This is an opinion post, but I highlight some concerns that users have had regarding integrating MRE’s into the AltSpace platform.
One of the common concerns is exploits vulnerabilities that get addressed promptly by the AltSpaceVR team, and in general, MRE’s are reasonably secure because they don’t run scripts on the client’s end. Scripts can be malicious if they are executed in a particular way, so AltSpace has not allowed Unity scripts on their platform, for instance.
One active security concern is the exposure of user’s IP addresses to the MRE server.
This is a valid security concern that I can share with the users who are concerned. However, I want to explain this in the right context before we go into the AltSpace specifics. When you connect to another server, even browsing AussieGuy92.com, your IP address is being recorded. Now I have the ability to track things such as which pages on my site are popular and what people look for.
Because of the traffic my website gets, it’s really difficult for me, for example, to send someone to my website for the sake of grabbing their IP address to attack them maliciously. It’s possible, but the problem is there are so many IP addresses from the same countries connecting to my site it’s not really a concern. And obviously, I don’t use that information – I just run the website.
However, if you were to get invited to a world that is running an MRE, that person hosting that MRE can see your IP address connect to the MRE and as you interact with the MRE, that IP connects to the host to send information to and from the MRE.
This is not usually a problem as developers care more about their reputation, and all in all, I haven’t heard of developers targeting user’s IP addresses. But there is the potential for it to happen, and AltSpace is becoming larger and larger as a community, and these things could potentially become a future problem.
As a general rule of surfing online, you should only allow applications you trust on your PC, and you are wary of unfamiliar sites. The problem is that when you connect to an MRE, you are connecting to an unknown server. By unknown, I define that you may not personally know the developer. If the developer had malicious intent, such as targeting a user, they could source their IP address and keep such logs. These IP addresses could be sniffed or even DDossed, which would prevent that user from connecting to the internet properly.
For the most part, users would mostly be okay unless they are port forwarding or have open ports through their firewalls on inbound that could be exploited, for instance, for remote access. Although these are extreme cases, the risk is somewhat there, and thankfully it isn’t being ignored.
It would be great if IP’s could be masked on the AltSpace end so that they weren’t delivered to the host node, but instead, the IP translates to another ID that could be used the same way (every user/device gets assigned an internal ID that proxy’s back to an IP on AltSpace’s end).
