|
Author |
Thread Statistics | Show CCP posts - 8 post(s) |
|
CCP Navigator
C C P C C P Alliance
97
|
Posted - 2011.09.20 17:40:00 -
[1] - Quote
I have spoken with the developers who manage and maintain the EVE API. They have assured me that evewho is not conducting any illegal or underhand method of obtaining API information. All information gathered has been posted publicly in one form or another. We maintain a very close eye on what is happening with the API and will continue to do so. CCP Navigator - Lead Community Representative |
|
|
CCP Navigator
C C P C C P Alliance
97
|
Posted - 2011.09.20 17:48:00 -
[2] - Quote
Miilla wrote:CCP Navigator wrote:I have spoken with the developers who manage and maintain the EVE API. They have assured me that evewho is not conducting any illegal or underhand method of obtaining API information. All information gathered has been posted publicly in one form or another. We maintain a very close eye on what is happening with the API and will continue to do so. So it is ok to scan the API? CONFIRMED, get those API scanners going people
I suggest you refrain from confirming anything. the details of what is allowed with the EVE API is decided by the developers who work on that code.
CCP Navigator - Lead Community Representative |
|
|
CCP Stillman
C C P C C P Alliance
59
|
Posted - 2011.09.20 17:55:00 -
[3] - Quote
Miilla wrote:CCP Navigator wrote:I have spoken with the developers who manage and maintain the EVE API. They have assured me that evewho is not conducting any illegal or underhand method of obtaining API information. All information gathered has been posted publicly in one form or another. We maintain a very close eye on what is happening with the API and will continue to do so. So it is ok to scan the API? CONFIRMED, get those API scanners going people I just want to clarify:
We have very clear policies about what's allowed and not. As you will know, we will throttle invalid calls, as we do not allow throwing 10 million random IDs at the API and hoping they return data.
Scraping through characterIDs hoping to hit a valid one is NOT allowed. Doing so will get your IP blocked from the API. But if you do valid calls because you know it's a valid ID is fine. But generating excess errors will get your IP blocked.
Associate QA Tester for Team EVESec. |
|
|
CCP Stillman
C C P C C P Alliance
59
|
Posted - 2011.09.20 18:00:00 -
[4] - Quote
Miilla wrote:
So it is allowed if we generate a low ratio of errors to success API calls.
Just to clarify.
That is easy to do. Just keep repeating SUCCESSFUL calls if you see 2 or 3 errors.
Nice try. But no. Just doing simple valid calls won't make us forget that you just did 3 bad calls Associate QA Tester for Team EVESec. |
|
|
CCP Stillman
C C P C C P Alliance
59
|
Posted - 2011.09.20 18:05:00 -
[5] - Quote
Othran wrote:CCP Stillman wrote:Miilla wrote:
So it is allowed if we generate a low ratio of errors to success API calls.
Just to clarify.
That is easy to do. Just keep repeating SUCCESSFUL calls if you see 2 or 3 errors.
Nice try. But no. Just doing simple valid calls won't make us forget that you just did 3 bad calls Do you consider it good design that the API confirms or refutes the existence of a character ID without a key? The fact it doesn't require a key is an issue in the original design we wanted to changed for the Incarna release, but wasn't done soon enough.
We're of course concerned with backwards compatibility, and doing such changes late in the development cycle would not be good.
But then again, a key is very easy to get hold of. Associate QA Tester for Team EVESec. |
|
|
CCP Stillman
C C P C C P Alliance
59
|
Posted - 2011.09.20 18:07:00 -
[6] - Quote
Miilla wrote:CCP Stillman wrote:Miilla wrote:
So it is allowed if we generate a low ratio of errors to success API calls.
Just to clarify.
That is easy to do. Just keep repeating SUCCESSFUL calls if you see 2 or 3 errors.
Nice try. But no. Just doing simple valid calls won't make us forget that you just did 3 bad calls So spread them over multiple proxies, API calls are lightweight on a proxy/VPN. What you're pointing to is an inherent issue with the internet: Anonymity.
The developer license, as discussed at fanfest, was one aspect of ensuring that any traffic can always be tracked back to a developer. But of course, there were some fundamental issues with that system, as I'm sure we all remember. But we of course want to keep people responsible if they're abusing the API service. And we do so, on a regular basis. If people abuse the characterInfo/CharacterName calls, then they WILL feel the consequences Associate QA Tester for Team EVESec. |
|
|
CCP Stillman
C C P C C P Alliance
59
|
Posted - 2011.09.20 18:08:00 -
[7] - Quote
Miilla wrote:Are you going to require that applications be "authorised" by some kind of unique APP certificate so you can tell which apps are putting what loading on the servers etc?
I can't speak in certain terms, as the plans aren't done at this point. But does it make sense to me? Yes. Associate QA Tester for Team EVESec. |
|
|
CCP Stillman
C C P C C P Alliance
59
|
Posted - 2011.09.20 18:19:00 -
[8] - Quote
Othran wrote:CCP Stillman wrote:Othran wrote:CCP Stillman wrote:Miilla wrote:
So it is allowed if we generate a low ratio of errors to success API calls.
Just to clarify.
That is easy to do. Just keep repeating SUCCESSFUL calls if you see 2 or 3 errors.
Nice try. But no. Just doing simple valid calls won't make us forget that you just did 3 bad calls Do you consider it good design that the API confirms or refutes the existence of a character ID without a key? The fact it doesn't require a key is an issue in the original design we wanted to changed for the Incarna release, but wasn't done soon enough. We're of course concerned with backwards compatibility, and doing such changes late in the development cycle would not be good. But then again, a key is very easy to get hold of. Would you like to stop with weasel words? Its appallingly bad design practice is it not? The fact you seem to consider it acceptable makes me wonder what else in your infrastructure you consider acceptable. So when will it be fixed? I'm not saying it's acceptable. I'm saying that it's how the API was originally designed and that changing that shouldn't be done over night, as we don't want to break applications from functioning. We want to give people a heads up and make sure they can adjust their applications in time before a such change hits. Doing so in the Incarna patch would be too many changes at once.
I can't confirm exactly when we'd deploy a such change. But I'll have a talk with Elerhino and see what we can do. Associate QA Tester for Team EVESec. |
|
|
|
|