Secondlife.com a security risk?

[Keli Kyrie]

Why are the Second Life community web sites considered a security risk by firewalls and ie? Try using any network and explorer with heightened security you will find that Second Life Community Sites are broken. I am not talking about the Viewer but the Forums/Blogs/Wiki. So far I have found 6 sites that have to be unlocked for this sites to work right.

amazonaws.com lindenlab.com secondlife.i.lithium.com community.secondlife.com secondlife.com wiki.secondlife.com The last three are treated as security risk. I can't really navigate without unblocking them all. Just when I think I know them all I find another that needs to be unblocked. Agggg!

The worst part is when you are somewhere that allows Blogs and Forums but you can't get there because the website are treated as a unsercure website.

Here is a post from another person with the same problem http://community.secondlife.com/t5/General-Discussion-Forum/What-domain-does-LL-use/m-p/1113917#M27778

[Freya Mokusei]

Some firewalls hate cross-site-scripts. Like how the forums are HOSTED on secondlife.com, with the interface and most of the back-end on Lithium.com

Plus, LL have never been good at keeping their Security Certificates up to date. I think my.secondlife.com shows as expired right now, but I don't check them often.

Life's too short

[Storm Clarence]

This may sound onerous, but I would use another browser.  I don't think this issue is your firewall.  I don't know how doable it is for you to download firefox to demonstate that the sites are secure and you can access, but this is how I would approach/attack this issue.  

[Deej Kasshiki]

Firefox never flags the LL websites as being a problem but, does give notices of true threats on my systems. I'd echo Storm's recommendation; try Firefox. I think what's broken here is Microsoft's browser.

[Chelsea Malibu]

She did mention she set her security settings to high though.  This is really intended for VPM and Intranet attached devices and not for the public internet.

[Freya Mokusei]

Most of my warnings occur from Android's native browser, which is Chrome-based.

But I agree, getting notified about the warnings is a browser issue. I don't think expired certificates is likely to be too much of a risk.

[Venus Petrov]

I agree with the recommendation re: Mozilla's Firefox.  I have never had issues with blocked LL-related SL websites.

[Void Singer]

while I agree that Firefox does a much saner job of warning against threats (as should any browse that doesn't offer a window directly into the OS :: cough :: ) the problem would seem to be the excessive mess of cross hosted content, and IIRC high settings on IE by default block mismatched and expired certificates (the former can be used for phishing attempts, the latter usually only matter when someone buys up a domain that's been abandoned such as during a corporate name change).

both certificate problems should be curable by tweaking the setting to "ask" rather than "block". I can't remember if the crosshosting problem can be similarly solved, but it would be in the scripts section if so. Doing any of these things changes the setting from "high" to "custom"

[Keli Kyrie]

It does not matter what browser I use it still gets blocked because secondlife.com uses the http protocol and not the https. Half the websites SL is using are http and the other half are https. By the vary definition of https it is more secure and the fact the secondlife.com does not use it is causing it to be blocked by some services.

 

 

[Venus Petrov]

That would mean that nearly all websites you want to access would be blocked.  Most use http and not https.

[Void Singer]

yeah if you are blocking anything NOT using a secure address, you've basically turned off the internet for doing anything but direct manipulation of your secure accounts....

[Keli Kyrie]

Void and Venus you are right it must be something else then because msn and goggle don't use https and they are not blocked.

[Ishtara Rothschild]

---

Keli Kyrie wrote:

Void and Venus you are right it must be something else then because msn and goggle don't use https and they are not blocked.

---

I think it is mixed https and http content on the same website that causes this. For example, a https site that contains images that are linked from http sites. In IE, this can be solved by setting "Display Mixed Content" (about halfway down the Security Settings list) to "Enable".