Pages: 1 2 [3] 4 5 :: one page |
Reboot Mizuno
Deliverers of Pain
2
|
Posted - 2014.07.03 21:16:00 -
[61] - Quote
So I guess this should replace the most used purpose for the API: verifying that someone is the owner of a character.
Sadly the API is also used by corporations and alliances to force people to reveal account information like other characters, assets and transactions. I guess it would be hard to disallow use of the API like this, as long as there is no alternative for character verification. But now that this is available, I hope CCP will do something about the API mess, and bring it back to the purpose of retrieving information for tools that you run yourself and have control over. Other uses should be banned and no player should be allowed to force another player to reveal information that is not available in the client. That would make EVE a much more fun game to play again. |
Lando Cenvax
State War Academy Caldari State
4
|
Posted - 2014.07.03 21:21:00 -
[62] - Quote
SSO & API key work similarly, but are not the same. An API key gives someone access to your information, while SSO only provides a website an instant proof that you are the owner of that char. |
Terminator 2
Omega Boost
5
|
Posted - 2014.07.03 21:44:00 -
[63] - Quote
Steve Ronuken wrote:
Aalysia Valkeiper wrote:
Terminator 2 wrote:How about anonymity and privacy?
What happens when I have signed into EVE and then browse one of those sites?
Will I first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...
Also, what happens to my EVE session when I choose to log out from SSO to browse one of those sites while trying to preserve my dignity?
I would expect at least a clear privacy statement regarding everything involved with SSO before being forced to use any of it. Also, am I forced to use it?
It is because of all those "goodness" happening to us lately that I knowingly refuse and avoid having a Facebook account or anything similar that connects different data sources voiding your privacy.
I can answer that, judging from what I have seen regarding CCP's policies 'behind the scene'. The third parties won't get your IP address if you go to them after logging in with EvE online. Instead, they will get CCP's IP as your proxy.
Nope. No proxy. They'll get your IP address. Just like they would if you went to their site anyway. The process is:
- Go to the 3rd party site.
- Click the login link.
- This sends you to the login.eveonline.com site (for the live version; sisilogin.testeveonline.com for the dev), with an identifier saying which site you're coming from.
- You log onto that site.
- You pick a character.
- You get sent back to the original site, onto a particular URL that the site owner specified. A code is passed as part of the redirect.
- That code is checked by the original site (talking to login.eveonline.com) with a secret that's not shared. If everything matches, the character ID etc. is sent back.
So what is preventing any EVE-related site, even the ones in fact authorized by CCP, from faking the looks of such a login and stealing my account name and password? |
Steve Ronuken
Fuzzwork Enterprises Vote Steve Ronuken for CSM
3491
|
Posted - 2014.07.03 21:48:00 -
[64] - Quote
Uncertain Fate wrote:Forgive my ignorance, but how is this different (better?) than simply entering your API keys? The significance seems to be lost on me.
Using an API key can, if done properly, prove you have access to the API control panel, thus, the account.
This requires you to create an API key /just/ for that service, with something that service provides to you in the key. (Otherwise it could be someone that runs a service that you use, reusing a key.)
So it's a bit of a pain. And you still need to use a username and password for that site.
SSO allows you to skip that. And for the owner of the site to not have to deal with managing users. Woo! CSM 9! http://fuzzwork.enterprises/ Twitter: @fuzzysteve on Twitter |
Rain6637
Team Evil
15275
|
Posted - 2014.07.03 21:49:00 -
[65] - Quote
is this some sort of compromise regarding the one-site-one-API rule from not too long ago? President of the Commissar Kate Fanclub | Rainfleet on Twitch | Twitter | Rainfleet mk.III | Imgur |
Steve Ronuken
Fuzzwork Enterprises Vote Steve Ronuken for CSM
3491
|
Posted - 2014.07.03 21:50:00 -
[66] - Quote
Terminator 2 wrote: So what is preventing any EVE related site, even the ones in fact authorized by CCP to fake the looks of such a login and steal my account name and password?
You, paying attention to what the URL is. Woo! CSM 9! http://fuzzwork.enterprises/ Twitter: @fuzzysteve on Twitter |
Rain6637
Team Evil
15275
|
Posted - 2014.07.03 21:51:00 -
[67] - Quote
that part I see going bad, and the dev blog struck me as a visual how-to-phish guide President of the Commissar Kate Fanclub | Rainfleet on Twitch | Twitter | Rainfleet mk.III | Imgur |
Steve Ronuken
Fuzzwork Enterprises Vote Steve Ronuken for CSM
3491
|
Posted - 2014.07.03 21:53:00 -
[68] - Quote
Rain6637 wrote:is this some sort of compromise regarding the one-site-one-API rule from not too long ago?
It's a requirement for CREST. (The auth for CREST is just an extension of this. For long term things, the site would get a token allowing it to reauthenticate, without needing your credentials. Which can be revoked from the management site. None of that's in place right now, or needed.) And convenient. Woo! CSM 9! http://fuzzwork.enterprises/ Twitter: @fuzzysteve on Twitter |
Tvashnar Crendraven
The Scope Gallente Federation
0
|
Posted - 2014.07.03 21:54:00 -
[69] - Quote
The derp is strong in this one:
"How to do it the secure way"
You're counting on users to complete a complex multi-step process in order to maintain security. Because this isn't automated, it won't happen, ergo insecure. |
Steve Ronuken
Fuzzwork Enterprises Vote Steve Ronuken for CSM
3491
|
Posted - 2014.07.03 21:58:00 -
[70] - Quote
Tvashnar Crendraven wrote:The derp is strong in this one:
"How to do it the secure way"
You're counting on users to complete a complex multi-step process in order to maintain security. Because this isn't automated, it won't happen, ergo insecure.
'complex'.
Click a link. Check the URL. Give a username/password. Pick a character. Be logged in.
The only step that you have any chance of screwing up is the 'check the URL'.
And that's the same step anyone using facebook/twitter/et al to auth needs.
And if you've told the auth site to remember who you are, you don't even really need to do that. As you're not giving it any details.
(Yes, it's a bit more complex server side. But I implemented it in a decent fashion, including a bunch of API integration, in about an hour. And made that code available on GitHub. Feel free to check it for mistakes.) Woo! CSM 9! http://fuzzwork.enterprises/ Twitter: @fuzzysteve on Twitter |
|
Lothros Andastar
The Minutemen The Bastion
137
|
Posted - 2014.07.03 22:15:00 -
[71] - Quote
Steve Ronuken wrote:
Tvashnar Crendraven wrote:The derp is strong in this one:
"How to do it the secure way"
You're counting on users to complete a complex multi-step process in order to maintain security. Because this isn't automated, it won't happen, ergo insecure.
'complex'. Click a link. Check the URL. Give a username/password. Pick a character. Be logged in. The only step that you have any chance of screwing up is the 'check the URL'. And that's the same step anyone using facebook/twitter/et al to auth needs. And if you've told the auth site to remember who you are, you don't even really need to do that. As you're not giving it any details. (Yes, it's a bit more complex server side. But I implemented it in a decent fashion, including a bunch of API integration, in about an hour. And made that code available on GitHub. Feel free to check it for mistakes.)
You misunderestimate how stupid people as a whole are. Eve is no exception to this rule. It's a ticking timebomb waiting to explode, so don't cry when we say "I told you so" six months down the line. |
James Amril-Kesh
4S Corporation Goonswarm Federation
10579
|
Posted - 2014.07.03 22:21:00 -
[72] - Quote
While you're at it could you please fix the forum theme resetting itself to default every single time I log on? No, this isn't it at all. Make it more... psssshhhh. |
James Amril-Kesh
4S Corporation Goonswarm Federation
10579
|
Posted - 2014.07.03 22:38:00 -
[73] - Quote
Reboot Mizuno wrote:So I guess this should replace the most used purpose for the API: verifying that someone is the owner of a character.
Sadly the API is also used by corporations and alliances to force people to reveal account information like other characters, assets and transactions. I guess it would be hard to disallow use of the API like this, as long as there is no alternative for character verification. But now that this is available, I hope CCP will do something about the API mess, and bring it back to the purpose of retrieving information for tools that you run yourself and have control over. Other uses should be banned and no player should be allowed to force another player to reveal information that is not available in the client. That would make EVE a much more fun game to play again.
Nobody forces you to apply to corps that want an API key. Don't want to provide one? Don't apply. It's that simple. No, this isn't it at all. Make it more... psssshhhh. |
Antillie Sa'Kan
Forging Industries Silent Infinity
511
|
Posted - 2014.07.03 23:22:00 -
[74] - Quote
I seriously hope that people are not still using RC4 for HTTPS web sites. AES or go home. |
|
CCP Explorer
C C P C C P Alliance
2250
|
Posted - 2014.07.03 23:38:00 -
[75] - Quote
Vincent Athena wrote:
CCP Explorer wrote:
IceGuerilla wrote:We have this total rubbish, but we still can't change characters without relogging? What a load of poppycock.
You need to explain to me how these two things are linked. One is the login mechanism used by our web sites and services and the launcher, the other is a large repository of legacy code that assumes the character ID won't change while the session is active.
One is a way to log into a service. The other is a way to log into a service. You can see why, to us users, it seems to be the same thing.
One is a way to log into a service, the other is how the service the login tokens and caches session information. I can understand how this may appear to be the same, but I hope you understand when we say it isn't.
Vincent Athena wrote:Waving the "legacy code" flag just makes it look like you are looking for excuses to not do your job.
I wasn't waving any flags, just explaining the facts. I don't understand why you feel the need to be so antagonistic. Erlendur S. Thorsteinsson | Senior Development Director | EVE Online // CCP Games | @erlendur |
|
Tarsas Phage
Freight Club
319
|
Posted - 2014.07.04 00:05:00 -
[76] - Quote
Kale Freeman wrote:
How many people are going to check the domain and validate the certificate and all that?
Strictly speaking, you're supposed to do that for any public key-based encryption you interact with, such as SSL.
But in the case of web sites, most people just blindly trust that the browser will tell them something is wrong when in some cases it can't make that determination.
|
Blastcaps Madullier
Handsome Millionaire Playboys Mordus Angels
152
|
Posted - 2014.07.04 01:16:00 -
[77] - Quote
this is a SERIOUSLY bad idea from start to finish, it doesn't matter how good you make it, someone WILL hack it or find an exploit and by using this you are only going to see a flood of hacked accounts in the near future.
Congratulations on another ill thought out idea and I'm going to be LMFAO when it happens and you start getting a flood of compromised accounts, all because someone at CCP thought this was a GOOD idea.... maybe next time try thinking up good ideas while under the influence of drink or drugs.....
A better idea would have been to use the API system, not "hey here's all my account details you need to go take over my eve account...."
oh and before you say it won't happen, I'll remind you of a hat community group called lolsec who got into your own servers.... |
Aalysia Valkeiper
Imperial Shipment Amarr Empire
52
|
Posted - 2014.07.04 01:29:00 -
[78] - Quote
Lando Cenvax wrote:
Aalysia Valkeiper wrote:Maintaining and updating the older encryption takes less time (costs less) than developing a new encryption. New encryption by default must be radically different from the encryptions they replace, otherwise, their 'shelf-life' is severely curtailed. Digital Security is a very dynamic field. Malware developers are being paid big money for their product and security firms are as well. There is only one way to 'complete and perfect security'... don't get online and don't provide services to anyone.
The encryption libraries are available for free and/or are built into webservers. All you need to do is to have a current version and specify which ciphers you allow and which not. You don't need to be a crypto specialist at all, just need to know that RC4, MD5, DSA are not that good and that elliptic curves (ECDHE ciphers) provide forward secrecy. A simple approach to secure HTTPS is using a few ECDHE ciphers on top of the list and weak ciphers for older clients on the bottom. Anyway, to not cause any concerns, https://secure.eveonline.com is actually secure, so your credit card data is safe.
B2T: SSO is token/ticket-based as far as I understood. From a security point of view this is secure by design. Basic principle to my understanding: you want to log in at an external website, click on "Login" there and are redirected to login.eveonline.com in a separate window/tab/pop-up. Together with this login redirection the external site passes a ticket (like a session ID) to login.eveonline.com. When you have logged in at login.eveonline.com this ticket is validated and sent back to the external page, giving the external page your char name. Login at the external page with your character completed. => Entire login process takes place at login.eveonline.com.
Agreed. EvE online sites are more secure than most (if not all) other gaming sites. They truly seem to know what they're doing.
Just remember there are others out there being paid big money to create malware.
Thankfully, gaming companies are pretty low on the list of targets for the professional malware developer. Companies like CCP are more likely to be targeted by 'script-kitties'. These are people who can not / do not develop the programs they use and can only wait for the true developers to make something available.
This gives the eventual targets (like CCP) a chance to prepare for the newer iterations, of which CCP's security staff has proven they are very good. |
Slicr
2
|
Posted - 2014.07.04 01:34:00 -
[79] - Quote
Tau Cabalander wrote:I really hope SSO doesn't use OAuth 2.0
Having the lead OAuth developers leave and demand their names taken off of it, plus the inherent security flaws, doesn't bode well.
Is CCP dodging this legitimate question?
Please make this an opt-in requirement as I pay to play this game and thus protect my login information for this game and not other 3rd party sites.
Please link the passage that says CCP has the right to allow access to my login information from other 3rd parties? The fact that a 3rd party can attempt to get my acct access is not right. When a hack happens (it is not if but when) your customers will not know which 3rd parties have been affected and then it becomes our problem.
It is crazy stuff like this that one has to protect themselves from cuz a company could care less as long as it can make money. |
Rain6637
Team Evil
15275
|
Posted - 2014.07.04 01:36:00 -
[80] - Quote
what will be the customer support policy in the case of accounts compromised to phishing? will accounts be returned or will players be told it is their responsibility to verify the address and authentication of websites? as in, how much compassion will customer support have for players who fell victim in those cases. President of the Commissar Kate Fanclub | Rainfleet on Twitch | Twitter | Rainfleet mk.III | Imgur |
|
Ten Bulls
Sons of Olsagard
276
|
Posted - 2014.07.04 01:45:00 -
[81] - Quote
"Sadly, EVE is full of fraudsters lingering around and waiting for a chance to make profit or gain some benefits and they are happy to do this any way you could potentially think of. They try to trick you into [insert latest scam here] with the help of social and technical measures including phishing and spoofing of authorities as well as web portals." |
Max Kolonko
High Voltage Industries Ash Alliance
430
|
Posted - 2014.07.04 06:03:00 -
[82] - Quote
Slicr wrote:
Tau Cabalander wrote:I really hope SSO doesn't use OAuth 2.0
Having the lead OAuth developers leave and demand their names taken off of it, plus the inherent security flaws, doesn't bode well.
Is CCP dodging this legitimate question? Please make this an opt-in requirement as I pay to play this game and thus protect my login information for this game and not other 3rd party sites. Please link the passage that says CCP has the right to allow access to my login information from other 3rd parties? The fact that a 3rd party can attempt to get my acct access is not right. When a hack happens (it is not if but when) your customers will not know which 3rd parties have been affected and then it becomes our problem. It is crazy stuff like this that one has to protect themselves from cuz a company could care less as long as it can make money. Also, it is the main reason I pay month to month since there have been times and games in the past that one would have wished they only paid monthly.
LOL, don't want it? Don't use it. It's that simple.
Ofc you may soon realize that you can't use dotlan without logging in (just an example) Read and support: Don't mess with OUR WH's What is Your stance on WH stuff? |
Max Kolonko
High Voltage Industries Ash Alliance
430
|
Posted - 2014.07.04 06:05:00 -
[83] - Quote
Rain6637 wrote:what will be the customer support policy in the case of accounts compromised to phishing? will accounts be returned or will players be told it is their responsibility to verify the address and authentication of websites? as in, how much compassion will customer support have for players who fell victim in those cases.
That's a valid point and I think that CCP already have policies for that (people fall for phishing for eve account credentials all the time and CCP have to deal with it quite regularly, I presume) Read and support: Don't mess with OUR WH's What is Your stance on WH stuff? |
Irumani
GoonWaffe Goonswarm Federation
136
|
Posted - 2014.07.04 06:24:00 -
[84] - Quote
That is a very cool addition, that'll help reduce the amount of accounts I have to create on the myriad of EVE-related websites. Please don't mind the idiots unable to understand what all of this means.
It looks like no one mentioned it before, but are you looking into a possible integration of two-factor auth for EVE and/or website logins? More and more services and games make use of it.
Also, if you do add 2FA, please ensure corp leaders can see who's got it activated and who hasn't (Github does that for Teams) to help reduce the potential damage caused by an account hack. You're not supposed to feel like you're logging in to a happy, happy, fluffy, fluffy lala land filled with fun and adventures, that's what hello kitty online is for.
- CCP Wrangler |
Schmata Bastanold
Black Rebel Rifter Club The Devil's Tattoo
2096
|
Posted - 2014.07.04 06:41:00 -
[85] - Quote
CCP Explorer wrote:
Vincent Athena wrote:Waving the "legacy code" flag just makes it look like you are looking for excuses to not do your job.
I wasn't waving any flags, just explaining the facts. I don't understand why you feel the need to be so antagonistic.
Because anything even remotely useful and desired by players is always behind that barb-wire fence with "Legacy code" sign all over it. Maybe that's why. I am not my skills but... http://eveboard.com/pilot/Schmata_Bastanold |
Dinsdale Pirannha
Pirannha Corp
3206
|
Posted - 2014.07.04 07:17:00 -
[86] - Quote
Steve Ronuken wrote:
Terminator 2 wrote:How about anonymity and privacy?
What happens when I have signed into EVE and then browse one of those sites?
Will I first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...
Also, what happens to my EVE session when I choose to log out from SSO to browse one of those sites while trying to preserve my dignity?
I would expect at least a clear privacy statement regarding everything involved with SSO before being forced to use any of it. Also, am I forced to use it?
It is because of all those "goodness" happening to us lately that I knowingly refuse and avoid having a Facebook account or anything similar that connects different data sources voiding your privacy.
You have to explicitly authenticate against those sites, picking the character that you want them to see. Nothing automatic. (And it has been stated, you're already using it. It's how you sign into any CCP site. Third party sites have an additional step, not seeing the account level, just a character you select as part of the auth process.)
Most people viewed Orwell's writings as a warning. The harper regime and the goons treat them as a guidebook. |
Dinsdale Pirannha
Pirannha Corp
3206
|
Posted - 2014.07.04 07:19:00 -
[87] - Quote
Steve Ronuken wrote:
Terminator 2 wrote:How about anonymity and privacy?
What happens when I have signed into EVE and then browse one of those sites?
Will I first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...
Also, what happens to my EVE session when I choose to log out from SSO to browse one of those sites while trying to preserve my dignity?
I would expect at least a clear privacy statement regarding everything involved with SSO before being forced to use any of it. Also, am I forced to use it?
It is because of all those "goodness" happening to us lately that I knowingly refuse and avoid having a Facebook account or anything similar that connects different data sources voiding your privacy.
You have to explicitly authenticate against those sites, picking the character that you want them to see. Nothing automatic. (And it has been stated, you're already using it. It's how you sign into any CCP site. Third party sites have an additional step, not seeing the account level, just a character you select as part of the auth process.)
And how long before TMC catches the unwary and trusting, gaining their IP, user name, and possibly password, and wrecking the game for so many.
And please don't tell me they will use the honour system. Most people viewed Orwell's writings as a warning. The harper regime and the goons treat them as a guidebook. |
Dinsdale Pirannha
Pirannha Corp
3206
|
Posted - 2014.07.04 07:23:00 -
[88] - Quote
Blastcaps Madullier wrote:this is a SERIOUSLY bad idea from start to finish, it doesn't matter how good you make it, someone WILL hack it or find an exploit and by using this you are only going to see a flood of hacked accounts in the near future.
Congratulations on another ill thought out idea and I'm going to be LMFAO when it happens and you start getting a flood of compromised accounts, all because someone at CCP thought this was a GOOD idea.... maybe next time try thinking up good ideas while under the influence of drink or drugs.....
A better idea would have been to use the API system, not "hey here's all my account details you need to go take over my eve account...."
oh and before you say it won't happen, I'll remind you of a hat community group called lolsec who got into your own servers....
This was likely proposed to CCP by the very people that will exploit the hell out of it, but hey, we already know that in CCP's eyes this group can do no wrong. Most people viewed Orwell's writings as a warning. The harper regime and the goons treat them as a guidebook. |
Ereshgikal
Pigs and Sows Tactical Narcotics Team
31
|
Posted - 2014.07.04 08:47:00 -
[89] - Quote
Aalysia Valkeiper wrote: I'm studying Network Security and Digital Forensics under scholarship. With one program, I'm learning how to keep computers safe from intrusion. With the other program, I'm learning how to break into them.
Aalysia Valkeiper wrote:
Steve Ronuken wrote:
Aalysia Valkeiper wrote:
Terminator 2 wrote:How about anonymity and privacy?
What happens when I have signed into EVE and then browse one of those sites?
Will I first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...
Also, what happens to my EVE session when I choose to log out from SSO to browse one of those sites while trying to preserve my dignity?
I would expect at least a clear privacy statement regarding everything involved with SSO before being forced to use any of it. Also, am I forced to use it?
It is because of all those "goodness" happening to us lately that I knowingly refuse and avoid having a Facebook account or anything similar that connects different data sources voiding your privacy.
I can answer that, judging from what I have seen regarding CCP's policies 'behind the scene'. The third parties won't get your IP address if you go to them after logging in with EvE online. Instead, they will get CCP's IP as your proxy.
Nope. No proxy. They'll get your IP address. Just like they would if you went to their site anyway. The process is:
- Go to the 3rd party site.
- Click the login link.
- This sends you to the login.eveonline.com site (for the live version; sisilogin.testeveonline.com for the dev), with an identifier saying which site you're coming from.
- You log onto that site.
- You pick a character.
- You get sent back to the original site, onto a particular URL that the site owner specified. A code is passed as part of the redirect.
- That code is checked by the original site (talking to login.eveonline.com) with a secret that's not shared. If everything matches, the character ID etc. is sent back.
hmmm... I misunderstood what I was looking at. That was a very basic mistake, too. I guess I still have quite a bit more to look thru.
Good luck with your studies. You seem to need it.
There are so many hobby tinfoil hat wearers out there with an opinion on how stuff works, lacking the knowledge of how it really works, that there are few comments in this thread even worth listening to other than as signs of people being paranoid about changes (which is no surprise, this is EVE). |
Tarsas Phage
Freight Club
319
|
Posted - 2014.07.04 08:49:00 -
[90] - Quote
Uncertain Fate wrote:Forgive my ignorance, but how is this different (better?) than simply entering your API keys? The significance seems to be lost on me.
In security parlance, there is an important distinction between Authentication (ergo "I can prove who I am") versus Authori(sz)ation (ergo "This is what this person can do").
API keys are just a blanket form of Authorization. Just because you have someone's API keys, you are not proving that you're actually the person that made them, or who they belong to. They can be stolen API keys, copied from somewhere else and being used unbeknownst to the actual owner.
SSO provides the ability for someone to prove who they are: "I am this person and I know their password to prove it", and if CCP ever does 2-factor auth that would be "I am this person, this is what I know (password) and this is what I have (token generator) to prove it".
The nice thing about SSO systems is that a participating site can utilize it, but doesn't have to handle any sensitive info such as account names and passwords. Basically, it's CCP saying "It's cool, he is who he says he is" to a participating site. CCP can change how auth is done without the participating sites having to alter their code because in the end that short little conversation stays the same (cookie in your browser that says so). |
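The redirect flow Steve Ronuken lays out earlier in the thread (quoted in Terminator 2's post and again in Ereshgikal's), together with Tarsas Phage's point above that the participating site only ever learns who you are and never handles your password, as a runnable simulation. This is an added example and not CCP's code or the real EVE SSO API: it follows the generic OAuth 2.0 authorization-code pattern, so the `/oauth/authorize` path, the parameter names, the hypothetical site `tools.example`, its client id and secret, and the character ID are all assumptions. It also shows the check Steve tells users to do by eye (the host must be exactly `login.eveonline.com`, not a lookalike) and the three server-side checks that make the "secret that's not shared" meaningful: the secret is verified on the back channel, a code can be redeemed once, and the redirect is tied to the browser session by `state`.

```python
"""Simulated OAuth 2.0 authorization-code SSO flow (added example, not CCP's code)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_HOST = "login.eveonline.com"  # the host users are told to check by eye


def is_genuine_login_url(url: str) -> bool:
    """The 'check the URL' step: https, and the host is exactly LOGIN_HOST.
    A lookalike such as login.eveonline.com.evil.example fails this test."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname == LOGIN_HOST


@dataclass
class AuthServer:
    """Stand-in for the login server. clients: client_id -> (secret, registered redirect_uri)."""
    clients: dict
    codes: dict = field(default_factory=dict)   # code -> issuance record
    code_ttl: float = 300.0                      # codes are short-lived

    def authorize(self, client_id, redirect_uri, state, character_id):
        """Front channel. In reality the user logs in and picks the character
        here; the simulation passes the chosen character_id in directly."""
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        if redirect_uri != self.clients[client_id][1]:
            raise PermissionError("redirect_uri is not the one registered for this client")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "character_id": character_id,
                            "expires": time.time() + self.code_ttl}
        # The browser is sent back to the site carrying the code and the site's own state.
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel. The client secret never passes through the browser."""
        expected_secret = self.clients.get(client_id, (None, None))[0]
        if expected_secret is None or not hmac.compare_digest(expected_secret, client_secret):
            raise PermissionError("bad client credentials")
        record = self.codes.pop(code, None)      # pop: a code can be redeemed once
        if record is None or record["expires"] < time.time():
            raise PermissionError("unknown, already used, or expired code")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect")
        return {"character_id": record["character_id"]}


@dataclass
class ThirdPartySite:
    """The site that wants to know which character you are, without seeing a password."""
    client_id: str
    client_secret: str
    redirect_uri: str
    auth: AuthServer
    pending: dict = field(default_factory=dict)  # browser session -> expected state

    def login_link(self, session_id):
        state = secrets.token_urlsafe(16)        # binds the redirect to this browser session
        self.pending[session_id] = state
        q = urlencode({"response_type": "code", "client_id": self.client_id,
                       "redirect_uri": self.redirect_uri, "state": state})
        return f"https://{LOGIN_HOST}/oauth/authorize?{q}"

    def callback(self, session_id, url):
        params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        expected = self.pending.pop(session_id, None)
        if expected is None or not hmac.compare_digest(expected, params.get("state", "")):
            raise PermissionError("state mismatch: CSRF or replayed redirect")
        return self.auth.token(self.client_id, self.client_secret,
                               params.get("code", ""), self.redirect_uri)


def run_flow(character_id=90000001):
    """Happy path plus the misuses the flow is designed to stop (all values constructed)."""
    cb = "https://tools.example/sso/callback"    # hypothetical third-party site
    server = AuthServer(clients={"tools-example": ("s3cret-not-shared", cb)})
    site = ThirdPartySite("tools-example", "s3cret-not-shared", cb, server)
    results = {}

    def rejected(fn):
        try:
            fn()
        except PermissionError:
            return True
        return False

    link = site.login_link("browser-A")
    results["link_genuine"] = is_genuine_login_url(link)
    state = parse_qs(urlparse(link).query)["state"][0]
    redirect = server.authorize("tools-example", cb, state, character_id)
    code = parse_qs(urlparse(redirect).query)["code"][0]
    # Holding the code without the secret is not enough to redeem it.
    results["wrong_secret_rejected"] = rejected(
        lambda: server.token("tools-example", "guess", code, cb))
    # Legitimate exchange: the site learns the character, never the password.
    results["character_id"] = site.callback("browser-A", redirect)["character_id"]
    # The same code cannot be redeemed a second time.
    results["code_reuse_rejected"] = rejected(
        lambda: server.token("tools-example", "s3cret-not-shared", code, cb))
    # A redirect minted for browser A does not log browser B in (state check).
    site.login_link("browser-B")
    results["csrf_rejected"] = rejected(lambda: site.callback("browser-B", redirect))
    return results


if __name__ == "__main__":
    print(run_flow())
```

Run it directly to print the result dict: `run_flow` returns the character ID for the honest exchange and `True` for each rejected misuse. The `state` check is the one a real implementation must not skip: without it, an attacker who completes the login with their own character can hand the resulting redirect URL to a victim and log the victim's browser into the attacker's account on the third-party site.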