Subodh Neximus Posted May 19, 2018 Share Posted May 19, 2018 (edited) Like the title somewhat suggest the goal for this post is to find a way for http request from virtual world to the great outside, and not have destination ip address show up in logs for the virtual server holder (other then linden, if the object is active in SL). Don't know if this is a problem but assuming so. Reason for this inquiry is at bottom line that i'm a noob when it comes to server and therefore security is not the most molded concept. By doing some foot work in lsl code this can be partially remedied. This would be applied to a single lsl script with no modify permission that will handle http/https communication to and from the internet. The script would most likely be used at different regions, therefor most likely have little to non know data to compare and confirm if a Linden Lab server are the current host. The Application is not super secret but would not be hurt from better security towards not showing server ip address and other server holder information to current host. Any suggestions or hypothesizes is greatly appreciated. Concepts for a partially remedy tincture: Use a 3rd party server to verify from sender and act as a relay. Cons: Cost, complication, implementation. Pros: Would assumme a very high chance to not show destination ip address Check if ip address are known to be Linden Labs ones http://wiki.secondlife.com/wiki/Simulator_IP_Addresses , this would necessity be verified by a 3rd party server. Cons: Can probably be simulated by a non Linden Labs server Use a if statement in lsl code for known values that should equal return from all/any llGetSimulatorHostname | llRequestSimulatorData | llGetRegionCorner | llGetRegionName | llGetEnv Cons: Can probably be simulated by a non Linden Labs server, Not always enough relevant data to accurate confirm if data is true. Edit: Is it possible to show a lsl code(with any permissions) in a web browser like firefox with and without login credentials? Is possible for a lsl code to get a 'bird eye view' of where it is run and confirm that some how? : Not only look inside its "bubble of operation environment" but the greater "image". Edited May 20, 2018 by Subodh Neximus Link to comment Share on other sites More sharing options...
animats Posted May 19, 2018 Share Posted May 19, 2018 It's not clear what you want to do. Do you just want your server to be sure the message is from your LSL code? If so, you could sign it. I do that for bike logging data, which can be used for race timing. My LSL code has a key in it, which is just a string of arbitrary characters. That's the only secret. The LSL code converts the data to a string, adds the secret key to the string, computes the SHA 1 hash (there's a LSL function for this) and sends the hash as an HTTP parameter. The data string is sent as HTTP data. The server does the same hash using the same secret key, and checks that it gets the same value as the one in the HTTP parameter. This doesn't encrypt the data; it just signs it to prevent tampering. If you want to encrypt it, too, use HTTPS. This is reasonably secure. Not perfect. There's a known way to break SHA1, and this doesn't protect against playback attacks. It's enough to stop griefers. Link to comment Share on other sites More sharing options...
Subodh Neximus Posted May 20, 2018 Author Share Posted May 20, 2018 (edited) Thank you animats for a great replay. I'll surely will use your suggestion for added security. My question is about to not let the sim host (if it be openSim or other non Linden Labs servers) to know the destination ip address for and http request sent from 'in world' except for Linden Labs. Did change the title to a more fitting one. Edited May 20, 2018 by Subodh Neximus Link to comment Share on other sites More sharing options...
Richardus Raymaker Posted May 20, 2018 Share Posted May 20, 2018 I think what subodh want is that only the ip adresses from linden lab appear in the logs of the external server and not any ip directly from a user. It's a good question with GDPR around the corner. Not that i use http right now, but i like to know a way to, in case i need it. So the question could be, how to remove user ip adresses from lsl http request ? Link to comment Share on other sites More sharing options...
Monti Messmer Posted May 20, 2018 Share Posted May 20, 2018 Hi, ip adresses are openly used all over. A DJ or music/video streamer knows it. Google knows it, FBook, WApp .... The IP adress is not you, or owned by you (usually) it´s your internet provider. About privacy: My Ip adress is about 200 miles away from my real home, so theres millions of people you had to ring at the door. HTTP request are made to "outside" servers to read data from a database for whatever reasons. Opensim, well ... sims (grids) run by whoever not even a legal company, is always a "risk". Hiding the ip adress is cutting your internet. The logs must keep them for research, legal inquiry by police ... Short: you cannot hide them Nothing to do with the new GDPR, i think. Monti Link to comment Share on other sites More sharing options...
Subodh Neximus Posted May 20, 2018 Author Share Posted May 20, 2018 Thank you both Richardus and Moti for a solid answer. But that is not quite right with the context of the question. So if an object in second life(in world) contacts an 'real life' server, What the inquiry is about: To make sure that the 'in world' lsl code only does http communication when hosted by Linden Labs servers. This way i assume only Linden Labs get to know destination ip address, wish is acceptable. What is not desirable is if the 'in world' lsl code is running/hosted by non Linden Labs server and the outgoing ip address are loged or in other ways "exposed" as a potential target. Also i don't have a domain name that are used in http requests so ip address and domain name can be interchanged in my posts. Link to comment Share on other sites More sharing options...
Callum Meriman Posted May 20, 2018 Share Posted May 20, 2018 (edited) 20 minutes ago, Subodh Neximus said: What is not desirable is if the 'in world' lsl code is running/hosted by non Linden Labs server For SL, and that is really all you are allowed to talk abou on these forums, LSL code will *ALWAYS* run on servers under LL's control. That's it. Topic effectively closed. Edited May 20, 2018 by Callum Meriman Link to comment Share on other sites More sharing options...
Subodh Neximus Posted May 20, 2018 Author Share Posted May 20, 2018 (edited) Thank you for response Callum. Have posted new questions at the bottom of entry post. Edited May 20, 2018 by Subodh Neximus Link to comment Share on other sites More sharing options...
animats Posted May 21, 2018 Share Posted May 21, 2018 If you make an HTTP request from a Second Life LSL script, the source IP address will be some server at Linden Labs' data center. It will not be the IP address of the user's computer where the viewer is running. Link to comment Share on other sites More sharing options...
Subodh Neximus Posted May 22, 2018 Author Share Posted May 22, 2018 Thank you for good response animats. Link to comment Share on other sites More sharing options...
Subodh Neximus Posted May 22, 2018 Author Share Posted May 22, 2018 Have come to the conclusion that a no-mod script is impossible to copy-bot and therefor resign only on Linden Labs official server. Link to comment Share on other sites More sharing options...
Kyrah Abattoir Posted May 22, 2018 Share Posted May 22, 2018 You could check for referrers, linden lab has some specific "browser parameters" in all outbound HTTP requests (it can however easily be forged). You could also check that the source IP belongs to linden lab. Link to comment Share on other sites More sharing options...
Facebook
Instagram
Twitter
YouTube
Flickr
Recommended Posts
Please take a moment to consider if this thread is worth bumping.
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now