secondlife / jira-archive


[BUG-234488] Move all SL Chat from Plaintext over UDP to HTTPS #11405

Open sl-service-account opened 9 months ago

sl-service-account commented 9 months ago

How would you like the feature to work?

Currently (to the best of my understanding) all chat for Second Life is transmitted over the internet as plaintext over the UDP protocol, meaning anyone who has the interest and access to the connection can simply read whatever is occurring with minimal effort.

Moving chat to an HTTPS protocol would bring SL security up to parity with the rest of the modern internet.

Why is this feature important to you? How would it benefit the community?

Moving off of plain-text over UDP is important because normal people don't check what internet security protocols are in place before saying something that might get them in trouble when they're using a live chat service. It's not something that is always at the forefront of the average SL user's mind while they're using the platform, and it shouldn't HAVE to be...

One of SL's primary strengths is the incredible diversity of its user base. The "freedom to do whatever you can imagine", as advertised. However, many users often physically live in locales where they are very much NOT allowed to do "whatever they can imagine".

I personally know multiple people in SL who physically live in areas that are very hostile towards LGBTQ+ people, including, specifically, Saudi Arabia and UAE (Dubai), where offenses, if found out, are literally punishable by imprisonment or death. Many other Arabic-speaking countries also bring heavy penalties to people who are "discovered" to be LGBT, including Muslim parts of India, from which SL finds many of its users. Other areas where non-cis behavior is severely punished or curtailed include China (now including Hong Kong) as well as all of Russia. While many of these regions rarely enforce violent penalties, instead opting to just make people's lives exceedingly difficult (such as China, and its habit of simply coercing people to ... stop using the internet for their own 'best interests'), it's a risk that can be mitigated by simply changing to a more secure environment. While it is admittedly unlikely that the PRC is closely monitoring SL chat for inappropriate activist sentiments, in the modern age of AI data collection and congregation, it's not entirely UNLIKELY either.

Members of the LGBTQ+ community are not the only ones at risk. There are plenty of people who are simply exploring social connections where they are not free to do so in RL. While oppressive regimes aggregating data are always a concern, there are plenty of SL residents who are living in very socially liberal areas where they simply don't want their SL adventures to be broadcast to the world at large. This includes people who are public figures, police officers, teachers, public servants, or anyone who's currently legally married or not currently "out" while living with their sexual orientation.

I'm not a cryptography expert, nor an internet security expert. I don't expect full end-to-end encryption for a social virtual environment, but I do hope that users who may be completely unaware of the risk that they're posing to themselves by "just being themselves" as advertised, would at least be met halfway in terms of privacy features.

Thank you.

Original Jira Fields

| Field | Value |
| ------------- | ------------- |
| Issue | BUG-234488 |
| Summary | Move all SL Chat from Plaintext over UDP to HTTPS |
| Type | New Feature Request |
| Priority | Unset |
| Status | Accepted |
| Resolution | Accepted |
| Created at | 2023-10-03T22:55:40Z |
| Updated at | 2023-10-04T18:19:43Z |

```
{
  'Build Id': 'unset',
  'Business Unit': ['Platform'],
  'Date of First Response': '2023-10-03T20:10:18.973-0500',
  'How would you like the feature to work?': 'Currently ( to the best of my understanding ) all chat for Second Life is transmitted over the internet as plaintext over UDP Protocol, meaning anyone who has the interest and access to the connection can simply read whatever is occurring with minimal effort.\r\n\r\nMoving chat to an HTTPS protocol would bring SL security up to parity with the rest of the modern internet.',
  'ReOpened Count': 0.0,
  'Severity': 'Unset',
  'Target Viewer Version': 'viewer-development',
  'Why is this feature important to you? How would it benefit the community?': 'Moving off of plain-text over UDP is important because normal people don\'t check what internet security protocols are in place before saying something that might get them in trouble when they\'re using a live chat service. It\'s not something that is at the forefront of most users minds.\r\n\r\nOne of SL\'s primary strengths is the incredibly diversity of its user base. The "freedom to do whatever you can imagine", as advertised. However many users often physically live in locales where they are very much NOT allowed to do "whatever they want".\r\n\r\nI personally know multiple people in SL who physically live in areas that are very hostile towards LGBTQ+ people, including specifically, Saudi Arabia where offenses, if found out are literally punishable by death. Many other Arabic speaking countries also bring heavy penalties to people who are "discovered" to be LGBT, including muslim parts of India, from which SL pulls many users. Other areas where non-cis behavior is severely punished or curtailed include China ( now including Hong-Kong) as well as parts of Russia. While many of these regions rarely enforce violent penalties; instead opting to just make people\'s lives exceedingly difficult ( such as China, and it\'s habit of simply coercing people to ... stop using the internet for their own \'best interests\' ) it\'s a risk that can be mitigated by simply changing to a more secure environment. While it is admittedly unlikely that the PRC is closely monitoring SL chat for inappropriate activist sentiments, in the modern age of AI data collection and congregation, it\'s not entirely UNLIKELY either.\r\n\r\nI\'m not a cryptography expert, nor an internet security expert. I don\'t expect full end-to-end encryption for a social virtual environment, but I do hope that users who may be completely unaware of the risk that they\'re posing to themselves by "just being themselves" as advertised, would at least be met halfway in terms of privacy features.\r\n\r\nThank you.',
}
```

sl-service-account commented 9 months ago

Beq Janus commented at 2023-10-04T01:10:19Z

I have previously raised this issue, not as a Jira but in discussions and social media. 

This weakness has existed for a very long time; however, as the platform attracts new people, they are likely to bring with them preconceptions that chat is secure, given that pretty much every other social chat platform is encrypted at some level. There are multiple points of weakness.

1) data at rest. 

Currently all chat logs are in plaintext and enabled by default.

There is no clear warning or any indication to the user that this data is being stored in plain text on their hard drive. On the LL viewer, there is no aging of logs and the tools for managing the data are limited (delete is all or nothing). 

2) data in flight

There is no encryption or encoding at all and chat is openly observable. 

IM (which is more commonly referred to as DM outside of SL) is most likely to be incorrectly considered as secure because it is presented as direct and person-to-person. 

Public and group chat is equally vulnerable but the argument that it is less likely to be "thought to be private" is less easily defended. That said, if you are not aware of the logging of local chat, it would be reasonable to assume that only those listed as present would have a record.

Given that the chat mechanism is used for so many communication needs within SL, I doubt that a true end-to-end encryption is viable. Putting aside the technical requirements and even any internal requirements to support management of the platform, it seems likely that some of the regulatory requirements of operating a virtual currency include adequate safeguards around money laundering, and would potentially clash with this. However, point-to-point encryption from the viewer to the sim would pose no such barriers, as "internally" to Second Life data would be as it is today.

For a short while around 15 years ago the Emerald Viewer had OTR chat, an end-to-end encrypted tunnel within the existing chat. While it predates my involvement with viewer development by many years, it would appear to have been explicitly banned by LL and as such no TPV can now attempt to address this problem. Adopting point-to-point TLS, which is already in place for the HTTP-based capability system, would be a step forward.

The following document covers in great depth just one class of exposed individuals whose potentially uninformed capture of "private" conversations could land them in very deep waters indeed. https://ilga.org/downloads/ILGA_World_State_Sponsored_Homophobia_report_global_legislation_overview_update_December_2020.pdf

I think also that a short-term measure to remind all users that data that they share is not secure should be deployed, probably in the form of a one-time popup in the viewer.
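
Added example (not part of the thread, and not Linden Lab or viewer code): the comment above notes that plaintext chat logs are never aged and that deletion is all or nothing. The code below ages out individual log entries older than a retention window; the `[YYYY/MM/DD HH:MM]` line prefix, the function names and the sample lines are assumptions constructed for illustration.

```python
import os
import re
from datetime import datetime, timedelta

# Assumed log line shape (not taken from the page): "[2023/10/03 22:55]  Name: text"
STAMP = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2})\]")

def age_out(lines, now, max_age_days):
    """Drop entries older than max_age_days; return (kept_lines, dropped_count).

    Lines without a stamp are treated as continuations of the previous
    entry and share its fate. Lines before the first stamp are kept.
    """
    cutoff = now - timedelta(days=max_age_days)
    kept, dropped, keep_entry = [], 0, True
    for line in lines:
        m = STAMP.match(line)
        if m:
            try:
                stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M")
                keep_entry = stamp >= cutoff
            except ValueError:
                keep_entry = True  # impossible date: keep rather than lose data
        if keep_entry:
            kept.append(line)
        else:
            dropped += 1
    return kept, dropped

def prune_file(path, now, max_age_days):
    """Rewrite one log file in place without its expired entries."""
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        kept, dropped = age_out(fh.readlines(), now, max_age_days)
    if dropped:
        tmp = path + ".tmp"
        with open(tmp, "w", encoding="utf-8", errors="surrogateescape") as fh:
            fh.writelines(kept)
        os.replace(tmp, path)  # atomic swap of the rewritten file
    return dropped

# Constructed sample lines, not real chat data.
SAMPLE = [
    "[2023/06/01 10:00]  Resident A: old message\n",
    "continued on a second line\n",
    "[2023/10/01 09:30]  Resident B: recent message\n",
    "[2023/10/03 22:55]  Resident A: newest message\n",
]
```

Rewriting the file does not overwrite the old disk blocks, so this kind of aging complements disk encryption rather than replacing it.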

sl-service-account commented 9 months ago

Chaser Zaks commented at 2023-10-04T18:03:14Z

Moving chat to HTTPS is a terrible idea. HTTP is a transfer protocol, not a bi-directional streaming protocol. (Despite what the eventpump capability thinks).

UDP can be encrypted using DTLS.

sl-service-account commented 9 months ago

Spidey Linden commented at 2023-10-04T18:19:35Z

Issue accepted. We have no estimate when it may be implemented. Please see future release notes for this fix.