New (by 2024.12.11) age verification system is worse?
kawashirov
So now, not only the birthday but also other (not named) extra data will be sent to VRChat. I assume it is the real full name and/or the serial number of the paper and/or the issuer of the paper. Huh?
Now instead of trusting one subject (Persona), we have to trust two subjects (VRChat and Persona) and the communication channels between them. You might write more paragraphs on the Ask FAQ about how secure hashes are, but with this new system **the surface of attack is much much larger**.
Now it might be almost impossible to steal or leak stored data, but theoretically easier to steal or leak the data during the process.
Sorry guys, but security in VRChat is not something you can brag about. In other aspects of VRChat you guys have shown how bad at security you are: assuming all clients are trusted (which is the reason why malicious clients exist), trusting other clients' data without sanitizing what is sent (e.g. crashes through vrcobjectsync, I mentioned this in the prev dev update), etc etc
It must be an enormous amount of trust to assume you will treat the data sent by Persona well.
I was OK to verify myself on the previous system (if it's available in my place lol), but now I doubt.
buzer ~
Finally, someone said it. I was watching the video and couldn't understand how anyone could see this as an improvement.
The previous plan was for VRChat to get only your birth date from Persona. But now it's "your birth date and the minimum amount of personal data possible to calculate a sufficiently unique hash".
So they're not even telling us exactly what they're receiving anymore! (Aside from mentioning that "Images of IDs, selfies, and facial scans are not transmitted to VRChat")
Another issue is that instead of relying on Persona's established hashes and storage, VRChat is rolling out their brand-new, in-house personal data processing algorithm. Even if you trust VRChat's intentions, you still have to trust them to implement this securely.
kawashirov
gonna dupe that here too
nil
The new system keeps a hash of identifying information, and the explanation makes it sound like this is secure because it's a hash, but it's not really.
The purpose of storing the hash is to identify when the same identifying information is being used to verify multiple VRChat accounts. If VRChat suffers a data breach and the VRChat account names and hashes are leaked, the attacker only has the account names and hashes, and not the identifying information to go with those account names. Unless...
If the identifying information is already out there, for example the leak of nearly every American's social security number in August of this year, somebody with the VRChat data breach data would only need to apply the same hash function VRChat uses to detect duplicate ID data to the identifying information they have, and then the VRChat data would tell the attacker the VRChat account information of that person.
The ease of doing this depends on how much data VRChat is putting into the hash and how unlikely it is for an attacker to have this data, but obviously the more data you're giving VRChat and Persona the more likely something is going to happen as part of the verification data that either compromises the user's identity or VRChat's protection against duplicate accounts.
Thanks for listening and trying to improve it. Keeping hashes may be better but it's not that private either.
nil
If VRChat kept a record of how many times it had seen hashes, but not which accounts the hashes belonged to, that might be safe, but then if you ever deleted your account and tried to make a new one you'd be detected as a reuse and potentially prevented from reverifying.
kawashirov
nil Ah yes, you are right, I forgot about that part.
If both hashes and hash-function would leak, then already leaked data from other sources can be used to figure out links between users and their personas.
If it is only the full name in the hash, then 3rd party leaked data (like paper numbers) is not even necessary. It can be brute forced very quickly across popular names, a lot of cultures on the Earth have very common names and surnames. So, it's like your name is your password and simple name means simple "password" lol.
And computation complexity of the hash-function doesn't rly matter in this case.
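
The linkage risk raised by nil and kawashirov, next to the usual mitigation, as an added example that is not part of the thread and is not VRChat's or Persona's code. The record format (`name|birthdate`), the account names and the key handling are assumptions, since the page does not say what goes into the hash.

```python
import hashlib
import hmac
import secrets

# Constructed sample: identity records assumed to be public from an unrelated leak.
LEAKED_ELSEWHERE = [
    "john smith|1990-01-01",
    "maria garcia|1985-06-15",
    "wei zhang|1992-11-30",
]

def unkeyed_fingerprint(identity: str) -> str:
    """Plain hash: anyone who knows the function can recompute it."""
    return hashlib.sha256(identity.encode("utf-8")).hexdigest()

def keyed_fingerprint(identity: str, key: bytes) -> str:
    """HMAC-SHA256 under a server-side secret that is not stored with the hashes."""
    return hmac.new(key, identity.encode("utf-8"), hashlib.sha256).hexdigest()

def link_accounts(breached: dict, candidates: list, fingerprint) -> dict:
    """Return {account: identity} for each candidate whose fingerprint is in the dump."""
    by_hash = {h: account for account, h in breached.items()}
    links = {}
    for candidate in candidates:
        digest = fingerprint(candidate)
        if digest in by_hash:
            links[by_hash[digest]] = candidate
    return links

def demo():
    key = secrets.token_bytes(32)  # hypothetical secret, held in a KMS/HSM, not in the DB
    users = {"account_a": "john smith|1990-01-01", "account_b": "wei zhang|1992-11-30"}
    plain_db = {a: unkeyed_fingerprint(i) for a, i in users.items()}
    keyed_db = {a: keyed_fingerprint(i, key) for a, i in users.items()}

    # Database-only breach: the unkeyed table ties accounts to identities.
    plain_links = link_accounts(plain_db, LEAKED_ELSEWHERE, unkeyed_fingerprint)
    # The keyed table does not, because the key was not part of the dump.
    keyed_links = link_accounts(keyed_db, LEAKED_ELSEWHERE, unkeyed_fingerprint)
    # Duplicate detection still works on the server, which holds the key.
    duplicate_seen = keyed_fingerprint(users["account_a"], key) in keyed_db.values()
    return plain_links, keyed_links, duplicate_seen

if __name__ == "__main__":
    print(demo())
```

If the key leaks together with the table, the keyed fingerprints are exactly as linkable as the plain ones, so the protection depends on the key living outside the database.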