are obviously using a web browser, and thus have, at one time agreed to a license that basically said Mozilla, Firefox, Navigator, Internet Explorer, Opera, Konqueror, Links, Lynx and Safari (and smaller browsers I may not be aware of) are all provided ‘As is’ without explicit or implied waranty…
Okay, Mozilla’s being put in the client, we aren’t even going to see scripts/notecards as web pages for a while, until then, you’re going to someone else’s personal, business, borrowed, home, exploited server and you’re taking as much risk as you are by clicking a link in an IM client, a web page, an IRC channel, or a search engine.
I’m sorry, but anyone expected to imply a waranty on content they have zero control over is asking too much of anyone.
October 24th, 2006 at 11:59 AM
@Cari oh I aimed that at Lewis, who desired features that where already in it.
@Martin I actually agree with that, and this one is opt in, the browser doesn’t load unless a checkbox is clicked, or a button is pressed, which is opt in.
October 24th, 2006 at 12:07 PM
I can’t tell… is Lewis complaining because they decided not to put in the profile feature… or did he miss the point that it isn’t being rolled out and foaming at the mouth with useless suggestions because he likes to see his name on the Blog (that he thinks is useless and has no value)
Personally… I liked the feature… it didn’t like running the one Java Application i tossed at it. But for an interactive profile page… it was nice.
October 24th, 2006 at 12:11 PM
@Lewis
Dude, you use IE.
A browser, with the catch phrase “Easier and more Secure” that has a critical security flaw discovered less than 24 hours from release.
What the hell do you know about browser security ?
October 24th, 2006 at 12:25 PM
Ice Brodie Says:
…
I’m sorry, but anyone expected to imply a waranty on content they have zero control over is asking too much of anyone.
_________________
Thats my point. LL has zero control over this, which begs the question, why add it? Although I suspect this was part of the grand design for SL from the beginning, making SL fully integrated with the internet.
SL by its nature draws programmers and scripters, both gruntled and disgruntled. Its the latter I worry about with this new feature.
___________________
SignpostMarv Says:
October 24th, 2006 at 12:11 pm
@Lewis
Dude, you use IE.
A browser, with the catch phrase “Easier and more Secure” that has a critical security flaw discovered less than 24 hours from release.
What the hell do you know about browser security ?
_______________________
He probably knows more than your average user. I would bet a signifcant amount of SL residents use IE and rely on preloaded software bundles for security.
October 24th, 2006 at 12:30 PM
Well, LL wants SL to be a part of the internet in the grand scheme of things, tehy can’t waranty that random object dropped on you isn’t going to be someone’s attempt to crash the grid. (I had one friend that that happened to during the grid crashes 2 weeks ago)
Historically, closed source packages will result in delayed updates which leaves people more vulnerable longer.
Open source packages pull resources from many more people and a large focus of those people is putting out code that’s done first because their code is open to public review.
Also, if someone who doesn’t even know about the load and open buttons, and the checkbox required before a web profile loads automatically is an expert in security, I fear for the industry.
October 24th, 2006 at 12:39 PM
@Cannae
When the Department of Homeland Security basically says “Use anything BUT Internet Explorer”, I would hardly call using IE a competent security decision.
IE has NEVER been a secure browser.
October 24th, 2006 at 12:39 PM
@signpostmarv : “What the hell do you know about browser security ?”
I sure Lewis doesn’t need me to defend him, but these personal attacks against him in this blog are out of control and do not add much to the conversation. Ironic that you should accuse him of rude behavior in a rude way…
As for browser security - I know a lot about browser security. And whether you use IE, or FIrefox, or Grandma’s Homemade Browser, they all carry risk. NONE of the browsers are free from exploit. If you think you are safe because you don’t use IE, then all you very wrong.
Running a online game app like SL is a risk, but generally controled risk. Allowing content SL to be scripted and modified by users adds risk, but is mostly limited to loss withn SL which lowers its danger. But allowing external URL connection within SL seriously increases the risk to my personal infomation on my computer and should be taken seriously by LL and others.
October 24th, 2006 at 12:55 PM
@ice: It seems like you and Cannae generally agree that LL can’t control or warranty content, which is true, but what they really worry about is public perception.
If they would allow this external URL option to go in with the concerns we have mentioned, and IF some bad person managed to create an exploit that affected the 1 million SL users, the LL would have a sudden image nightmare, because all of the news media that has been talking about SL would suddenly have a hot story headline “SL exploit allows hackers to access gamers personal data”. Something like this on the heals of the stolen customer data would be a very very big nightmare.
As for any warranty, they will just add something to their TOS that says they are not responsible if your computer is hacked. But even with that, the public perception would still point the finger at LL
As for you comment on load buttons and click boxes - all I ask is a box that says “Disable URL” and I will be happy. I want to turn it of and not have to select how to open someting I don’t want to open at all. But I don’t know how that reflects on anyones ability to be a “security expert.”
October 24th, 2006 at 12:57 PM
the blog seems to have ignored my first attempt to post this -sorry if it comes up twice
@ice: It seems like you and Cannae generally agree that LL can’t control or warranty content, which is true, but what they really worry about is public perception.
If they would allow this external URL option to go in with the concerns we have mentioned, and IF some bad person managed to create an exploit that affected the 1 million SL users, the LL would have a sudden image nightmare, because all of the news media that has been talking about SL would suddenly have a hot story headline “SL exploit allows hackers to access gamers personal data”. Something like this on the heals of the stolen customer data would be a very very big nightmare.
As for any warranty, they will just add something to their TOS that says they are not responsible if your computer is hacked. But even with that, the public perception would still point the finger at LL
As for you comment on load buttons and click boxes - all I ask is a box that says “Disable URL” and I will be happy. I want to turn it of and not have to select how to open someting I don’t want to open at all. But I don’t know how that reflects on anyones ability to be a “security expert.”
October 24th, 2006 at 1:00 PM
@Cari
Mozilla, that is, the core of Firefox, was chosen because SL itself is an OpenGL application, this means that things need to be rendered differently than they do for your windows/mac/linux desktop for the 3D systems (remember, this is leading up to web on prim, and SL’s UI is all GL rendered, not 2D).
Living is a risk, but generally a controlled risk… This is controlled, LL’s delaying the Mozilla integration until Moz1.8.0.7 where a lot of security issues formerly in Moz1.8.0.5 along with a bug I think I might have discovered, if not at least found… related to some elements of the browser rendering oddly.
Also, in Kelly Linden’s prior comments on prior posts about this feature, there is a gridwide killswitch if a vulnerability is foun, that does not require client update, but merely a setting on the LL backend. So there is some security here, as LL will be adopting a policy of “killswitch and fix” when problems are found.
October 24th, 2006 at 1:07 PM
Ironically, there is a bit of waranty built in, Kelly had posted earlier that there’s a gridwide killswitch.
So, heh, I was wrong, LL can ensure some security.
October 24th, 2006 at 1:09 PM
Good job. One of the key things about SL is that it is a secure platform, let’s keep it that way. (Though, there is some loopholes via streaming, of course..)
October 24th, 2006 at 1:41 PM
Correct I am an “average user” - but I choose to protect my PC with the Norton security suite, which covers most vulnerabilities that users can throw at you, plus of course common sense when you get the “Dear Ebay User, please log in to confirm your details” or suchlike emails when they arrive.
But this is the thing. I use IE, knowing it’s not perfect, but it is covered by the integration with Norton’s stuff.
However, the SL client does not integrate with Norton in the same way, and not only is the general risk there, but the *specific* risk of a user linking a page specificially set up as a web profile targetted only for use in SL - so any passwords grabbed are known to be from active SL users. Just like the “Dear Ebay user” phishing emails, when someone responds you *know* that they are an active Ebay user.
I’m not at all disappointed that this feature I have no use for is being delayed - I am however disappointed that it appears that Linden Lab do not take the security of their world seriously - putting it off two weeks is not, repeat not, going to change the risk. The only truly secure solution is to open in an external browser where you, the user, are responsible for implementing security on it. As it stands now, we have to trust Linden Lab - and there’s no other way to say this, but I don’t.
Lewis
October 24th, 2006 at 1:45 PM
Hmmm my post disappeared… we being moderated again without warning or reason?
Lewis
October 24th, 2006 at 1:50 PM
@Cari
I’m not making personal attacks, although I can understand how they can seem that way. I was intending to make light of the well publicised history of IE as an insecure browser and Lewis stating he uses IE.
I personally do not believe that I am “safe” because I do not use IE, I belive I am safeER because I don’t use IE.
No ActiveX support in Firefox (unless you’re installing that extension), AdBlock + No Script + Cookie Safe + Platypus + Greasemonkey + Web Developer to disable Java applets globally + auto-update + RSS feeds in Thunderbird means my browsing is a hell of a lot safer (and more pleasant since I don’t have any annoying ads to deal with) than using IE.
All I see Lewis doing is fear mongering the lesser-informed.
Making entirely valid points, but doing them in such a way that nobody wants to listen. And if it’s intentional (which I hope it isn’t), then one would assume this is so Lewis can say “told you so” when the shit hits the fan.
Which it probably will at some point, but there’s no need to be an ass about it.
October 24th, 2006 at 2:01 PM
Having spent 5 minutes in the preview grid and finding 3 bugz with web profiles, I’m happy they decided not to deploy this feature for whatever reason.
October 24th, 2006 at 2:08 PM
The central issue is that viewing a profile has historically been a risk-free, cost-free exercise. Now it should be approached like normal web surfing, which many — but not most — users already approach with a degree of caution. I.e., they usually only go where they want to.
As I understand it, however, there is a disable option and page loading is staged and not automatic. This seems like a sensible approach.
Seriously, though, complaining about exploit potential for an application that hosts a web browser is absolutely barking up the wrong tree — many applications host 3rd-party web browser components (my RSS aggregator, for one) and they’re not responsible for the weaknesses of their browser technology at all.
October 24th, 2006 at 2:40 PM
@Cari : “But allowing external URL connection within SL seriously increases the risk to my personal infomation on my computer and should be taken seriously by LL and others.”
Which is why LL is delaying the introduction of the feature.
October 24th, 2006 at 7:52 PM
@Lewis: “Correct I am an “average user” - but I choose to protect my PC with the Norton security suite, which covers most vulnerabilities that users can throw at you, plus of course common sense when you get the “Dear Ebay User, please log in to confirm your details” or suchlike emails when they arrive.”
Norton is better than nothing I guess ;/ It’s not exactly revered by security experts.
I would I would reccomend Zone Alarm Security Suite over Norton.
October 24th, 2006 at 8:24 PM
@Ice; I know that living is risk, and the whole computer security world is nothing but controlled risk. That is exactly what I tell people. BUT I want to control the risk, and not leavie it up to LL, who have a recent reputation of NOT being able to control that risk.
So that is EXACTLY why I want an option to disable all external URLs, whetheri in profiles or in whatever future use they may have for it - whch, by the way, is limitless. I don’t think its enough to disable the ability to open URL’s inside SL so I want to manage my risk by disabling it.
A kill switch is a good idea, and even an important security tool, but it is a REACTIVE solution. Thats nice, and mitigates risk - unless you happen to be on of the unlucky people who are exploited before the switch is flipped.
@Michael: Which is exactly what I said in an earlier post in this blog. I am glad they are delaying it. This is one feature that needs to be implemented with great care.
October 24th, 2006 at 8:36 PM
The tuesday before this so called feature is pushed, I’ll have looked at my last profile.
October 24th, 2006 at 11:50 PM
It seems a shame to have this cut off right now, but I’m glad to see you guys seem to be trying to get a testing schedule down at least.
‘course, I’m on the Linux client, so it doesn’t actually affect me cuz we still don’t have Mozilla integrated.
October 25th, 2006 at 12:19 AM
oh well - looking forward to when it does come out - securely.
October 25th, 2006 at 12:22 AM
Everyone seems to be missing two key points about the Web tab in profiles….
1) By default, the contents of the Web tab DOES NOT load automatically; you have to click the “Load” button to load the contents in the tab.
2) You have the option to OPEN THE WEB PROFILE IN AN EXTERNAL BROWSER by clicking the “Open” button.
So, to those who have security concerns and/or wish to be protected by their (lackluster) security software, simply don’t change the default behavior of the Web tab, and load the web profiles in an external browser. Problem solved.
Take care.
- SDW ^..^
October 25th, 2006 at 1:55 AM
Yes, how about these personal attacks, there used to be a time where ppl got warned/banned for doing so in the forums. The way some think they can talk about others is really bothering and fears off others to react at all, as it seems some of us can be openly targeted in more the one thread, without any action taken, its going on for some days now
October 25th, 2006 at 4:10 AM
[...] UPDATE 2: Web tabs on hold until later release [...]
October 25th, 2006 at 6:55 AM
Norton secure? ROFLMAO!
You MUST be joking Lewis. The only thing Norton does ’securely’ is consume disk space, system memory, and resources! Ahahhahahah
Sorry… am I reducing your comfort level?
Seriously… NO computer is 100% secure. The only way to achieve that is to keep it turned off.
Good luck with that.
October 25th, 2006 at 7:11 AM
Thank you so much for posting this, that’s really laid a lot of my fears to rest - particularly the fact that we can *choose* whether or not to view external sites and don’t just get them autoloaded as soon as we look at a profile (since a griefer’s profile is usually the first thing you want to check!). Okay, now I appreciate that this is going to be a great feature for a lot of people. Well done on informing us all =)
You still need to fix my teleport bug though LOL
October 25th, 2006 at 7:43 AM
Qoute Cannae Brentano
“but I’ve seen games where exploits allowed malicious codes to be put into pictures, such as passeword sniffers.”
First i like to mention picture formats dont have anny runable exec. they can contain hidden data tho only with animating gif files. jpg is pritty thight. its just not posible to include anny runnable info into an picture and run it. least not with the common pictures used out on sites. (i would love to see and article on this game)
Its always a good idea to run the proper security messures and keep them upto date. in my opion sites always pose a sertian risk and u should ALWAYS be protected against them. leavingout sertian features wil just surface other evils and supress creativity.
a basic antivirus will not be suficient with the current perm internet connection aka broadband. u are connected to the internet when your computer is on, if u have broadband and firewall is a must have. the internet ALWAYS will pose some risk nomatter the precousions u take. but u never should just asume your computer is safe..
“asumption is the mother of all screwups”
October 25th, 2006 at 8:53 AM
Regarding any personal attacks, which may (or may not) be happening. I have certainly noticed a strong tendency for some bloggers to pooh-pooh general concern and disgruntlement at poor customer service, as though we had no right to air such negative opinions.
I for one am grateful for Lewis, Cannae, Cari and others for pointing out potentially serious issues that other people seem to be taking with an extremely naive pinch of salt. I am an average user, I don’t really have much of a clue about internet security beyond common sense, and I am quite sure that many players are even less clued up than me. Is giving the masses a pretty feature to mindlessly click-click-click like hamsters *really* a good idea..? Time will tell.
It seems to me, now that the release of the profile URL feature is being delayed and we are all suddenly given a security explanation to calm our fears, that some of this is being done IN RESPONSE to concerns posted on this blog.
So, good. I’d like to see people continue to voice their concerns, in the only forum available for them to do so, as this is the only way we get any input on what LL does with **OUR** platform. Assuming they listen to the bloggers at all, that is.
October 25th, 2006 at 11:04 AM
Waster: “First i like to mention picture formats dont have anny runable exec.”
Not true. There have been situations where maliciously created image files create various buffer overrun situations in an image viewer. Or worse, the shared chunks of code that several programs use to view images can be exploited.
Thus, a picture can DEFINITELY cause code to run on your computer. It’s not supposed to, but it can in the right situation.
October 25th, 2006 at 11:14 AM
Norton, secure? Ha! They’re more of a marketing company than a technology company, infesting every new home PC bought with their mediocre-at-best, system hogging infestware.
Please also note, SL uses the Mozilla browser (SLozilla?), NOT Firefox, and there is a difference. Is there any chance of getting a “SecondLife” token in the user agent header before release? Right now, the mozilla browser in preview reports this as the header:
HTTP_USER_AGENT Mozilla/5.0 (Windows; U; Windows NT 5.1; chrome://navigator/locale/navigator.properties; rv:1.8.0.4) Gecko/20060602
Compare that to Firefox:
HTTP_USER_AGENT Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
If we could get a “SecondLife/1.x.x” at the end, that would rock, so we can *easily* detect when people are using the Second Life browser versus another. Also, and chance of getting something passed in the header to say specifically this request is from the web profiles tab, so we can size accordingly? That way, we don’t have to worry changing things around once there’s a full-size browser available from within SL.
Regards,
-Flip
October 25th, 2006 at 12:05 PM
@FlipperPA Peregrine
Wrong on both accounts. Second Life uses uBrowser, which is an implementation of the Gecko rendering engine. The version of Gecko used in uBrowser is the same as the one in Firefox. The Mozilla Foundation no longer actively develop the Mozilla Browser.
In casual reference to uBrowser, it’s more accurate to say “Firefox” than it is to say “Mozilla”. Something I keep bugging Phillip about
All browsers can have their user agent spoofed. Therefore having “SecondLife/1.x.x” would be entirely useless.
The only relatively reliable way to detect if a user was using SecondLife would be for Linden Lab to support
lindescript:urls as I’ve mentioned, and allow llHTTPRequest() to work as document.location would in javascript, or some new function to similar effect (e.g. to append ?secondlife=TRUE to the query string as you might do for flash).Even then, that’s only a greasemonkey script or firefox extension away from getting spoofed.
October 25th, 2006 at 12:07 PM
Waster: “First i like to mention picture formats dont have anny runable exec.”
_________________
It is possible to embed a malicious code in a picture using JAVA. View the picture, it runs the script. It won’t work to my knowledge if Java is disabled on the user end.
October 25th, 2006 at 12:27 PM
Signpost, to respectfully disagree:
Who cares if the user agent is spoofed? So they get a slightly different version of your web site. There’s no advantage or honey pot to spoofing the user agent, but it would be quite useful as a developer. Calling it “entirely useless” just because it could be spoofed (with no real advantage to spoofing it) makes no sense to me. What percentage of typical computer users have ever spoofed a user agent header? My guess is less than 0.01%. Therefore, it would typically be *quite* useful. OTOH, introducing a new URL type could be quite confusing to the typical user.
The uBrowser code is what will be used for HTML on a prim, I know; are you sure it’s also what they’re using here? Read Kelly’s comments for more details:
“All the HTML rendered in Second Life (the new login screen, web profiles and F1 help) is done using the Mozilla browser engine.”
“The Web Profiles feature is based on the Mozilla libraries included in Second Life. Specifically, the version we have been using is based on the 1.8.0.5 code base of Mozilla. In addition to addressing annoying but non-critical bugs (e.g. the positioning of SELECT element popups, etc.), we had been engaged in updating our code base to utilize the 1.8.0.7 code base of Mozilla.”
The Firefox comment was directed towards people who have been commenting that they “don’t want Firefox in SL” and would “prefer IE in SL” (even though that’s just silly).
Regards,
-Flip
October 25th, 2006 at 1:26 PM
@SignpostMarv, If somebody want to their browser agent and get a tiny profile sized web page, then who am I to judge?
October 26th, 2006 at 3:58 AM
@ Flippe:
Yes. I’m sure. Lindens making typos yet again.
As it states on uBrowser.com:
The Triden rendering engine sucks. The Tasman one is marginally better, but why would you want to embed a rendering engine that drives the web design industry nuts ?
using
lindenscript:urls would be no more difficult than usingjavascript:urls to do javascript detection.Since both ways can be spoofed in one way or the other, the most reliable method would be to get the user to click a button that IMs their avatar a code by way of XML-RPC.
Since unless Linden Lab put some special stuff in like the
), you’re going to have a hard time telling the functional difference between uBrowser and Firefox.
lindenscript:support (which the peeps over at libSL will no doubt have fun releasing a javascript wrapper extension forWebsites that attempt to sniff the functionality of a browser have historically done it the wrong way, and have generally done so for the wrong reasons. Serving completely different content when flash isn’t “available” instead of using the Flash Satay technique for example.
What you should be able to do to detect if they’re viewing it inworld however is to script up a POST request instead of a GET request using some secret sauce that’s invisible to the user.
October 26th, 2006 at 5:59 AM
“if you’re hacking your own viewer you could just as easily install … an insecure independent browser version directly… ”
How would one go about that?
October 27th, 2006 at 9:43 AM
@Sue Baskerville:
I didn’t mean install it into SL.
I meant: download any older copy of Firefox, IE, Opera, whatever that has known security issues and visit an exploit site. That’s even easier than modifying your SL preferences to point the embedded browser at an exploit site. So DON’T DO IT!
November 2nd, 2006 at 2:32 PM
[...] (more…
[...]
February 18th, 2007 at 12:21 AM
java popups
Here is a true saying ” For every girl with curves there are several