These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/

[API] Several Security Measures that are easy to implement

Laendra
Universalis Imperium
Goonswarm Federation
#21 - 2013-08-02 19:22:19 UTC
I would think something like registering your API application with CCP and obtaining a public vCode, which then would be part of the API access process, would HELP eliminate these API identity thefts.

For instance,

wi-alliance.com applies for a public vCode. This vCode is autogenerated and cannot be manually selected.
If I want to access their forums, I must provide an API key, so I get their public vCode, and then generate a vCode of my own that utilizes the public vCode
Unscrupulous MetaPlayer X somehow manages to obtain my keyID and vCode and tries to apply it to goonfleet.com as if they were me. Since the goonfleet.com has a different public vCode the key wouldn't work, and access would be denied, and access attempt would be logged on both goonfleet.com and api.eveonline.com
Sebastian Hoch
Deep Core Mining Inc.
Caldari State
#22 - 2013-08-02 21:20:38 UTC  |  Edited by: Sebastian Hoch
BigSako wrote:
I would like to propose the following features for the EvE Online Character (and potentially also Corp API).

  • Possibility to limit APIs to a certain IP address:
  • APIs can be stolen by/leaked from services and/or tools (not calling anyone out here). Therefore limiting the API access to a certain IP address (e.g. eve-kill) would help a lot to secure the API.

    ....

    So somebody "stealing" the API key could authenticate as me without being me, which is authentication theft and technically a crime.


    Maybe you should consider only giving your API out to organizations that are competent and you can trust? I am under the impression that compromising APIs is a time-honored part of CCP's beloved meta-game.

    I have never used an API to compromise an external service, but since the only real world identity you have in Eve is carried by your account and not your character(s), I am not so sure it's the same thing as "identity or authentication theft", especially since it's an acknowledged part of the game. I am not a lawyer, but I don't see why the law would care if part of the game takes place on CCP's servers, and part of it takes place on player systems, especially if there are never any damages from the act outside the context of the game?

    "Your honor, he pretended to be the spaceman I was pretending to be!"
    Nofearion
    Destructive Brothers
    Fraternity.
    #23 - 2013-08-02 22:06:44 UTC
    +1 and the like button is on the post at the upper right corner
    BigSako
    Aliastra
    Gallente Federation
    #24 - 2013-08-03 14:23:27 UTC
    Laendra wrote:
    I would think something like registering your API application with CCP and obtaining a public vCode, which then would be part of the API access process, would HELP eliminate these API identity thefts.

    For instance,

    wi-alliance.com applies for a public vCode. This vCode is autogenerated and cannot be manually selected.
    If I want to access their forums, I must provide an API key, so I get their public vCode, and then generate a vCode of my own that utilizes the public vCode
    Unscrupulous MetaPlayer X somehow manages to obtain my keyID and vCode and tries to apply it to goonfleet.com as if they were me. Since the goonfleet.com has a different public vCode the key wouldn't work, and access would be denied, and access attempt would be logged on both goonfleet.com and api.eveonline.com


    this seems like a good idea too.
    Vasilissa Dragomere
    Veni Vidi Vici Reloaded
    #25 - 2013-08-03 15:47:29 UTC
    +1
    BigSako
    Aliastra
    Gallente Federation
    #26 - 2013-08-04 22:05:37 UTC
    now that the AT is over, I'm going to push this again.
    Kimpaz
    The Stooges
    #27 - 2013-08-04 22:08:24 UTC
    +1
    Six Strangelove
    Quam Singulari
    #28 - 2013-08-04 22:09:59 UTC
    +1
    Kylie Cole
    The n00b Experience
    #29 - 2013-08-05 03:59:00 UTC
    Laendra wrote:
    I would think something like registering your API application with CCP and obtaining a public vCode, which then would be part of the API access process, would HELP eliminate these API identity thefts.

    For instance,

    wi-alliance.com applies for a public vCode. This vCode is autogenerated and cannot be manually selected.
    If I want to access their forums, I must provide an API key, so I get their public vCode, and then generate a vCode of my own that utilizes the public vCode
    Unscrupulous MetaPlayer X somehow manages to obtain my keyID and vCode and tries to apply it to goonfleet.com as if they were me. Since the goonfleet.com has a different public vCode the key wouldn't work, and access would be denied, and access attempt would be logged on both goonfleet.com and api.eveonline.com


    This sounds good to me. Extra bonus of the API application admin just needing to regenerate a vCode to require everyone to re-verify their keys.
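The binding Laendra proposes, together with the regeneration effect noted in the post above, as an added example that is not part of the thread and not CCP's API: a player's vCode is derived with HMAC-SHA256 from a server-held per-key secret and the application's public vCode. The `ApiServer` class, its method names, the keyID value and the premise that the server can tell which registered application is calling are all assumptions.

```python
import hashlib
import hmac
import secrets


class ApiServer:
    """Hypothetical API server; none of these names are CCP's."""

    def __init__(self):
        self.user_secrets = {}  # keyID -> per-key secret held only by the server
        self.app_codes = {}     # application -> autogenerated public vCode
        self.denied = []        # (keyID, application) for every rejected attempt

    def register_app(self, app):
        # Autogenerated, never chosen by the applicant; calling again rotates it.
        self.app_codes[app] = secrets.token_hex(16)
        return self.app_codes[app]

    def create_key(self, key_id):
        self.user_secrets[key_id] = secrets.token_bytes(32)

    def derive_vcode(self, key_id, app):
        # The vCode a player hands to one application, bound to its public vCode.
        msg = self.app_codes[app].encode()
        return hmac.new(self.user_secrets[key_id], msg, hashlib.sha256).hexdigest()

    def verify(self, key_id, vcode, calling_app):
        # Assumption: the server already knows which registered app is calling.
        ok = key_id in self.user_secrets and calling_app in self.app_codes
        if ok:
            expected = self.derive_vcode(key_id, calling_app)
            ok = hmac.compare_digest(expected.encode(), vcode.encode())
        if not ok:
            self.denied.append((key_id, calling_app))  # log the failed attempt
        return ok


def demo():
    api = ApiServer()
    api.register_app("wi-alliance.com")
    api.register_app("goonfleet.com")
    api.create_key(1234567)  # constructed keyID
    vcode = api.derive_vcode(1234567, "wi-alliance.com")
    results = {
        "intended_app": api.verify(1234567, vcode, "wi-alliance.com"),
        "replayed_elsewhere": api.verify(1234567, vcode, "goonfleet.com"),
    }
    api.register_app("wi-alliance.com")  # admin regenerates the public vCode
    results["after_rotation"] = api.verify(1234567, vcode, "wi-alliance.com")
    return results, api.denied
```

This sketch records denied attempts on the API server only; logging on the application side, as the proposal also asks for, would be done by the application itself.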
    Alundil
    Rolled Out
    #30 - 2013-08-05 04:54:49 UTC
    You received my "like"

    I'm right behind you

    Sable Moran
    Moran Light Industries
    #31 - 2013-08-05 08:49:08 UTC
    +1

    Sable's Ammo Shop at Alentene V - Moon 4 - Duvolle Labs Factory. Hybrid charges, Projectile ammo, Missiles, Drones, Ships, Need'em? We have'em, at affordable prices. Pop in at our Ammo Shop in sunny Alentene.

    DaSumpf
    Perkone
    Caldari State
    #32 - 2013-08-07 14:13:22 UTC
    Bump
    ... for important security stuff.
    BigSako
    Aliastra
    Gallente Federation
    #33 - 2013-08-11 06:57:21 UTC
    Bump - because it's really easy to implement some changes and they could help a lot towards account security...
    BigSako
    Aliastra
    Gallente Federation
    #34 - 2013-09-19 20:36:02 UTC
    Bump - in confirmation with the new TOS about impersonating people.

    Quote:
    You may not impersonate or falsely present yourself to be a representative of another player, group of players, character or NPC entity.


    Can CCP implement some of the changes I recommended for the API to prevent abusing APIs?
    Antillie Sa'Kan
    Imperial Shipment
    Amarr Empire
    #35 - 2013-09-19 20:46:13 UTC  |  Edited by: Antillie Sa'Kan
    Laendra wrote:
    I would think something like registering your API application with CCP and obtaining a public vCode, which then would be part of the API access process, would HELP eliminate these API identity thefts.

    For instance,

    wi-alliance.com applies for a public vCode. This vCode is autogenerated and cannot be manually selected.
    If I want to access their forums, I must provide an API key, so I get their public vCode, and then generate a vCode of my own that utilizes the public vCode
    Unscrupulous MetaPlayer X somehow manages to obtain my keyID and vCode and tries to apply it to goonfleet.com as if they were me. Since the goonfleet.com has a different public vCode the key wouldn't work, and access would be denied, and access attempt would be logged on both goonfleet.com and api.eveonline.com


    I approve of this product and/or service as it is grounded in industry standard public-key cryptography.