Optional Region Security - Viewer Validation by Simulator
Otoa Kiyori
I want to suggest a feature idea to help counter copy-bots and bot-based griefers in private regions. This feature would let region owners optionally enable more security for their regions. The idea is for regions to validate viewers with special keys.
Proposal Details:
- Region owners can turn this feature on or off
- If turned on:
* LL and official TPV viewers would connect to regions using a private key for validation
* The simulator would check the connection with public keys and decide if the viewer can connect. Validation happens entirely on the simulator side, and viewers would send encrypted requests with private keys if the region has this feature turned on
* To handle viewer/simulator updates or key refreshes, the system could support multiple keys (old and new)
* The "officialness" through key can be controlled by Linden Lab through key management with each TPV project
Benefits:
- Regions with this option turned on would block viewers that don’t have valid keys. This could stop unauthorized viewers from stealing content or trolling other residents and region owners
- Residents using official viewers wouldn’t notice any difference. They’d connect to the region just like always through LL and Official TPV viewers
- Project viewers or new TPVs without keys could still connect to regions that don’t use this feature like right now
- Residents and region owners would have fewer concerns about trolls and content theft. Linden Lab will have to deal with fewer AR cases
- This does not leave a trace of connections except on the simulator, so a 3rd party would not know which viewer was used to connect to the region (rejected viewers would not be in the region)
Key Management:
- Linden Lab would issue unique key pairs (private and public), and give the private key for each LL and TPV viewer
- TPV teams would be responsible for keeping their private keys secure. These keys should be kept secure to prevent leaks or misuse
- Linden Lab would revoke keys if they are leaked or misused
- Linden Lab would provide a way for TPV teams to request new keys if they are lost or compromised
Why This Matters:
I had a chance to meet a region owner who has been dealing with massive griefing and suspected content theft. They have a large community in their region, and visitors are systematically trolled, and their unique content seems to be stolen. This idea came to me as a way to give region owners more control while still keeping things simple for users
Gimme Morehead
I really don’t think this is an issue nowadays
Otoa Kiyori
I am realizing this is almost a duplicate of this, except it is an option of a region. I forgot that I already voted too.
Of course it is already being discussed...
Otoa Kiyori
I think I wrote too long and some points were probably missed (probably skipped my supplement parts 1 and 2 in the comments?) so... let me supply this summarized version:
This feature is entirely optional and gives region owners the choice to push back against unverified viewers. It’s not about 100% security but about adding another layer of control for those who need it. Just like locks on doors, it raises the barrier for unauthorized access without claiming to be perfect
Orion Greymoon
While there are implementation specifics that need to be worked out, I'm in support of this suggested functionality.
This is not mandated to implement on every region in SL but is available for those region owners that would like to leverage it.
Key management is a well-honed SE/Security practice that's been in place for years, including automated key rotation, and requires no manual intervention. It's likely that LL already has some infrastructure in place internally to this end and may be able to re-purpose / extend it, without having to implement a new security layer.
Attaching key management to an open sourced view can be done via the packaging into the installer, which is outside the scope of open source code. One could see integrations with keys within this source code but the keys themselves are abstracted out. If someone wants to leverage open sourced viewers, grab a key set from LL and off you go. Not difficult.
For those of us that aren't content creators, or perhaps a small content shop, this may not be an issue. But for content creators who are successful, whose products are widely known, appreciated and in demand, they may have a use case or two for this functionality.
This applies to content that is exfiltrated to both OpenSim grids as well potentially back into SL in a slightly different form.
Darien Caldwell
Many people, like me, build their own viewer for convenience and security reasons and having them blocked for paranoid reasons is kind of sad tbh.
Otoa Kiyori
Would you mind explaining how this paranoia setting would cripple your convenience and your security?
Jessica Hultcrantz
worthless suggestion
Just another layer of security by obscurity that falsely implies no bad viewer can exist.
Anyone working with security knows this can be bypassed and will open a new can of worms, giving LL an even bigger workload to govern viewers than today.
As stated, it impacts open source philosophy negatively, and it will only disguise bad viewers even more.
If anything, improve server side permission enforcement instead.
Downvote!
Otoa Kiyori
Jessica Hultcrantz Does my request sound like bad viewers do not exist? A bad viewer does; I was aiming to show that they do. My English is pretty bad.
So, on the open source side, any viewer can connect to any regions that do not have this option turned on. I just want to give region owners an option to only allow official viewers (including official TPV) so custom viewers like copybots cannot even connect. So this is meant to enforce the server side connect permission.
Jessica Hultcrantz
Otoa Kiyori Bad viewers exist, we all know. The lab does too and has several times struck down on them to save us.
My point is that it is way too easy to circumvent your suggestion, alas it creates a false security feeling, while making it harder for the lab to trace it (Is it the viewer the key says, or the viewer the identification says, or another viewer spoofing itself as something else?) and TPV makers to collaborate and create viewers for us. Unnecessary burden!
Today anyone can pull the source code and compile the viewer themselves. Anyone! You and me too. (I actually once compiled Marine's viewer for Linux users for some years so I know viewer code, but I'm not a C programmer mind you.) All you have to do is to change one identification string to comply.
Now think again, how will your suggestion ever be secure? Keys will be shared, keys will be accessible in the open, or do you plan for the lab to demand developer accounts to hand out keys and code to?
The official viewers sources are publicly available in an open repository.
So... You will have keys floating around no matter what, and your suggestion will effectively kill the open source workflow (which is what keeps most viewers alive and working), so we will likely face more security issues in viewers thanks to your suggestion in the long run, as developers will have more issues keeping their code up to date thanks to an increased burden of unnecessarily complicated workflow.
We can forget quick beta releases for testing, developers might give up or share keys high and low to be able to do test compilations.
Please go back, and think again. This is never going to be secure from a programming standpoint, it's a pure desktop middle management idea you have.
Good intention, impossible to realise securely.
Otoa Kiyori
Jessica Hultcrantz
> Now think again, how will your suggestion ever be secure? Keys will be shared
So... I was thinking that keys are NOT to be shared publicly... they would be carefully managed by TPV persons as secure secret data, and those keys would ONLY be used during the TPV release builds... NO ONE else should be able to use those keys unless Linden Lab gives them... just like passwords, and certificates.
and if someone stole those keys and was able to use them to build their custom viewers, the other key in the pair controlled by Linden Lab would be revoked, the stolen keys would become useless, and viewers using invalid keys would not be able to enter the protected private regions
It is a way to identify "Linden approved" viewers not just by the Wiki page saying so, but by the simulators
By the way, I never feel very secure out there outside of my region. I have seen media prims trying to load malware web pages in mainland regions, music played on HTTP servers from unknown IP addresses from random countries... 😵💫 So even if something like this was implemented somehow, I would not have that sense of security...
I really want to know... Do you have any alternative suggestions to improve the situation?
Chaser Zaks
This won't stop copybotters, you can easily copybot by sniffing the protocol.
If you somehow encrypted the protocol, you would still be able to get data out of the graphics APIs provided by the operating system.
Jessica Hultcrantz
And freely available keys in any viewer code repository with public access!
Otoa Kiyori
Chaser Zaks No it won't. Just like hacking vs security, it is a never ending stupidity... but I was hoping this would slow the evil people down until they figure out how to bypass it. And when that happens we have to figure something more out... Right now regions are completely open to copybots and trollbots and region owners have nothing to defend themselves
Otoa Kiyori
Jessica Hultcrantz So... I wasn't clear about this... in my proposal, the Key pairs created by LL would not be in any of the public repos. As keys get refreshed periodically (how frequently is up to LL to decide), LL would issue new different pairs for each TPV project, and the viewer side keys would be given to them. Each key is unique for the refresh period and TPV, so if a key is stolen by unofficial viewer projects and used, LL can easily revoke it on the grid side, preventing them from connecting to restricted regions (but they can still connect to unrestricted normal regions)
This will encourage TPV projects to do good key management and also give copybots and trollbots a harder time stealing the keys. Am I making sense? 😅
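The validation flow described in the proposal and in the comment above (per-TPV key pairs, simulator-side public keys, old and new keys accepted during a refresh, grid-side revocation of a leaked key, unrestricted regions unaffected), written up as an added Go example. This is not Linden Lab, simulator or viewer code; the Ed25519 challenge-response, the key id format and the sample key ids are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Simulator-side model of the proposed scheme: one Ed25519 key pair per TPV
// project and refresh period. The viewer signs a per-connection challenge with
// its private key; the simulator holds only public keys and revokes leaks.
type KeyRing struct {
	pubs    map[string]ed25519.PublicKey // key id -> public key
	revoked map[string]bool
}

func NewKeyRing() *KeyRing {
	return &KeyRing{pubs: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

// Issue mints a key pair for one TPV release period; only the private half
// goes to that TPV's release engineers. Old and new periods coexist in the ring.
func (r *KeyRing) Issue(keyID string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	r.pubs[keyID] = pub
	return priv
}

// Revoke invalidates a leaked or retired key grid-wide.
func (r *KeyRing) Revoke(keyID string) { r.revoked[keyID] = true }

// ViewerSign is what a keyed viewer build does with the region's challenge.
func ViewerSign(priv ed25519.PrivateKey, keyID string, challenge []byte) []byte {
	return ed25519.Sign(priv, []byte(keyID+"|"+string(challenge)))
}

// Admit: regions with the option off admit everyone, as today; protected
// regions need a known, unrevoked key and a valid signature over the challenge.
func (r *KeyRing) Admit(protected bool, keyID string, challenge, sig []byte) bool {
	if !protected {
		return true
	}
	pub, ok := r.pubs[keyID]
	if !ok || r.revoked[keyID] {
		return false
	}
	return ed25519.Verify(pub, []byte(keyID+"|"+string(challenge)), sig)
}
```

The challenge is assumed to be a fresh random nonce issued by the region for each connection, so a captured signature is useless against another region or a later session.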
Otoa Kiyori
Chaser Zaks Yea, once the viewer is connected to the region they can get asset UUIDs and then would be able to decode the asset data and do whatever they want with the data. The goal is to not let them connect to protected regions. I see that if they can get the UUID of a uniquely rezzed object in restricted regions, if they do packet sniffing they might be able to get it, so on the copybotting side, it will not prevent it, it will just make it harder for casual troll people.
Also it will not allow bot-based region entry attacks because they won't be able to enter the protected regions
Jessica Hultcrantz
Otoa Kiyori How are you thinking the delivery of key pairs will be managed securely without the wrong hands getting their hands on the keys?
What about people who today self-compile viewers for system-specific dependencies? Are you going to exclude them from free access?
BTW. Since a lot of content in SL is served through CDN you have another issue to worry about right there, which might be a bigger issue than your walled garden approach.
The backbone of SL isn't as hypersecure as you might think. And gosh, the internet is involved!
Otoa Kiyori
Jessica Hultcrantz
> How are you thinking the delivery of key pairs
I was thinking LL would send the key to TPV projects through secure sharing services. Designated persons in the TPV project would manage the keys carefully and only use them for their official release builds. It's like server certificates of critical systems in workplaces
> What about people who today self-compile viewers
The self-compilers can enter the regions without this option turned on like right now, or they need to obtain the TPV keys for their viewers from Linden Lab
Any viewers without keys won't be able to enter those regions. It is to give some choice to the region owners who pay real money because griefers are abusing the openness.
> Since a lot of content in SL is served through CDN you have another issue to worry about right there
The CDN level or packet sniffing level content thefts are not what I was trying to solve with this suggestion... Although this should limit methods to the thieves
Do you have any other good ideas to slow them down or even stop them?
Jessica Hultcrantz
Otoa Kiyori How would you make sure that no one acts as a middle man for getting keys to a rogue viewer, and do you really expect every member of TPV development to be able to manage keys securely?
You are blatantly denying the need for developers to run test viewers in live environment as you put your idea. Come on, development of software does not work like you envision it.
What the lab will get to work with if this vision of yours goes through is angry users who have no idea why they can not TP somewhere and see that as a fault in LL's infrastructure, and if the key management should be even remotely secure you need verified identities of involved parties. That has been tried and failed repeatedly during SL's history. I think you are too young to remember the Aristotle failure when the Adult segregation happened in 2009. And today even TPV managers enjoy relaxed demands on that due to several RL laws prohibiting such use of PII, and a changed workflow as LL moved to GitHub with their code.
As for packet sniffing etc... As long as the internet looks like it does it is going to happen. It is standardised protocols, no fancy encryption.
It has been said before, Clifford Stoll mentioned it in the book "The Cuckoo's Egg"... The only way to be 100% secure against hackers and data theft is physical isolation. No cables, no modems, no connections.
Kind of impossible in a shared world. (And floppy disks are so obsolete.)
For the record. I am not defending theft or griefing, I look at your idea from a technical point of view, network protocols and software development, where the human factor also plays a non-negligible role.
Things are not built the way you imagine, it won't work. It just won't.
It is a dead end. Nice idea but only as a report on a desk at a multimillion company, not in an open source production environment.
OK I have said too much now, good luck, peace. I'm outta here.....
Otoa Kiyori
I could not fit this in the description so... I am adding them as a comment
Potential Issues and Concerns (part 1)
- Potential for Key Mismanagement: While key leaks could momentarily reduce security, this would still leave the system no worse than the current situation. The benefits of added protection for private regions outweigh this concern, as TPV teams are accustomed to handling sensitive data
- Administrative Overhead for Linden Lab: Managing keys adds some burden, but this overhead is limited to issuing, revoking, and refreshing keys for a small number of official viewers and TPVs. The benefits of giving region owners an optional tool to combat theft and trolling make the tradeoff reasonable
- Impact on TPV Developers: Smaller TPVs might face challenges with private key security, but this proposal doesn’t exclude them—regions with this feature disabled would still allow such TPVs. Additionally, TPVs could request new keys if lost, reducing the long-term impact
- Limited Effectiveness Against Advanced Attacks: Skilled attackers might bypass the system, but it significantly raises the barrier for unauthorized viewers. As it’s an optional feature, region owners gain extra control without guaranteeing absolute security. The proposal still represents an improvement over the current state
(continues)
Otoa Kiyori
Potential Issues and Concerns (part 2):
- User Experience Risks: Users typically rely on LL or official TPVs, which would have validated keys. Temporary compatibility issues during rollout could be mitigated by clear communication from Linden Lab. For regions that don’t use the feature, nothing changes. The benefit of stopping unauthorized viewers outweighs minor rollout risks
- Griefing and Theft Beyond Viewers: This proposal doesn’t aim to address all forms of griefing or theft but specifically targets unauthorized viewers. The benefit is a focused improvement to a specific problem, not a comprehensive solution
- Impact on Open Source Philosophy: While private key validation adds a layer of control, this still allows TPVs to continue innovating and maintaining transparency. Open-source TPVs that meet security requirements would still operate freely. The benefit of preventing unauthorized viewers from entering sensitive regions outweighs this concern
- False Sense of Security: Education and communication could address this concern. Linden Lab and region owners can emphasize that this is an additional layer of security, not a complete solution. It is also optional for region owners. The potential for significant improvement in preventing unauthorized access outweighs this concern