[sldev] [Upcoming Changes] Website Viewer Authentication

Anders Arnholm Anders at Arnholm.se
Sat Sep 29 02:22:57 PDT 2007


> I'm rather torn on this idea. On one hand, I understand the decision of 
> making the authentication be separate from the viewer, so that a third 
> party viewer can't report the passwords to its master.

No, I can't, for the attacker not having to attach the viewer and fool
the user into getting that download would make the password attack so
much easier. For me the website is the weakest point; for the website
we already have no-download-needed attacks on the user name and
password. It's easy to make that attack using a remote website with a
slightly different URI. If I can change my target's SL viewer, then I can
change my target's web browser. I can also install my keylogger directly.
My professional security opinion is that keeping the possibility to
log in to your account out of the website would be the sensible way to
go.

To raise the security level, think about looking at how Kerberos handles
login tokens. It's "quite" easy to kerberize the viewer. You can't
secure the client's computer; that has to be done by the client.
Malware SL viewer or malware keylogger, if that can come into the
client's computer you are fucked. You can't protect them.
