Security

Security

We have implemented HTTPS over TLS/SSL using RSA encryption according to the industry standard. This is so that pages that send your password and email address are encrypted when you send them over the internet. It is not necessary for other pages. Any standard connections made to the grid itself, however, as with any OpenSim grid, are at your own risk and based on your own confidence in the server software. Put simply, we do our best.

Certificates

We use Let's Encrypt, which is a free but fully functional certificate authority, so you should no longer normally see certificate errors as you may have when we prevously used CAcert.org, the free community certificate authority.

Why trust our secure connection?

What HTTPS does ensure is that only you and the recipient will see what you transmit on the internet. It does not in itself guarantee their identity. Consider that ordinary HTTP would transmit your password, email etc in plain text for all the world to see.

If you do get a certificate error for any reason

Major browsers sometimes give errors when you first connect to sites over HTTPS. Generally, apart from Let's Encrypt, they only recognise commercial certificate authorities: these control the market and sell certificates for large sums when in reality they are extremely easy to produce. It is not necessarily any safer because these certificates have sometimes (albeit rarely) been compromised by hackers and could easily be compromised by governments through control over the root certificates being used by certificate authorities in their jurisdictions. We advise you that secure connections are always better than insecure ones when transmitting passwords or personal information, even if they are invalid or out of date: at least you only have to worry about who is receiving the data and whether they are who you think they are (i.e. the man-in-the-middle attack) rather than anybody on the entire Internet who could be (and probably is) snooping too. In such cases, we advise that you should allow and permanently store the exception if you wish to use the secure parts of web sites, and it is our opinion that free community certificate authorities are in no way inferior to their commercial counterparts. As supporters of the open source movement, we prefer to use CAcert.org and support the community. Ultimately it is your decision, not your browser's, about who to trust. Don't be scared by their warnings and learn how to interpret them.