HTTP pipelining viewer reaches release status as CDN support is grid-wide

On Wednesday, October 29th, the Lab promoted the HTTP pipelining viewer to the de facto release viewer, a move that came just after the grid-wide deployment of CDN support on Tuesday, October 28th. While the two are complementary rather than reliant upon one another, both should help improve the majority of users’ Second Life experience to some degree.

Monty Linden: the HTTP pipelining viewer marks the culmination of over 2 years of work improving SL’s HTTP capabilities

The HTTP pipelining viewer is the latest phase of over two years of work on Second Life by Monty Linden, work which has involved the viewer as well as the servers and back-end services which support SL.

The work, originally a part of Project Shining, which was itself heralded as complete in June 2014, initially focused on texture handling between the servers and the viewer. Since then, Monty has gone on to tackle a number of aspects of improving the use of HTTP in Second Life, such as making connections more robust and reliable, improving throughput to the viewer via HTTP, and so on.

The HTTP pipelining viewer, as the name suggests, leverages HTTP pipelining, a technique in which multiple HTTP requests are sent on a single TCP connection without waiting for the corresponding responses, which significantly improves the download of data (currently avatar baking information, texture data, and mesh data) to the viewer. The upshot of this is that the impact of a user’s physical location on scene loading is reduced, improving their overall experience.

As well as this, the HTTP viewer includes significant improvements to inventory folder and item fetches, which can markedly decrease the time taken for inventory to load, particularly if a user’s local inventory files have been flushed as a part of a cache clearing (or similar) exercise.

These inventory updates alone are liable to be appreciated by users as the viewer-side HTTP code gains wider adoption by TPVs. Tests have shown that a decently structured inventory (e.g. one that uses a folder hierarchy, rather than everything dumped into just a handful of top-level folders) of 100K can have a “clean” load time of 16-18 minutes reduced to around 3 minutes.

Earlier in October 2014, Monty blogged on his work, showing how both the CDN and the HTTP pipelining viewer, coupled with his earlier HTTP improvements, have benefited texture and mesh fetching in SL. If you’ve not read that blog post, I recommend that you do.

Monty Linden’s recent blog post shows how the HTTP work has improved texture and mesh fetching within SL

As well as working on HTTP, Monty has also been engaged in rebuilding and cleaning up many of the third-party libraries used in the building of the viewer. This work should not only improve the viewer build process and ensure such third-party libraries are used consistently within it, it may also help pave the way toward the Lab producing 64-bit versions of their viewer in the future.

Poodle vulnerability: Lab issue RC viewer with browser fix

On Wednesday October 15th I blogged about the Lab having issued a Grid Status update warning that those who use the viewer’s built-in browser may not be able to access certain websites. The notice was issued by the Lab as a result of the Padding Oracle On Downgraded Legacy Encryption (Poodle) vulnerability reported by Google.

As noted in my original article, the Poodle vulnerability exploits a flaw in the design of the SSL 3.0 protocol, which despite being 18 years old, is used as a fallback security protocol within most browsers. By using a series of connection failures between a browser and website, an attacker can trigger what is called a “downgrade dance” where the browser eventually falls back to using the SSL 3.0 protocol to maintain communications. When this happens, the attacker can use the exploit within SSL 3.0 to grab sensitive data.

How a Poodle attack works (image courtesy of Critical Watch)

There are a couple of caveats to the vulnerability: for the attack to work, the attacker must be on the same wireless network as you or in the path of your communications (as shown above), and your client must be running JavaScript. However, it caused Google to issue an advisory that websites either disable SSL 3.0 support or use tools that support TLS_FALLBACK_SCSV (Transport Layer Security Signalling Cipher Suite Value), which prevents the “downgrade dance” attacks. This prompted some websites to remove / disable SSL 3.0 support, which in turn resulted in some websites becoming inaccessible when using the viewer’s internal browser or browser-related services.

At the time the Grid Status update was issued, the Lab indicated they were working to fix the problem within the viewer’s browser capability. This has now been done, and release candidate version 3.7.18.295539 of the viewer, referred to as the “Browser Fix” viewer, removes SSL 3.0 usage from the viewer’s internal browser, allowing it to connect to sites which have disabled SSL 3.0 support.

If you do use the official viewer and prefer accessing websites using the internal browser, you may want to download this RC. For those not using the official viewer and who have experienced issues accessing websites through the viewer’s internal web browser, try switching to using an external browser to open web links (set via Preferences), as per the advice on the original Grid Status update from the Lab.


“I believe I can fly”: the empowering freedom of virtual worlds

The single image Jay Jay Jegathesan used in his 3-minute presentation on his PhD research on community and collaboration through virtual worlds

I’ve frequently blogged about the work of the University of Western Australia in Second Life; with an active presence in SL since 2009, the University has gained a first-class reputation for sponsoring and promoting art in virtual worlds through initiatives such as the MachinimUWA competitions, and activities such as their current Transcending Borders challenge, the Freedom Project, and Project Homeless, as well as supporting the LEA’s Full Sim Art series, all of which I’ve had the privilege of covering in these pages.

The Freedom Project, one of many community-focused activities undertaken by the UWA within Second Life

The UWA’s involvement in Second Life came about as a result of PhD student Jay Jay Jegathesan, who founded the University’s virtual campus in Second Life, which has grown to include academic teaching activities across Business, Law (including the use of SL machinima in a post-graduate degree course), the Arts, Anatomy, Physiology & Human Biology, and Education (including providing resources essential in helping educators and new users get started with SL).

In particular, as a result of Jay Jay’s work the University has become recognised as a world leader in global community development through virtual worlds technology. This in turn has encouraged Jay Jay to make the topic of global community development and collaboration through virtual worlds, particularly in reference to people with disabilities, the focus of his PhD thesis.

Currently, Jay Jay is participating in the UWA’s 2014 3-Minute Thesis competition, in which students were asked to speak for 3 minutes on their PhD research using no technology or props aside from a single image. His presentation, directly referencing the power of virtual worlds to help those with disabilities – indeed, all of us – is both beautiful and direct; so why not take a moment to listen to his impassioned explanation of the empowering freedom virtual worlds offer?

I’d also like to take this opportunity of thanking Jay Jay for his generosity and kindness in sending me a copy of the Freedom Project book, which is a fabulous publication, lavishly illustrated with pictures of the works submitted to the project, biographies of the artists, and much more besides. It is very much a must-have for anyone with an appreciation of virtual world art. Copies can be obtained for L$5000 (around $20.00 US), shipped anywhere in the world. Those wishing to purchase a copy should contact Jayjay Zifanwe in-world for ordering information.

The ghost of the Premium Membership offer returns …

The Lab has announced the latest round of the Premium Membership promotions – this one with a decidedly Halloween feel.

As usual, the offer is 50% off of membership for those upgrading, but only if they opt for the Quarterly billing plan, and the discount is applied only to the first quarter billing period. The offer begins on Wednesday the 15th of October at 08:00 am Pacific Daylight Time (PDT) and expires on Monday the 3rd of November 2014 at 08:00 am Pacific Standard Time (PST).

Alongside the membership discount comes the Premium gift offer, which this time has a Halloween theme and includes “jack o’lanterns, witches’ brooms and more – including a bone-shaking skeleton avatar”. The gift pack can be obtained through the Premium Gift kiosks.

I admit I’ve not picked up my gift, as it doesn’t really appeal. This being the case, I’ll also avoid my usual grumblings about the way Premium membership is pitched, and instead say that whether or not you feel upgrading to Premium is worthwhile is purely a matter of individual choice. However, I would say that if you’re considering it on the basis of “exclusive gifts” or “more privacy”, then you’re probably better off sitting down and thinking again.

Part of the Halloween 2014 Premium Gift (image via Linden Lab)

Launched alongside the Premium Membership offer, and included in the same blog post as the Premium offer stuff, is news about the Haunted Halloween Tour, the latest offering from the Lab to feature Experience Keys. This can be accessed via the Lab’s Portal Park, and I’ve covered it in a companion article to this one.

Poodle vulnerability: Lab issue viewer browser notice

On Wednesday October 15th, and as a result of the Padding Oracle On Downgraded Legacy Encryption (Poodle) vulnerability reported by Google, the Lab issued a Grid Status update, warning that those who use the viewer’s built-in browser may not be able to access certain websites.

The update from the Lab reads in part:

[Posted 12:15 PM PDT, 15 October 2014] Residents may be unable to open certain websites using the viewer’s internal browser. This is due to a security related change made by many web sites in response to a vulnerability announced today by Google. This issue will affect Media-on-a-Prim for those sites, and will block initial setup of some SLShare accounts.

You may be able to access those sites by setting your viewer to use an external browser: go to Me/Preferences/Setup and check “Use my browser (Chrome, Firefox, IE) for all links”.

We are aware of the issue and working on a fix.

Unlike recent security vulnerabilities, like Heartbleed, Poodle targets the client-end of things. It does this by exploiting a flaw in the design of the SSL 3.0 protocol, which despite being 18 years old, is used as a fallback security protocol within most browsers, including Chrome, Firefox and Internet Explorer. However, there are a couple of caveats to its effectiveness: for the attack to work, the attacker must be on the same wireless network as you (or in the path of your communications), and your client must be running JavaScript.

Essentially what happens is that the attacker initiates a series of connection failures between the browser and website, which in turn trigger what is called a “downgrade dance” where the browser eventually falls back to using the SSL 3.0 protocol to maintain communications. The attacker then uses the vulnerability within SSL 3.0 to grab sensitive data.

Because of its nature, and the fact that certain requirements must be met (as noted above) in order for it to work, Poodle is regarded as less far-reaching than something like Heartbleed. However, it has prompted Google to issue an advisory that websites either disable SSL 3.0 support or use tools that support TLS_FALLBACK_SCSV (Transport Layer Security Signalling Cipher Suite Value), which prevents the “downgrade dance” attacks on services that can trigger the vulnerability. Google have also stated they plan to scrub SSL 3.0 support from their Chrome browser, and Mozilla are going to do the same with Firefox.
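The fallback behaviour and the TLS_FALLBACK_SCSV countermeasure described above (and in the RC viewer article earlier on this page), as an added toy model that is not code from the Lab, Google or the original articles. The signalling value and alert codes follow RFC 7507 and the TLS alert registry; the `Server` class, `connect` function and sample cipher suite list are constructed for illustration, and no real TLS is spoken.

```python
# Added illustration: toy model of version negotiation, not real TLS code.
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
TLS_FALLBACK_SCSV = 0x5600       # signalling cipher suite value (RFC 7507)
INAPPROPRIATE_FALLBACK = 86      # fatal alert defined alongside it
PROTOCOL_VERSION = 70            # fatal alert: no common version

class Server:
    def __init__(self, versions, honours_scsv):
        self.versions = sorted(versions)
        self.honours_scsv = honours_scsv

    def hello(self, client_version, cipher_suites):
        """Answer one ClientHello with ("ok", version) or ("alert", code)."""
        if (self.honours_scsv and TLS_FALLBACK_SCSV in cipher_suites
                and client_version < self.versions[-1]):
            return ("alert", INAPPROPRIATE_FALLBACK)
        usable = [v for v in self.versions if v <= client_version]
        if not usable:
            return ("alert", PROTOCOL_VERSION)
        return ("ok", usable[-1])

def connect(server, client_versions, send_scsv, path_drops=lambda v: False):
    """Client fallback loop: retry one version lower after each failure."""
    for attempt, version in enumerate(sorted(client_versions, reverse=True)):
        suites = [0x002F]                   # constructed sample suite list
        if send_scsv and attempt > 0:       # mark every retry as a fallback
            suites.append(TLS_FALLBACK_SCSV)
        if path_drops(version):             # simulated connection failure
            continue
        status, value = server.hello(version, suites)
        if status == "ok":
            return ("connected", value)
        if value == INAPPROPRIATE_FALLBACK:
            return ("refused", value)       # stop here, never go lower
    return ("failed", None)

def demo():
    every = [SSL3, TLS10, TLS11, TLS12]
    forced = lambda v: v > SSL3             # failures above SSL 3.0 only
    return {
        "legacy server": connect(Server(every, False), every, False, forced),
        "SCSV on both ends": connect(Server(every, True), every, True, forced),
        "SSL 3.0 disabled": connect(Server(every[1:], False), every, False, forced),
    }

if __name__ == "__main__":
    print(demo())
```

`demo()` gives the three outcomes the articles describe: a legacy server is walked down to SSL 3.0, an SCSV-aware client and server refuse the fallback, and a server with SSL 3.0 disabled simply cannot be reached at that version.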


UKanDo 3.7.17: new login screen

On Thursday October 8th, the UKanDo viewer updated to version 3.7.17.28056 for both Windows and Linux.

The new version leap-frogs over a 3.7.16 release (the September release being 3.7.15), and instead combines the Lab’s 3.7.16 and 3.7.17 code base updates into a single release.

UKanDo version 3.7.17.28056 incorporates the Lab’s updated log-in splash screen, which sees one of two different screens displayed, depending upon whether the user is logging-in to SL for the first time (or has performed a completely clean install), or is returning to SL having previously logged-in (the screen shown below).

With the 3.7.17 release, UKanDo adopts the new-look Lab log-in splash screen layouts

As well as the log-in screen update, the release also includes the last set of maintenance updates from the Lab to become the release viewer, and which comprised fixes and updates for: inventory & outfit management; appearance editing; group & group ban management; multi-grid support for favourites; camera controls; notifications management and stability improvements, as well as various UI bug and viewer crash fixes.

The new Status bar option to show / hide your L$ balance

There are also a number of updates requested by UKanDo users included in the release:

  • An option in the Status Bar menu to show / hide your L$ account balance (shown by default) – useful for those taking snapshots or screen captures which include the UI, as they can hide their account balance if they wish. When unchecked, the account balance display slides out of sight.
  • An option to show the UI in Mouselook has been added to Preferences (Preferences > General > Camera). This is disabled by default, requiring the use of the ALT key to move the cursor.
  • The “Save to Disk” button in the Snapshot floater has been re-labelled “Save to Computer”.

Further updates in this release comprise:

  • FModEx updated to 4.44.41
  • lqtwebkit updated to 4.8.1 (contributed by Drakeo), which should fix Flash video not working for GNU/Linux users
  • FS pose stand updated with additional validation checks (via Ansariel Hiller).
