Marketplace has a serious security problem


Dean Claremont

Hey guys, I hope you are doing great!

I was unable to see images on the SL Marketplace and I thought that the solution would be

to disable the adblocker, clear the cache, try a different browser or something similar,

but it turns out that it's something much more serious and needs to be solved ASAP!

 

At the end of my research, I managed to detect the problem.

The only way to see images on SL marketplace is to turn off Safe browsing in Google Chrome???

 

There is actually one more way but that's just unacceptable!

Go to Chrome settings

Security and Privacy 

Security 

Site settings

Additional permissions

Insecure content 

Allowed to show insecure content

Add https://marketplace.secondlife.com/

 

 

[Attached screenshot: sl 2.png]
For anyone reading who is confused or doesn't understand:

Newer Chrome versions block 'insecure' content by default. That means any content loaded over HTTP (not HTTPS) won't load.

The issue here seems to be that product images sometimes fall back to being served over HTTP, not HTTPS, meaning the images won't load.

As pictured above, this can be worked around, although it should not be needed. By default, at least on my connection, images are served via HTTPS, meaning I do not require this workaround.


Just a heads-up, this is now the third thread on this subject, in a third forum. It really needs condensing to one.

In another thread I mentioned I had cured some of the problems by clearing cookies for the marketplace but then found that was a random cure.

The final cure I managed was to stop using Firefox and use Opera. I then got all the images.


15 hours ago, Jenna Huntsman said:

For anyone reading who is confused or doesn't understand:

Newer Chrome versions block 'insecure' content by default. That means any content loaded over HTTP (not HTTPS) won't load.

The issue here seems to be that product images sometimes fall back to being served over HTTP, not HTTPS, meaning the images won't load.

As pictured above, this can be worked around, although it should not be needed. By default, at least on my connection, images are served via HTTPS, meaning I do not require this workaround.

Thanks Jenna for the clarification, that's exactly what the problem is.

For Linden Lab that should be pretty easy to fix.

All they have to do is use the plugin "Better Search and Replace":

https://wordpress.org/plugins/better-search-replace/

That plugin will convert all their HTTP media files to HTTPS

and problem solved.

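Jenna's diagnosis (an https:// page pulling some images from http:// URLs, which the browser then blocks as mixed content) and Dean's proposed bulk http-to-https rewrite can both be checked offline. The scanner below is an added example written for this thread; it is not code from the forum, from Chrome, or from Linden Lab. It parses a saved copy of a page, resolves every sub-resource URL against the page URL, and reports the ones that would be fetched over plain HTTP, separating "passive" content (images, media, which Chrome tries to auto-upgrade and only blocks if the https fetch fails) from "active" content (scripts, frames, stylesheets, which are blocked outright). The `upgrade_insecure` helper does what a search-and-replace or the CSP directive `upgrade-insecure-requests` does to such a URL. The sample page URL and HTML are constructed for the example; the `.invalid` hosts are not real Marketplace image servers.

```python
"""Mixed-content scanner for an HTTPS page (added example, not the forum's code)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Tags whose http:// sub-resources browsers treat as *passive* mixed content.
# Anything else (script, iframe, stylesheet, object) is *active* and is blocked.
PASSIVE_TAGS = {"img", "audio", "video", "source"}
URL_ATTRS = {
    "img": ("src",), "source": ("src",), "audio": ("src",), "video": ("src", "poster"),
    "script": ("src",), "iframe": ("src",), "link": ("href",), "object": ("data",),
}


class _ResourceCollector(HTMLParser):
    """Collect (tag, attribute, raw URL) for every sub-resource the page loads."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet <link>s are fetched as blocking sub-resources here;
        # rel=canonical and friends are just metadata.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name in URL_ATTRS.get(tag, ()):
            if attrs.get(name):
                self.found.append((tag, name, attrs[name]))
        # srcset is a comma-separated list of "url [descriptor]" candidates.
        srcset = attrs.get("srcset") if tag in ("img", "source") else None
        if srcset:
            for candidate in srcset.split(","):
                parts = candidate.split()
                if parts:
                    self.found.append((tag, "srcset", parts[0]))


def find_mixed_content(html: str, page_url: str):
    """Return [(tag, attr, absolute_url, 'passive'|'active')] for each sub-resource
    an https:// page would fetch over http://. Relative and protocol-relative
    ("//host/x") URLs inherit the page scheme and are therefore not flagged."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only a concept on secure pages
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, attr, raw in collector.found:
        absolute = urljoin(page_url, raw)
        if urlsplit(absolute).scheme == "http":
            kind = "passive" if tag in PASSIVE_TAGS else "active"
            findings.append((tag, attr, absolute, kind))
    return findings


def upgrade_insecure(url: str) -> str:
    """Rewrite http:// to https:// with the same host and path. This is what the
    CSP directive `upgrade-insecure-requests` (and Chrome's auto-upgrade of
    passive content) does; it only helps if the host actually serves HTTPS."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    return urlunsplit(("https",) + tuple(parts[1:]))


# Constructed sample input for the example (not a real Marketplace listing).
SAMPLE_PAGE_URL = "https://marketplace.secondlife.com/p/example-item"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/assets/site.css">
<script src="https://cdn.example.invalid/app.js"></script>
</head><body>
<img src="http://images.example.invalid/item-1.jpg" alt="served over plain http">
<img src="//images.example.invalid/item-2.jpg" alt="protocol-relative, inherits https">
<img src="/images/item-3.jpg" srcset="http://images.example.invalid/item-3@2x.jpg 2x">
<iframe src="http://widgets.example.invalid/preview"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, kind in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{kind:7} <{tag} {attr}> {url}  ->  {upgrade_insecure(url)}")
```

Running it on the sample reports three findings: two passive image URLs (one hidden in a `srcset`) and one active iframe. To use it on a real page, save the HTML with the browser's "Save page" or `curl` and pass the page URL you fetched; the URL you resolve against matters, because a relative `src` is only safe if the page itself was https.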

7 hours ago, Profaitchikenz Haiku said:

Just a heads-up, this is now the third thread on this subject, in a third forum. it really needs condensing to one.

In another thread I mentioned I had cured some of the problems by clearing cookies for the marketplace but then found that was a random cure.

The final cure I managed was to stop using Firefox and use Opera. I then got all the images.

Already tried all other browsers and incognito modes, nothing works

except turning off safe browsing

or adding marketplace to be allowed to show insecure content 


4 minutes ago, Dean Claremont said:

Already tried all other browsers and incognito modes, nothing works

except turning off safe browsing

or adding marketplace to be allowed to show insecure content 

Wouldn't it make sense that if it's only you complaining about not being able to see images and you've tried everything that umm...it might be you and whatever computer set up you have?

I haven't had any of the issues you've posted here. Everything is working fine. I have the newest version of Chrome.


3 hours ago, Sam1 Bellisserian said:

Wouldn't it make sense that if it's only you complaining about not being able to see images and you've tried everything that umm...it might be you and whatever computer set up you have?

I haven't had any of the issues you've posted here. Everything is working fine. I have the newest version of Chrome.

Trying to make this look like it's not harmful won't help.

The problem is real and the SL Marketplace is serving images over HTTP and not over HTTPS.

I am sure you know all about it since you are using the newest version of Chrome :)


On 10/2/2021 at 1:01 AM, Dean Claremont said:

Trying to make this look like it's not harmful won't help.

The problem is real and the SL Marketplace is serving images over HTTP and not over HTTPS.

I am sure you know all about it since you are using the newest version of Chrome :)

There's nothing inherently wrong with serving marketplace images over HTTP instead of HTTPS as a fallback. If you're concerned about security, as long as it's maintained where it's necessary (see: login, password, etc.) an image being unencrypted is of little concern. Keep in mind the majority of the 'net (>50%) ran over HTTP before 2014. It wasn't until relatively recently (2018) that websites were labeled insecure for not being HTTPS by default.

"But they can see what I see". Yes, they can if there's a MitM intercepting traffic. But unless you've taken appropriate steps to secure your DNS requests they can also see that you're accessing marketplace.secondlife.com (or any other website for that matter). But that's another topic for discussion.

If you're still having this issue then likely you need to review your software/hardware. Given the date of your initial post it sounds like it has to do with the DST Root CA X3 certificate expiring on September 30th. It's the same issue that caused the Unscheduled Maintenance to LSL Scripts as well.

Bottom line:
HTTPS? Important.
HTTP for images? Not a serious issue to blare alarms.
Having to make exceptions for the fallback? Worth looking into but that's why it's called a fallback.


7 hours ago, Renae Daines said:

There's nothing inherently wrong with serving marketplace images over HTTP instead of HTTPS as a fallback. If you're concerned about security, as long as it's maintained where it's necessary (see: login, password, etc.) an image being unencrypted is of little concern. Keep in mind the majority of the 'net (>50%) ran over HTTP before 2014. It wasn't until relatively recently (2018) that websites were labeled insecure for not being HTTPS by default.

"But they can see what I see". Yes, they can if there's a MitM intercepting traffic. But unless you've taken appropriate steps to secure your DNS requests they can also see that you're accessing marketplace.secondlife.com (or any other website for that matter). But that's another topic for discussion.

If you're still having this issue then likely you need to review your software/hardware. Given the date of your initial post it sounds like it has to do with the DST Root CA X3 certificate expiring on September 30th. It's the same issue that caused the Unscheduled Maintenance to LSL Scripts as well.

Bottom line:
HTTPS? Important.
HTTP for images? Not a serious issue to blare alarms.
Having to make exceptions for the fallback? Worth looking into but that's why it's called a fallback.

Thank you Renae for your opinion.

If you believe that the SL Marketplace should continue to use HTTP instead of HTTPS then we have nothing to discuss.

Millions of people use that website every day to sell and buy their digital products.

I guess we are waiting for people to start complaining about how their accounts are hacked and money gone, and then to "blare alarms".

I can see that you are an advanced user, and therefore I am surprised even more.

Hopefully, responsible people will understand that they have to upgrade the SL Marketplace

to be in compliance with the latest security standards.


4 hours ago, Dean Claremont said:

Thank you Renae for your opinion.

If you believe that the SL Marketplace should continue to use HTTP instead of HTTPS then we have nothing to discuss.

Millions of people use that website every day to sell and buy their digital products.

I guess we are waiting for people to start complaining about how their accounts are hacked and money gone, and then to "blare alarms".

I can see that you are an advanced user, and therefore I am surprised even more.

Hopefully, responsible people will understand that they have to upgrade the SL Marketplace

to be in compliance with the latest security standards.

I would argue that you missed my point entirely. An image being served over HTTP poses nearly no security risk. The worst someone could do is see said image via MitM. Falling back to HTTP when configuration fails to serve HTTPS is perfectly acceptable. It's not acceptable when done while transmitting credentials (hint: serving images doesn't fall under this). If you're implying that the login screen is falling back to HTTP that's a different story, but not the one you're trying to tell.

No one is going to get "hacked" for being served an image over HTTP. It's simply not the way it works, and trying to claim it is falls under fear mongering.

 

Though I am curious if you're still experiencing the issue.


As expected, everything goes under the carpet.

I guess you are somehow connected to Linden Lab and are just trying to make it sound less harmful

so people don't make a big deal out of it.

I will report this problem where it should be reported, since here people are just bored

and giving random opinions.


Ah yes, because you do not like the responses or the reality, at least one person who dares to disagree with you must be connected to Linden Lab (or "bored").

It cannot possibly be because *gasp!* you're quite wrong and pushing security theater for the sake of it.
