Poodle vulnerability: Lab issue RC viewer with browser fix

On Wednesday October 15th I blogged about the Lab having issued a Grid Status update warning that those who use the viewer’s built-in browser may not be able to access certain websites. The notice was issued by the Lab as a result of the Padding Oracle On Downgraded Legacy Encryption (Poodle) vulnerability reported by Google.

As noted in my original article, the Poodle vulnerability exploits a flaw in the design of the SSL 3.0 protocol, which despite being 18 years old, is used as a fallback security protocol within most browsers. By using a series of connection failures between a browser and website, an attacker can trigger what is called a “downgrade dance” where the browser eventually falls back to using the SSL 3.0 protocol to maintain communications. When this happens, the attacker can use the exploit within SSL 3.0 to grab sensitive data.

How a Poodle attack works (image courtesy of Critical Watch)

There are a couple of caveats to the vulnerability: for the attack to work, the attacker must be on the same wireless network as you or in the path of your communications (as shown above), and your client must be running JavaScript. However, it caused Google to issue an advisory recommending that SSL 3.0 support be disabled, or that websites use tools that support TLS_FALLBACK_SCSV (Transport Layer Security Signalling Cipher Suite Value), which prevents the “downgrade dance” attacks. This prompted some websites to remove / disable SSL 3.0 support, which in turn resulted in some websites becoming inaccessible when using the viewer’s internal browser or browser-related services.
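The downgrade dance and the two mitigations described above, as a small simulation (an added example, not code from the Lab, Google or the original article). It is a toy model of version negotiation only; the `Server` / `connect` names and the `fail_above` knob are assumptions made for illustration.

```python
# Added illustration: a toy model of version negotiation, not a TLS implementation.
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
AES128_CBC_SHA = 0x002F          # TLS_RSA_WITH_AES_128_CBC_SHA
TLS_FALLBACK_SCSV = 0x5600       # RFC 7507 signalling cipher suite value
PROTOCOL_VERSION = 70            # alert: offered version not supported
INAPPROPRIATE_FALLBACK = 86      # alert: RFC 7507 fallback refused


class Server:
    def __init__(self, max_version=TLS12, min_version=SSL3, honours_scsv=True):
        self.max_version = max_version
        self.min_version = min_version
        self.honours_scsv = honours_scsv

    def hello(self, client_version, cipher_suites):
        """Return ("ok", version) or ("alert", code) for one ClientHello."""
        if (self.honours_scsv and TLS_FALLBACK_SCSV in cipher_suites
                and client_version < self.max_version):
            # The client says it is retrying at a lower version, yet this
            # server supports a higher one: the earlier failures were not ours.
            return ("alert", INAPPROPRIATE_FALLBACK)
        version = min(client_version, self.max_version)
        if version < self.min_version:
            return ("alert", PROTOCOL_VERSION)
        return ("ok", version)


def connect(server, client_versions, send_scsv, fail_above=None):
    """Browser-style fallback: after a failure, retry one version lower.

    fail_above (hypothetical knob) models the connection failures described
    above: every attempt above that version fails before reaching the server.
    Returns the negotiated version, or None if the client gives up.
    """
    highest = max(client_versions)
    for version in sorted(client_versions, reverse=True):
        if fail_above is not None and version > fail_above:
            continue  # attempt failed in transit, fall back
        suites = [AES128_CBC_SHA]
        if send_scsv and version < highest:
            suites.append(TLS_FALLBACK_SCSV)  # mark this hello as a retry
        kind, value = server.hello(version, suites)
        if kind == "ok":
            return value
        if value == INAPPROPRIATE_FALLBACK:
            return None  # abort rather than retry lower
    return None
```

With `fail_above=SSL3`, a client that omits the SCSV ends up negotiating `0x0300`, while one that sends it to a server honouring it gets `None`. A client offering only SSL 3.0 against `Server(min_version=TLS10)` also gets `None`, which is the inaccessible-site situation the “Browser Fix” RC addresses.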

At the time the Grid Status update was issued, the Lab indicated they were working to fix the problem within the viewer’s browser capability. This has now been done, and release candidate version 3.7.18.295539 of the viewer, referred to as the “Browser Fix” viewer, removes SSL 3.0 usage from the viewer’s internal browser, allowing it to connect to sites which have disabled SSL 3.0 support.

If you do use the official viewer and prefer accessing websites using the internal browser, you may want to download this RC. For those not using the official viewer and who have experienced issues accessing websites through the viewer’s internal web browser, try switching to using an external browser to open web links (set via Preferences), as per the advice on the original Grid Status update from the Lab.

“I believe I can fly”: the empowering freedom of virtual worlds

The single image Jay Jay Jegathesan used in his 3-minute presentation on his PhD research on community and collaboration through virtual worlds

I’ve frequently blogged about the work of the University of Western Australia in Second Life; with an active presence in SL since 2009, the University has gained a first-class reputation for sponsoring and promoting art in virtual worlds through initiatives such as the MachinimUWA competitions, and activities such as their current Transcending Borders challenge, the Freedom Project, and Project Homeless, as well as supporting the LEA’s Full Sim Art series, all of which I’ve had the privilege of covering in these pages.

The Freedom Project, one of many community-focused activities undertaken by the UWA within Second Life

The UWA’s involvement in Second Life came about as a result of PhD student Jay Jay Jegathesan, who founded the University’s virtual campus in Second Life, which has grown to include academic teaching activities across Business, Law (including the use of SL machinima in a post-graduate degree course), the Arts, Anatomy, Physiology & Human Biology, and Education (including providing resources essential in helping educators and new users get started with SL).

In particular, as a result of Jay Jay’s work the University has become recognised as a world leader in global community development through virtual worlds technology. This in turn has encouraged Jay Jay to make the topic of global community development and collaboration through virtual worlds, particularly in reference to people with disabilities, the focus of his PhD thesis.

Currently, Jay Jay is participating in the UWA’s 2014 3-Minute Thesis competition, in which students were asked to speak for 3 minutes on their PhD research using no technology or props aside from a single image. His presentation, directly referencing the power of virtual worlds to help those with disabilities – indeed, all of us – is both beautiful and direct; so why not take a moment to listen to his impassioned explanation of the empowering freedom virtual worlds offer?

I’d also like to take this opportunity of thanking Jay Jay for his generosity and kindness in sending me a copy of the Freedom Project book, which is a fabulous publication, lavishly illustrated with pictures of the works submitted to the project, biographies of the artists, and much more besides. It is very much a must-have for anyone with an appreciation of virtual world art. Copies can be obtained for L$5000 (around $20.00 US), shipped anywhere in the world. Those wishing to purchase a copy should contact Jayjay Zifanwe in-world for ordering information.

SL project updates week 42/2: Monty’s HTTP update and the HTTP pipelining viewer

On Wednesday October 15th, Monty Linden blogged about his HTTP work and the CDN, using the rather unusual title, The Sky Over Berlin (and Elsewhere). It’s a great piece of reading, although I can’t help thinking that Monty’s sign-off at the end of it would have perhaps suited the subject matter far better: nous sommes embarqués – “adventure is ours for the taking”!

The first part of the post recaps on Monty’s initial work in improving Second Life via the HTTP project. This started as far back as mid-2012, with the first pass focused on improving the mechanism by which textures could be obtained for rendering via HTTP, which entered widespread use around November 2012, with the release of the 3.4.3267135 viewer.

This work was followed by Monty labouring to improve mesh fetching as well, and to improve the overall reliability of HTTP, which I blogged about in March 2013.

At the start of 2014, Monty blogged on his work up to that point, and looked ahead to future activities. As a part of the post, he included a graph showing how the work carried out up to that point improved texture and mesh request handling.

The HTTP project has improved "under the hood" performance in SL in a number of areas, starting with texture fetching, and through greater robustness of connections through the use of "keepalives"

In January 2014, Monty blogged about his HTTP work, and indicated how the work had raised the request rate ceiling within the viewer for texture and mesh data from A up to the blue line of C

In his latest post, Monty picks-up where his January post left off, demonstrating how more recent improvements are starting to improve things further – notably through the use of HTTP pipelining (the release candidate viewer for which has now been issued – see below), and the ongoing deployment of the Content Delivery Network service for texture and mesh data delivery.

In his latest blog post, Monty indicates how both HTTP pipelining (the “post 3.7.16″ markers, denoting the introduction of the pipelining viewer) and the use of the Highwinds CDN service (denoted by the DRTSIM-258 markers) should further help improve data transmissions and performance

All told, Monty’s work has been a remarkable undertaking which benefits Second Life enormously, and helps to set the path towards possible further improvements in the future. As such, he really is one of the heroes of Second Life and the Lab.

HTTP Pipelining RC Viewer

The HTTP Pipelining viewer was issued as a release candidate viewer shortly after Monty’s post went to press.

Version 3.7.18.295372 enables the viewer to issue multiple asset fetches on a connection without waiting for responses to earlier requests. This should help improve things like initial scene loading quite aside from any additional benefits gained through the CDN deployment work. In addition, the viewer includes improvements to inventory fetching, as Monty noted in his blog post:

The HTTP Project has focused on textures and meshes. But the inventory system, which maintains item ownership, is often described as… sluggish. So as an exercise in expanding the use of the new HTTP library, the pipelining viewer was modified to use it for inventory fetches. As with textures and meshes before, inventory is now fetching in the ‘C’ region of its specific performance graph. The difference can be surprising.

Having had the opportunity to test the pipelining viewer somewhat prior to its appearance as an RC, I can attest to this. While I keep my “active” inventory to a modest size (around 10,000 items unpacked, the rest boxed until needed), I found that an inventory download with a cleared inventory cache (nothing saved on my computer) averaged 9-10 seconds using the pipelining viewer, compared with an average of 2 minutes 50 seconds to 3 minutes with the current release viewer (3.7.17.294959). Whirly Fizzle, using a 105K inventory, had even more impressive results: with a cleared cache, her inventory loaded in under 3 minutes on the pipelining viewer, compared to 16-18 minutes on the release viewer.

The release notes for the viewer contain additional information about the updates, again written by Monty, and these make worthwhile reading alongside of his blog post.

The ghost of the Premium Membership offer returns …

The Lab has announced the latest round of the Premium Membership promotions – this one with a decidedly Halloween feel.

As usual, the offer is 50% off of membership for those upgrading, but only if they opt for the Quarterly billing plan, and the discount is applied only to the first quarter billing period. The offer begins on Wednesday the 15th of October at 08:00 am Pacific Daylight Time (PDT) and expires on Monday the 3rd of November 2014 at 08:00 am Pacific Standard Time (PST).

Alongside of the membership discount, comes the Premium gift offer, which this time has a Halloween theme, which includes “jack o’lanterns, witches’ brooms and more – including a bone-shaking skeleton avatar”. The gift pack can be obtained through the Premium Gift kiosks.

I admit I’ve not picked-up my gift, as it doesn’t really appeal. This being the case, I’ll also avoid my usual grumblings about the way Premium membership is pitched, and instead say that whether or not you feel upgrading to Premium is worthwhile is purely a matter of individual choice. However, I would say that if you’re considering on the basis of “exclusive gifts” or “more privacy”, then you’re probably better off sitting down and thinking again.

Part of the Halloween 2014 Premium Gift (image via Linden Lab)

Launched alongside the Premium Membership offer, and included in the same blog post as the Premium offer stuff, is news about the Haunted Halloween Tour, the latest offering from the Lab to feature Experience Keys. This can be accessed via the Lab’s Portal Park, and I’ve covered it in a companion article to this one.