Poodle vulnerability: Lab issue viewer browser notice

On Wednesday, October 15th, and as a result of the Padding Oracle On Downgraded Legacy Encryption (Poodle) vulnerability reported by Google, the Lab issued a Grid Status update warning that those who use the viewer’s built-in browser may not be able to access certain websites.

The update from the Lab reads in part:

[Posted 12:15 PM PDT, 15 October 2014] Residents may be unable to open certain websites using the viewer’s internal browser. This is due to a security related change made by many web sites in response to a vulnerability announced today by Google. This issue will affect Media-on-a-Prim for those sites, and will block initial setup of some SLShare accounts.

You may be able to access those sites by setting your viewer to use an external browser: go to Me/Preferences/Setup and check “Use my browser (Chrome, Firefox, IE) for all links.”

We are aware of the issue and working on a fix.

Unlike recent security vulnerabilities such as Heartbleed, Poodle targets the client end of things. It does so by exploiting a flaw in the design of the SSL 3.0 protocol which, despite being 18 years old, is still used as a fallback security protocol within most browsers, including Chrome, Firefox and Internet Explorer. However, there are a couple of caveats to its effectiveness: for the attack to work, the attacker must be on the same wireless network as you (or otherwise in the path of your communications), and your client must be running JavaScript.

Essentially, what happens is that the attacker causes a series of connection failures between the browser and the website, which in turn trigger what is called a “downgrade dance”, in which the browser eventually falls back to using the SSL 3.0 protocol to maintain communications. The attacker then uses the vulnerability within SSL 3.0 to extract sensitive data.

Because of its nature, and the fact that certain requirements must be met (as noted above) in order for it to work, Poodle is regarded as less far-reaching than something like Heartbleed. However, it has prompted Google to issue an advisory that websites disable SSL 3.0 support, or that tools supporting TLS_FALLBACK_SCSV (Transport Layer Security Signalling Cipher Suite Value) be used, which prevent “downgrade dance” attacks on services that could otherwise trigger the vulnerability. Google has also stated it plans to scrub SSL 3.0 support from its Chrome browser, and Mozilla is going to do the same with Firefox.
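The downgrade dance and the TLS_FALLBACK_SCSV fix described above, as an added Python simulation (not code from the original post or from Linden Lab): a server that honours the SCSV refuses a fallback retry it knows is unnecessary, while disabling SSL 3.0 removes the weak endpoint entirely. The Server and connect names and the three scenarios are this example's own assumptions.

```python
# Added example (not from the original post or Linden Lab): a simulation
# of the browser "downgrade dance" and of TLS_FALLBACK_SCSV (RFC 7507).
# The version numbers and the SCSV value are the real wire constants; the
# Server/connect API and the scenarios are this example's own construction.
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value, RFC 7507
ORDINARY_SUITE = 0x002F           # TLS_RSA_WITH_AES_128_CBC_SHA, as filler

class Server:
    """Server policy: highest version supported, whether SSL 3.0 is still
    enabled, and whether it understands TLS_FALLBACK_SCSV."""
    def __init__(self, max_version, ssl3_enabled, honours_scsv):
        self.max_version = max_version
        self.ssl3_enabled = ssl3_enabled
        self.honours_scsv = honours_scsv

    def handshake(self, client_version, cipher_suites):
        """Return ("ok", negotiated_version) or ("alert", description)."""
        if client_version == SSL3 and not self.ssl3_enabled:
            return ("alert", "protocol_version")
        # RFC 7507: the SCSV marks a fallback retry; if the client offers
        # less than we support, something in the path forced the fallback.
        if (self.honours_scsv and TLS_FALLBACK_SCSV in cipher_suites
                and client_version < self.max_version):
            return ("alert", "inappropriate_fallback")
        return ("ok", min(client_version, self.max_version))

def connect(server, dropped_attempts, send_scsv):
    """Client side of the 2014-era downgrade dance: offer the highest
    version and, when the connection fails, retry one step lower.
    dropped_attempts = how many attempts never complete (an on-path party
    resetting them, or simply a broken middlebox). Returns the negotiated
    version, or None if no session is established. Simplification: any
    alert ends the dance instead of triggering a further retry."""
    for attempt, version in enumerate((TLS12, TLS11, TLS10, SSL3)):
        if attempt < dropped_attempts:
            continue                          # connection failed; go lower
        suites = [ORDINARY_SUITE]
        if send_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)  # flag this as a fallback retry
        status, result = server.handshake(version, suites)
        return result if status == "ok" else None
    return None

# Constructed scenarios: an unpatched server, one that honours the SCSV,
# and one with SSL 3.0 disabled as Google's advisory recommends.
legacy  = Server(TLS12, ssl3_enabled=True,  honours_scsv=False)
patched = Server(TLS12, ssl3_enabled=True,  honours_scsv=True)
no_ssl3 = Server(TLS12, ssl3_enabled=False, honours_scsv=False)
```

Note that the SCSV only helps when both ends take part: a patched server still negotiates SSL 3.0 with a client that does not send it, which is why the advisory pairs it with disabling SSL 3.0 outright.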


More than Just Another Tequila Sunrise

Just Another Tequila Sunrise, Isle of Love; Inara Pey, October 2014, on Flickr

I was led to Just Another Tequila Sunrise by Kate Bergdorf, who mentioned it in her blog recently. A homestead region, it is currently painted in rich autumnal colours which make it an absolute delight to visit on these (for those of us in the UK at least) damp and dreary days.

The work of SL photographer Arol Lightfoot, the region carries a name that is a perfect reflection of its look and feel under the default windlight (although I admittedly used others when taking my own snaps). Photographers are warmly invited to explore and take pictures, and Arol has created a Flickr group where images can be shared, if people wish.

Just Another Tequila Sunrise, Isle of Love; Inara Pey, October 2014, on Flickr

For those who explore SL a lot, there are a number of familiar motifs here – the offshore lighthouse, the craggy upthrust of a rocky plateau, the low-lying lands broken by bodies of water, the sweeping white curve of a beach… Which is not to say that Just Another Tequila Sunrise is in any way derivative; quite the reverse, in fact. In a world where people are limited in how they can take an island 256 metres on a side and blend it into the surrounding sea, it is inevitable that regions come to share familiar elements while still retaining their own individuality.

More than this, however, is the fact that such familiar elements within individual region designs help to give a feeling of continuity as one travels through SL. When encountered, they can help make individual islands feel as if they are different elements of the same country or coastline, rather than being individual places, more-or-less standing on their own.

Just Another Tequila Sunrise, Isle of Love; Inara Pey, October 2014, on Flickr

Two areas of habitation mark the island. On the west sits a small farm, the ribbon of a lake reaching almost to the front door of the house. To the east, and built out over one of the two beaches, sits a wooden pier topped by a sun-bleached house. Between them the low-lying grasslands offer plenty of space to wander, with places for individuals, couples and groups to sit and enjoy the surroundings. Bridges, both stone and wooden, allow easy passage over the water, and a path cut into the rock guides those so minded to the top of the southern plateau.

With the sounds of nature throughout and birds wheeling overhead, Just Another Tequila Sunrise is, as noted above, an absolute delight to visit, and guaranteed to brighten the dreariest of days. Highly recommended.

Just Another Tequila Sunrise, Isle of Love; Inara Pey, October 2014, on Flickr


SL project updates 42/1: server, viewer, viewer-driven Marketplace

Square Pegs in Round Holes, Kashmir Dreams; Inara Pey, September 2014, on Flickr – blog post

Server Deployments Week 42

As always, please refer to the server deployment thread for updates and the latest information.

  • There was no code promotion to the Main (SLS) channel on Tuesday, October 14th – this follows from there having been no deployments to the primary RC channels in week 41.
  • On Wednesday, October 15th, the primary RC channels should be updated as follows:
    • Bluesteel should receive the CDN texture & mesh fetching capabilities – release notes.
    • LeTigre and Magnum should both receive a new server maintenance package, which includes a crash fix and improves the delivery pipeline for abuse reports.

SL Viewer

As noted in my report here, Monday October 13th saw the release of the latest version of the Oculus Rift project viewer. Version 3.7.18.295296 includes support for the Oculus DK2.

Viewer-managed Marketplace (VMM)

Baker Linden sports a new look, but keeps the hair, shades and bling – as all hamsters should!

Baker Linden, who has been carrying out a lot of the back-end work in support of the forthcoming viewer-managed Marketplace, was on hand at the Simulator User Group meeting on Tuesday, October 14th to talk a little more about the project.

He reconfirmed that the new capabilities, which will allow merchants to carry out a number of Marketplace-specific tasks from within the viewer (create new listings with stock, associate inventory to an existing listing, remove items from a listing, unlist goods entirely), will commence testing on Aditi in November, together with a new project viewer. This testing is liable to run well into the first quarter of 2015, and will involve both Marketplace merchants and TPV developers.

Various additional safeguards are being built into the updated delivery mechanism, both within the Marketplace web interface (which is the responsibility of one of the Lab’s web developers) and the back-end of things. For example, if someone leaves an item in their shopping cart and either the price for the item changes or it is unlisted in the intervening period prior to them continuing to the checkout, they will receive a notification of the change when they do so.

Baker himself is working to eliminate issues with No Copy items, such as preventing a race condition in which a region restart can be exploited to obtain more than one version of a No Copy item. He also indicated that when a No Copy item runs out of stock, the listing for it will no longer be delivered to users’ browsers by the Marketplace (presumably until the merchant “restocks” the item), and the listing may even be deactivated.

He also provided more information on the ability to link more than one item to a Marketplace listing, stating:

For merchants, you will be able to choose which “version” is listed so you can have a special holiday-skinned object, and then simply right-click, say “use this version” and then it will start selling the new holiday version of your object!  When you’re done selling the holiday themed object, just switch back to the original version.

However, a problem here is that some people tend to let items accumulate in their Marketplace shopping cart for a period of time – perhaps a week or so – before proceeding to the checkout. It is therefore possible that if they add a “special” version of an item to their cart and leave it there for a while, the merchant may subsequently swap the listing back to deliver the “normal” version of the item – which the buyer will receive when they do eventually proceed to checkout and pay for the items in their shopping cart, leading to complaints and upset. This is something the Lab hadn’t actively considered, so Baker has taken the issue back to the office where it will be given further thought.

The discussion of the new Marketplace capabilities led to a number of suggestions being put forward, some of which may be on their way to being filed as JIRA feature requests:

  • The ability to mark stores as favourites in the Marketplace
  • The ability to obtain a demo version of an item directly from the item’s listing page
  • The ability to associate different coloured versions of the same product in a single listing
  • The ability to view an item’s contents like the contents of in-world objects can be inspected.

A request was also made for some kind of in-world meeting to discuss the Marketplace. This is not the first time such a request has been made. However, the last time the Commerce Team directly responded to such requests, it was with a refusal to hold in-world meetings. However, there was a lot going on with the Marketplace at that time, which was causing a lot of angst; it’s fair to say a lot has changed since then. Certainly, with an extended period of testing for the new viewer-driven capabilities about to commence, which will involve both merchants and TPV developers, it would seem that putting a mechanism in place by which the Lab, merchants and developers can discuss things would benefit the project tremendously.