[API] Several Security Measures that are easy to implement

BigSako
Aliastra
Gallente Federation
#1 - 2013-08-02 12:32:39 UTC
I would like to propose the following features for the EvE Online Character (and potentially also Corp API).

  1. Possibility to limit APIs to a certain IP address:
    APIs can be stolen by/leaked from services and/or tools (not calling anyone out here). Therefore limiting the API access to a certain IP address (e.g. eve-kill) would help a lot to secure the API.
    This doesn't need to be an extensive feature, just needs to be ONE IP address or leave empty (= ANY IP address) otherwise.

  2. Show more details in the API Access Log:
    While the API Access Log is nice to have, it doesn't really help much at the moment. One can only see the IP address, a timestamp and the information accessed, but not which API key was used.
    For security purposes it would be nice to see what API key (only the ID, not the vcode) was used to access said information, therefore providing information whether or not the API key is used by somebody else.

  3. Possibility to EXPORT the API Log:
    Most players won't know what this API Log is about. Site-Admins and a few others will, so it would be nice if one could just export the API Log into a CSV file, so it can be parsed by external tools (more) easily.

These features should really be easy to implement and would provide capsuleers more control over their API keys, as you don't know where the API keys are going after you entered them on a website (e.g. your alliance forum). I am hoping that the community will support these ideas and that we can see these implemented soon.
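An added illustration, not part of the original post and not CCP's code or log format: a small audit of the kind of CSV export the post asks for, flagging keys used from an address other than the one they are pinned to. The column names, the `key_id` column, the key IDs and the addresses are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of the proposed CSV export. The column names and the
# key_id column are assumptions; the log described in the post has no key ID.
SAMPLE_EXPORT = """\
timestamp,ip,key_id,accessed
2013-08-02 12:00:01,198.51.100.10,1001,CharacterSheet
2013-08-02 12:05:44,203.0.113.77,1001,WalletJournal
2013-08-02 12:06:10,192.0.2.5,1002,CharacterSheet
2013-08-02 12:09:30,203.0.113.77,1002,MailMessages
2013-08-02 12:11:02,203.0.113.77,9999,CharacterSheet
"""

# Hypothetical per-key setting from the proposal: ONE IP address, or None
# for "left empty" (= any IP address).
ALLOWED_IP = {"1001": "198.51.100.10", "1002": None}


def audit_access_log(csv_text, allowed_ip):
    """Return (findings, ips_per_key) for an exported access log."""
    findings = []
    ips_per_key = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key_id, ip = row["key_id"].strip(), row["ip"].strip()
        ips_per_key[key_id].add(ip)
        if key_id not in allowed_ip:
            # Access with a key the owner does not recognise at all.
            findings.append((row["timestamp"], key_id, ip, "unknown key"))
        elif allowed_ip[key_id] is not None and ip != allowed_ip[key_id]:
            # Key is pinned to one address but was used from another.
            findings.append((row["timestamp"], key_id, ip, "unexpected IP"))
    return findings, dict(ips_per_key)


if __name__ == "__main__":
    findings, ips_per_key = audit_access_log(SAMPLE_EXPORT, ALLOWED_IP)
    for ts, key_id, ip, reason in findings:
        print(f"{ts} key={key_id} ip={ip}: {reason}")
    # Unpinned keys cannot violate a pin, but a spread of source addresses
    # is still worth a look.
    for key_id, ips in sorted(ips_per_key.items()):
        if len(ips) > 1:
            print(f"key={key_id} seen from {len(ips)} addresses: {sorted(ips)}")
```

Without the key ID column, the two requests from 203.0.113.77 against keys 1001 and 1002 could not be told apart from the owner's own tools.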
Tu'yak Marowshay
Original Sinners
Pandemic Legion
#2 - 2013-08-02 12:39:25 UTC
This should be a "thing" already! +1 op
Ncc 1709
Fusion Enterprises Ltd
Pandemic Horde
#3 - 2013-08-02 13:44:35 UTC
+1
Rented
Hunter Heavy Industries
#4 - 2013-08-02 14:05:05 UTC
You're concerned about people seeing your API data.... which you're already giving away for other people to see in the first place... wait wut?
BigSako
Aliastra
Gallente Federation
#5 - 2013-08-02 14:23:53 UTC
Rented wrote:
You're concerned about people seeing your API data.... which you're already giving away for other people to see in the first place... wait wut?

You're assuming I am "giving away" an API key. Players, including me, are forced to enter their API key when they apply to 0.0 (block) alliances. At the same time API keys are used for authenticating against services like alliance/corp/coalition forums and teamspeak servers.

So somebody "stealing" the API key could authenticate as me without being me, which is authentication theft and technically a crime.
Rutger Centemus
Joint Empire Squad
#6 - 2013-08-02 15:26:34 UTC
+1
Malleus Sicarius
FinFleet
Northern Coalition.
#7 - 2013-08-02 15:27:32 UTC  |  Edited by: Malleus Sicarius
+1

indeed too many API farms and then use it to spy coms ...
spoils the beauty of the game

Shadow Leigon
Azrael's Dogs
#8 - 2013-08-02 15:27:58 UTC
+1
Azlana
Sebiestor Tribe
Minmatar Republic
#9 - 2013-08-02 15:28:01 UTC
+1
killerkeano
Doomheim
#10 - 2013-08-02 15:29:29 UTC
Definite +1

Rented wrote:
You're concerned about people seeing your API data.... which you're already giving away for other people to see in the first place... wait wut?


and if they were maliciously stolen, copied..? theoretically..

without reading all the game's terms and conditions, I'm not sure how far the misuse of API information is protected? If it isn't then it should be.

DJ REUNION
Melphalan
Curatores Veritatis Alliance
#11 - 2013-08-02 15:39:43 UTC
+1
DarkBridge TheSith
Viziam
Amarr Empire
#12 - 2013-08-02 16:05:35 UTC
+1
DaSumpf
Perkone
Caldari State
#13 - 2013-08-02 16:06:58 UTC  |  Edited by: DaSumpf
+1

There are a lot of 3rd party tools out there that require API keys (many killboards, EFT, EVEMon, JEveAssets to name just a few of them). Once you give away your API key (customized key in most cases, but in a few rare cases the full API as well) you have no control over whether your key and code are transmitted somewhere else or not.
In 0.0 alliances (yes, we are all paranoid) it's pretty common to hand out a full API to your director or whoever keeps track of members and member activities. If said (trustful) person uses the above mentioned 3rd party tools in order to do his work the full APIs are no longer under control of said (trustful) person.

So I fully support the mentioned changes (which should be really easy to implement anyways) for more safety.
Moon Rabit
Billionaires Club
#14 - 2013-08-02 16:10:33 UTC
+1
ReacT1337
Aperture Technologies
#15 - 2013-08-02 16:29:01 UTC
+1

CCP is talking about account security all the time...but making it too easy for 3rd party hosters to use the API information with bad intentions.
Massa S
Aperture Technologies
#16 - 2013-08-02 16:33:03 UTC
+1

Give us more safety when we use a feature you gave us.
Totalani
Grim Determination
Manifest Destiny.
#17 - 2013-08-02 16:34:36 UTC
+1
Icantspellwell
State Strategic Services
Templis Strategic Division
#18 - 2013-08-02 17:04:05 UTC
+1
Aliventi
Rattini Tribe
Minmatar Fleet Alliance
#19 - 2013-08-02 17:16:54 UTC
+1
Demotress
Systems High Guard
Tactical Narcotics Team
#20 - 2013-08-02 17:27:58 UTC
Where is the like button? I must like this idea, seems like a good one.