3.7. Security

Security in Verse is a complicated topic. Security concepts fit at two different levels of the system: at the network level, to protect the data that gets sent, and at a higher level, in the form of access restrictions and similar.

For a long time, all the way back to the initial version of Verse developed at the Interactive Institute in 1999, Verse had no network security at all. The network traffic was not encrypted or protected in any way; all data was sent in clear text.

In the more recent second version, which has been further developed during the Uni-Verse project, network security has been added as one of the basic requirements for the platform.

3.7.1. Network Security

Verse's network security aims to make the data passing on the wire harder for an attacker to read. This is done by encrypting the packets sent by Verse, using two distinct types of encryption: one during connection establishment, and a different one once connected.

During connection establishment, the focus is on security. Data sent at this stage (which includes potentially sensitive information such as the username and password of the client trying to connect) is therefore protected using relatively "heavy" encryption: RSA, though currently with a key length of just 512 bits. The performance penalty caused by the complicated encryption/decryption algorithms is offset by the fact that a client only connects once, and that the total number of packets exchanged using this encryption is fairly low.

Once connected, performance becomes more critical. Therefore, Verse switches to a simple and fast XOR-based encryption algorithm for data sent after the connection is established. The key used for the XOR encryption is created by the server during connection establishment, and is thus protected by RSA when sent to the client. The key is indexed by the packet number, and the result (modulo the key size) is then used as a new starting position in the key, for the packet's contents. This should make it more difficult for an attacker to figure out the key.
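
An added illustration of the XOR step described above, not code from Verse itself. It assumes one reading of the text (the key byte found at packet number modulo key size, itself reduced modulo key size, is the starting offset); the 16-byte key, `KEY_SIZE` and all function names are constructed for the example. It also checks a property to weigh against the paragraph's last sentence: XORing a ciphertext with its known plaintext returns the key bytes that were used.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_SIZE 16 /* constructed for this example, not Verse's real key size */

/* Constructed sample key; in the scheme described the server generates it. */
static const uint8_t sample_key[KEY_SIZE] = {
    0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x48, 0xb6, 0x1d,
    0x7f, 0xc3, 0x24, 0x99, 0x0e, 0xd5, 0x6b, 0xa0
};

/* Index the key by packet number; that byte, modulo key size, is the start. */
static size_t start_pos(const uint8_t *key, uint32_t packet_id)
{
    return key[packet_id % KEY_SIZE] % KEY_SIZE;
}

/* XOR is its own inverse, so one routine encrypts and decrypts in place. */
static void xor_packet(uint8_t *data, size_t len, const uint8_t *key, uint32_t packet_id)
{
    size_t pos = start_pos(key, packet_id);
    for (size_t i = 0; i < len; i++)
        data[i] ^= key[(pos + i) % KEY_SIZE];
}

/* Returns 1 when ciphertext XOR known plaintext equals the key bytes used,
 * i.e. a payload with predictable content gives away that part of the key. */
static int keystream_exposed(const uint8_t *plain, size_t len, uint32_t packet_id)
{
    uint8_t buf[64];
    size_t pos = start_pos(sample_key, packet_id);
    if (len > sizeof buf)
        return 0;
    memcpy(buf, plain, len);
    xor_packet(buf, len, sample_key, packet_id);
    for (size_t i = 0; i < len; i++)
        if ((uint8_t)(buf[i] ^ plain[i]) != sample_key[(pos + i) % KEY_SIZE])
            return 0;
    return 1;
}

int main(void)
{
    const uint8_t msg[] = "constructed payload"; /* constructed sample */
    printf("start=%zu exposed=%d\n", start_pos(sample_key, 7),
           keystream_exposed(msg, sizeof msg - 1, 7));
    return 0;
}
```

Because the starting offset only moves within a fixed key, the scheme obscures traffic rather than keeping it confidential against an observer who can predict packet contents.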

3.7.2. Access Restrictions

In addition to the low-level network security, which prevents an attacker from seeing the data stream and possibly interfering with it (or just eavesdropping on it to learn potentially sensitive information), Verse needs a higher-level security mechanism. It should be the responsibility of this mechanism to allow the administrator of a Verse server to implement restrictions on what users can do on the server. For instance, it might be valuable to set up a limit, so that no user can create a geometry node with more than N vertices or polygons, to conserve memory. Or, you might want to limit the total number of nodes a single client is allowed to create, again to limit memory use.

Access restrictions are currently not implemented in Verse. There has been some rough sketching, but no full specification or code exists. It is anticipated that defining a usable model for controlling access to Verse nodes is quite a complex and difficult problem. Suggestions welcome.