Comments on: Linden Lab asks: Is your password secure? I ask: Do you support OpenID? http://mrtopf.de/blog/data-portability/linden-lab-asks-is-your-password-secure-i-ask-do-you-support-openid/ Geschreibsel von Christian Scholz Mon, 23 Jan 2012 08:52:26 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Christian Scholz http://mrtopf.de/blog/data-portability/linden-lab-asks-is-your-password-secure-i-ask-do-you-support-openid/#comment-1140 Christian Scholz Thu, 22 Jan 2009 13:04:19 +0000 http://mrtopf.de/blog/?p=1077#comment-1140 Actually, when thinking about it: If Linden Lab wants people to use stronger passwords at least why not putting a password checker in place and deny easy ones? Oh, I know why, nobody would signup anymore ;-) Do they at least have those tips listed on their signup page? Haven't visited that in a while. Actually, when thinking about it: If Linden Lab wants people to use stronger passwords at least why not putting a password checker in place and deny easy ones? Oh, I know why, nobody would signup anymore ;-) Do they at least have those tips listed on their signup page? Haven't visited that in a while.

]]> By: Ichi Merit http://mrtopf.de/blog/data-portability/linden-lab-asks-is-your-password-secure-i-ask-do-you-support-openid/#comment-1139 Ichi Merit Wed, 21 Jan 2009 10:24:07 +0000 http://mrtopf.de/blog/?p=1077#comment-1139 With all the focus on money and trading, why are we not using more secure means for logging in like Security keys (fobs) like paypal uses? Those of us that have large amount of money or assets (land, stores, intellectual property) would prefer the added security!! <a href="https://www.paypal.com/cgi-bin/webscr?cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside" rel="nofollow">https://www.paypal.com/cgi-bin/webscr?cmd=xpt/Mar...</a> With all the focus on money and trading, why are we not using more secure means for logging in like Security keys (fobs) like paypal uses? Those of us that have large amount of money or assets (land, stores, intellectual property) would prefer the added security!!
https://www.paypal.com/cgi-bin/webscr?cmd=xpt/Mar…

]]> By: Christian Scholz http://mrtopf.de/blog/data-portability/linden-lab-asks-is-your-password-secure-i-ask-do-you-support-openid/#comment-1138 Christian Scholz Sat, 17 Jan 2009 19:24:35 +0000 http://mrtopf.de/blog/?p=1077#comment-1138 They don't embrace them because there are supposed to be problems with it. Problems though I never really understood maybe because they haven't been explained in detail. But even if there are problems with that, the OpenID and OAuth communities are all public and open and OAuth is even a community driven specification. There is nothing stopping Linden Lab to engage with these communities to address eventual shortcomings. Moreover there is twice a year an Internet Identity Workshop in Mountain View which should be possible for Linden Lab to attend, be it for listening or for finding solutions. As you say, reinventing everything (and OGP for instance is reinventing really everything and thus just creating just a bigger walled garden instead of opening the whole thing up to the web) is not the solution and will let Second Life stay on it's island. The MD5 thing is good to hear but as sad as it sounds, experience shows that "as quickly as possible" from Linden Lab means not much. The new LSL function might be a sign that it's different this time but then again adding this to LSL should be easy, adding this to your whole infrastructure is certainly not. (and too bad I missed the talk about MD5 and the malicious CA when being at the 25C3 in Berlin). They don't embrace them because there are supposed to be problems with it. Problems though I never really understood maybe because they haven't been explained in detail. But even if there are problems with that, the OpenID and OAuth communities are all public and open and OAuth is even a community driven specification. There is nothing stopping Linden Lab to engage with these communities to address eventual shortcomings. Moreover there is twice a year an Internet Identity Workshop in Mountain View which should be possible for Linden Lab to attend, be it for listening or for finding solutions.

As you say, reinventing everything (and OGP for instance is reinventing really everything and thus just creating just a bigger walled garden instead of opening the whole thing up to the web) is not the solution and will let Second Life stay on it's island.

The MD5 thing is good to hear but as sad as it sounds, experience shows that "as quickly as possible" from Linden Lab means not much. The new LSL function might be a sign that it's different this time but then again adding this to LSL should be easy, adding this to your whole infrastructure is certainly not.

(and too bad I missed the talk about MD5 and the malicious CA when being at the 25C3 in Berlin).

]]> By: Gwyneth Llewelyn http://mrtopf.de/blog/data-portability/linden-lab-asks-is-your-password-secure-i-ask-do-you-support-openid/#comment-1137 Gwyneth Llewelyn Sat, 17 Jan 2009 19:06:42 +0000 http://mrtopf.de/blog/?p=1077#comment-1137 Ah well. OpenID, like XMPP, are those kinds of things that it's impossible to understand why LL doesn't fully embrace them. Yes, sure, there are security problems — there are <i>always</i> security problems on <i>any</i> technology — but really, reinventing the wheel is <i>so</i> 1990s... As for MD5, Zero and Infinity Linden sort of discussed it on a recent Office Hours meeting: they'll be moving on to SHA1 (or possibly even SHA256) "as quickly as possible". You might have noticed that there is a new LSL function with this new 1.25 server release :) Ah well. OpenID, like XMPP, are those kinds of things that it's impossible to understand why LL doesn't fully embrace them. Yes, sure, there are security problems — there are always security problems on any technology — but really, reinventing the wheel is so 1990s…

As for MD5, Zero and Infinity Linden sort of discussed it on a recent Office Hours meeting: they'll be moving on to SHA1 (or possibly even SHA256) "as quickly as possible". You might have noticed that there is a new LSL function with this new 1.25 server release :)

]]>