Subodh Neximus

Hide IP address from host holder except Linden Labs for HTTP from SL.

As the title somewhat suggests, the goal of this post is to find a way to make HTTP requests from the virtual world to the great outside without having the destination IP address show up in logs for the virtual server holder (other than Linden, if the object is active in SL). I don't know if this is a problem, but I am assuming so. The reason for this inquiry is, at bottom, that I'm a noob when it comes to servers, and therefore security is not the most molded concept. By doing some footwork in LSL code this can be partially remedied.

This would be applied to a single LSL script with no modify permission that will handle HTTP/HTTPS communication to and from the internet. The script would most likely be used in different regions, and therefore most likely have little to no known data to compare against to confirm whether a Linden Lab server is the current host.

The application is not super secret, but it would not be hurt by better security around not showing the server IP address and other server holder information to the current host.

Any suggestions or hypotheses are greatly appreciated.

 

Concepts for a partial remedy tincture:

Use a 3rd party server to verify from sender and act as a relay.

Cons: Cost, complication, implementation.

Pros: Would assume a very high chance of not showing the destination IP address

Check if the IP addresses are known to be Linden Labs ones (http://wiki.secondlife.com/wiki/Simulator_IP_Addresses); this would necessarily be verified by a 3rd party server.

Cons: Can probably be simulated by a non Linden Labs server

Use an if statement in LSL code for known values that should equal the return from all/any of llGetSimulatorHostname | llRequestSimulatorData | llGetRegionCorner | llGetRegionName | llGetEnv

Cons: Can probably be simulated by a non Linden Labs server. Not always enough relevant data to accurately confirm if the data is true.

 

Edit:

Is it possible to show LSL code (with any permissions) in a web browser like Firefox, with and without login credentials?

Is it possible for LSL code to get a 'bird's-eye view' of where it is run and confirm that somehow? Not only look inside its "bubble of operation environment" but at the greater "image".

Edited by Subodh Neximus


It's not clear what you want to do. Do you just want your server to be sure the message is from your LSL code? If so, you could sign it. I do that for bike logging data, which can be used for race timing. My LSL code has a key in it, which is just a string of arbitrary characters. That's the only secret. The LSL code converts the data to a string, adds the secret key to the string, computes the SHA-1 hash (there's an LSL function for this) and sends the hash as an HTTP parameter. The data string is sent as HTTP data. The server does the same hash using the same secret key, and checks that it gets the same value as the one in the HTTP parameter.

This doesn't encrypt the data; it just signs it to prevent tampering. If you want to encrypt it, too, use HTTPS. 

This is reasonably secure. Not perfect. There's a known way to break SHA1, and this doesn't protect against playback attacks. It's enough to stop griefers.
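
The server side of the signing scheme described in the post above, as an added example (not code from the thread or from any poster). The key string, the `<unix_time>|<payload>` data layout, the 30-second window and the replay cache are assumptions that go beyond the post, added to cover the playback case it mentions.

```python
import hashlib
import hmac
import time

SECRET = "constructed-example-key"  # constructed; the same string sits in the LSL script
MAX_AGE = 30                        # seconds; assumed freshness window

def sign(data: str, secret: str = SECRET) -> str:
    """SHA-1 over data + secret as lowercase hex: what the script side sends."""
    return hashlib.sha1((data + secret).encode("utf-8")).hexdigest()

def verify(data: str, received: str, secret: str = SECRET) -> bool:
    """Recompute the hash and compare in constant time (bytes, so odd input cannot raise)."""
    expected = sign(data, secret).encode("ascii")
    return hmac.compare_digest(expected, received.strip().lower().encode("utf-8"))

class Receiver:
    """Signature check plus replay rejection; the replay part is not in the post."""

    def __init__(self, now=time.time):
        self.now = now
        self.seen = {}  # accepted hash -> timestamp carried in that message

    def accept(self, data: str, received: str) -> str:
        if not verify(data, received):
            return "bad-signature"
        # Assumed layout: "<unix_time>|<payload>"; the timestamp is covered by the hash.
        try:
            sent = int(data.split("|", 1)[0])
        except ValueError:
            return "malformed"
        now = self.now()
        if abs(now - sent) > MAX_AGE:
            return "stale"
        # Entries older than the window can be dropped: a replay of them is stale anyway.
        self.seen = {h: t for h, t in self.seen.items() if now - t <= MAX_AGE}
        digest = received.strip().lower()
        if digest in self.seen:
            return "replay"
        self.seen[digest] = sent
        return "ok"

if __name__ == "__main__":
    rx = Receiver()
    msg = f"{int(time.time())}|rider=constructed;lap=3"  # constructed sample data
    sig = sign(msg)
    print(rx.accept(msg, sig))                        # first delivery
    print(rx.accept(msg, sig))                        # same bytes captured and re-sent
    print(rx.accept(msg.replace("lap=3", "lap=1"), sig))  # payload changed in transit
```

Plain SHA-1 over data plus key is the scheme as posted; where both ends support it, HMAC is the standard keyed-hash construction.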


Thank you animats for a great reply. I will surely use your suggestion for added security.

My question is about not letting the sim host (be it OpenSim or other non Linden Labs servers) know the destination IP address for an HTTP request sent from 'in world', except for Linden Labs.

Did change the title to a more fitting one.

Edited by Subodh Neximus


I think what Subodh wants is that only the IP addresses from Linden Lab appear in the logs of the external server and not any IP directly from a user. It's a good question with GDPR around the corner.

Not that I use HTTP right now, but I'd like to know a way to, in case I need it.

So the question could be: how to remove user IP addresses from LSL HTTP requests?


Hi, IP addresses are openly used all over. A DJ or music/video streamer knows it. Google knows it, FBook, WApp ....

The IP address is not you, or owned by you (usually); it's your internet provider's. About privacy: my IP address is about 200 miles away from my real home, so there's millions of people you'd have to ring at the door.

HTTP requests are made to "outside" servers to read data from a database for whatever reasons.

Opensim, well ... sims (grids) run by whoever, not even a legal company, are always a "risk".

Hiding the IP address is cutting your internet. The logs must keep them for research, legal inquiry by police ...

Short: you cannot hide them

Nothing to do with the new GDPR, i think.

Monti


Thank you both Richardus and Monti for a solid answer. But that is not quite right in the context of the question. So if an object in Second Life (in world) contacts a 'real life' server, what the inquiry is about is: to make sure that the 'in world' LSL code only does HTTP communication when hosted by Linden Labs servers. This way I assume only Linden Labs gets to know the destination IP address, which is acceptable. What is not desirable is if the 'in world' LSL code is running/hosted by a non Linden Labs server and the outgoing IP address is logged or in other ways "exposed" as a potential target.

Also, I don't have a domain name that is used in HTTP requests, so IP address and domain name can be interchanged in my posts.

20 minutes ago, Subodh Neximus said:

What is not desirable is if the 'in world' LSL code is running/hosted by a non Linden Labs server

For SL, and that is really all you are allowed to talk about on these forums, LSL code will *ALWAYS* run on servers under LL's control.

That's it.

Topic effectively closed.

Edited by Callum Meriman


If you make an HTTP request from a Second Life LSL script, the source IP address will be some server at Linden Labs' data center. It will not be the IP address of the user's computer where the viewer is running.


You could check for referrers; Linden Lab has some specific "browser parameters" in all outbound HTTP requests (they can, however, easily be forged).

You could also check that the source IP belongs to Linden Lab.
