Should Second Life Teleport Links Be Secured HTTPS vs Currently HTTP

[Paulsian]

I've noticed something concerning with the second life teleport system to the point where I don't feel secure using it.

Wondering why when copying any location's url (from the second life map) and pasting it into the chat box it does not show the unsecure link but instead makes an innocent looking hyperlink with the second life logo giving the sense of security, however, when urls are pasted into this forum or anywhere else it displays as an unsecured link.

Some google info: Plain HTTP is vulnerable to everything. HTTPS is cheap. Practical risks include: you are vulnerable to eavesdropping, DNS hijacking, and BGP attacks. Also, if you're unlucky/not careful, cryptographic keys and other secrets in the URL or query parameters may be recorded in logs or possibly even leaked to third parties.

If securing the inworld teleport system is doable, maybe they will consider also updating all the links in the forums, knowledge base (see jira), and anything else associated with Linden Lab/Second Life. 

 

 

[Rowan Amore]

[Silent Mistwalker]

 

But.... it's not Friday yet.

[Ardy Lay]

https

4 hours ago, Paulsian said:

I've noticed something concerning with the second life teleport system to the point where I don't feel secure using it.

Wondering why when copying any location's url (from the second life map) and pasting it into the chat box it does not show the unsecure link but instead makes an innocent looking hyperlink with the second life logo giving the sense of security, however, when urls are pasted into this forum or anywhere else it displays as an unsecured link.

Some google info: Plain HTTP is vulnerable to everything. HTTPS is cheap. Practical risks include: you are vulnerable to eavesdropping, DNS hijacking, and BGP attacks. Also, if you're unlucky/not careful, cryptographic keys and other secrets in the URL or query parameters may be recorded in logs or possibly even leaked to third parties.

If securing the inworld teleport system is doable, maybe they will consider also updating all the links in the forums, knowledge base (see jira), and anything else associated with Linden Lab/Second Life. 

 

 

HTTPS for SLURLs should probably be used.  HTTPS can deter "eavesdropping", but no, HTTPS does NOT protect you from DNS hijacking nor can it prevent BGP attacks.  Beware Google-mania.  Google DNS is probably one of the largest information super-collectors there is.

Two weeks ago I was responding to a business information leak inquiry when I noticed the source of the leak was the Operations Director using Google Chrome.  That browser was using 8.8.8.8 as a resolver even though the operating system was set to use one of our own resolvers.  The inquiry had been triggered because this person was seeing advertisements about sites he was reading earlier in the day.  Dude.  GOOGLE CHROME does that.  Told you not to use it.  Don't panic.  Google does that to everybody and damn near all of them defend Google's behavior.  Don't wanna see those ads?  Don't visit those sites!  Or, use a different browser, preferably one that does not violate your privacy protection preferences, and good luck.

So, here is a question for the peanut gallery:  Does the Second Life Viewer ever execute the HTTP part of a SLURL?  If so, under what conditions?

I find that the embedded browser does.  No, that's not the location field near the top of the Second Life UI, just under the menus.  Open the browser with

[Control] [Alt] [Shift] [Z]

then paste your SLURL where you see https://duckduckgo.com in this clip:

When I do this with SLURLs, I see the browser and site both appear to handle HTTP and HTTPS.

Good idea, really.  I think you should file a feature request.  The SLURLs with HTTPS at the front do indeed seem to be working in the Second Life Viewer when I paste them into local chat so the hard part appears to already be done.

 

Edited January 5, 2022 by Ardy Lay
correcting typing errors

[Arduenn Schwartzman]

Better not click this link.

http://www.infobyip.com/

They'll know where your house lives.

[Aiyumei]

You can easily intercept https requests too with the right network tracking tool. All you need is web filtration by some sort of unique identifier or IP address and the magic happens! 

If you want to be secure use browser that offers that security or use a VPN.

[Lyssa Greymoon]

15 hours ago, Paulsian said:

Wondering why when copying any location's url (from the second life map) and pasting it into the chat box it does not show the unsecure link but instead makes an innocent looking hyperlink with the second life logo giving the sense of security, however, when urls are pasted into this forum or anywhere else it displays as an unsecured link.

Are you sure it's actually using http instead of https? When you copy & paste a link, it shows http:// but if you click it, you're taken to an https:// address.

[Silent Mistwalker]

5 hours ago, Arduenn Schwartzman said:

Better not click this link.

http://www.infobyip.com/

They'll know where your house lives.

 

It's not accurate.  I don't live in the middle of protected marshland way south of the town I do live in.

[Paulsian]

16 hours ago, Ardy Lay said:

then paste your SLURL where you see https://duckduckgo.com in this clip:

Someone once said if you are not paying for a product, you are the product. I stopped installing 3rd party internet browsers going on 2 years. I do slip up and use google search cause of muscle memory, but finding the official internet browser for windows is decent. I'm starting to like bing a lot better than google. cleaner less crap. 

4 hours ago, Lyssa Greymoon said:

Are you sure it's actually using http instead of https? When you copy & paste a link, it shows http:// but if you click it, you're taken to an https:// address.

I wish I could help more with troubleshooting why things are setup the way they are? No idea. I connect dots and when I start to see people having problems teleporting, the dots start connecting. 

8 hours ago, Arduenn Schwartzman said:

Better not click this link.

http://www.infobyip.com/

They'll know where your house lives.

Perhaps an internal way of letting users know when links on forum or in world and everywhere else links are located are not secure might help secure things up as much as technologically possible. I don't like hearing law enforcement describe second life as being the dark web. 

[Rowan Amore]

30 minutes ago, Paulsian said:

I don't like hearing law enforcement describe second life as being the dark web. 

[Paulsian]

[Ardy Lay]

As far as I am concerned, OP just removed himself from the gene pool.

So long and have fun with that line of reasoning.  It's fun, but wrong.

[Sid Nagy]

13 hours ago, Arduenn Schwartzman said:

Better not click this link.

http://www.infobyip.com/

They'll know where your house lives.

They are getting closer every year.
Now they think that I live in that town where you used to live when you lived in my home province.

Edited January 5, 2022 by Sid Nagy

[Arduenn Schwartzman]

2 minutes ago, Sid Nagy said:

They are getting closer every year.

Meppel is still 260 km off from where I live (in a country that's only 320 km across).

[Rowan Amore]

[Paulsian]

 

[Bree Giffen]

I'd like to see some concrete examples of how using http links in SL is dangerous.

Is this how someone keeps getting followed even after they teleport to different region? Are chat messages unsecure and readable because of this?

[Wulfie Reanimator]

44 minutes ago, Bree Giffen said:

I'd like to see some concrete examples of how using http links in SL is dangerous.

Is this how someone keeps getting followed even after they teleport to different region? Are chat messages unsecure and readable because of this?

No and no.

The attacker must have some kind of access to your network or a physical device. That means either public WiFi, malware in the computer you're logged in on, or a physical network device where your requests/messages will pass through.

Random people on the internet aren't going to be listening in on your network activity, secured or not, unless you do something that enables them to do so. Things like connecting to the attacker's network, having them connect to your network, or giving them your IP (depending on your setup, there are different ways to go from there).

Edited January 5, 2022 by Wulfie Reanimator

[Chaser Zaks]

The funny thing is, there isn't even a request made to the webpage when a map URL is pasted in the chat or similar.

When the viewer sees something like http://maps.secondlife.com/secondlife/quiddity/128/128/23, it really sees secondlife://quiddity/128/128/23. (Not exactly how it works, internally it is a bit different is the same but the idea is the same and is the best way to explain it simply). It doesn't make a request to the url, nor does it try to resolve the domain. It is purely cosmetic.

However, when requests to that page are made, such as opening it in a web browser rather than the viewer, it is automatically upgraded to https. There are no login cookies stored on the http variant, so no worries about people stealing those.

While it is possible for someone to rewrite the DNS info, any upgrades to https would create an error.

Besides, for people to eavesdrop on your connection or rewrite http requests or DNS queries, malware would have to already be on your network. Hackers are not some wizards who can say "SHOW ME WHAT IS BEING REQUESTED BY THIS IP!" and get all requests forwarded to them just by asking the ISP's routing servers. Malware needs to be on either your PC or another PC on your network(only if pernicious mode is enabled, which typically it isn't).

Simply put: If people are eavesdropping your SLURLs, you have much bigger things to worry about.

Edited January 5, 2022 by Chaser Zaks

[Ardy Lay]

1 hour ago, Chaser Zaks said:

pernicious

Huh?  Do you mean promiscuous mode?  This just tells the local computer's network interface to allow all frames inbound instead of discarding those not addressed to "this" computer, network-broadcast or a multicast group "this" computer is subscribed to.  Chaser knows this is an open gate, not a vacuum pump.

Edited January 6, 2022 by Ardy Lay

[Ansariel Hiller]

22 hours ago, Aiyumei said:

If you want to be secure use browser that offers that security or use a VPN.

I didn't know you could establish VPN connections to LL's network - or are you talking about these "super secure" VPNs offered by companies like NordVPN that try to fool people claiming their data would be magically secure just because you connect to their network? The only thing those VPNs are good for is somewhat masquerading your IP address to circumvent geolocks - websites however will still be able to identify you due to a number of other ways.

[mygoditsfullofstars]

``

 

 

Edited January 6, 2022 by mygoditsfullofstars

[mygoditsfullofstars]

On 1/5/2022 at 9:12 AM, Paulsian said:

Some google info: Plain HTTP is vulnerable to everything. HTTPS is cheap. Practical risks include: you are vulnerable to eavesdropping, DNS hijacking, and BGP attacks.

This is a great example of how google can help spread FUD and information that is just plain wrong. HTTP has no relevance to routing protocols like BGP. For info on what BGP actually is https://www.techtarget.com/searchnetworking/definition/BGP-Border-Gateway-Protocol

As for DNS hijacking, more FUD, no relevance to the HTTP protocol. DNS could in theory be hijacked if something were to happen to the hosts file on your PC or something were to change your PC's network configuration to use a set of rogue nameservers. I fail to see the relevance to the HTTP protocol.

People have made far too big a deal out of HTTPS in recent years and created all sorts of FUD around it.

My 2 cents worth.

[TheDarkhand]

I noticed you do not feel very safe in SL from a few of your post, concerns of people knowing what your camming, hacker teleports, I would say SL must not be for you. I been here 15 years, my identity, banking, PayPal or IP have never been stolen or any of that. 

Edited January 6, 2022 by TheDarkhand

[LittleMe Jewell]

At this point, I'd suggest a full body wrap