EVE Information Portal

You need to explain to me how these two things are linked. One is the login mechanism used by our web sites and services and the launcher, the other is a large repository of legacy code that assumes the character ID won't change while the session is active.

He is referring to the fact that Eve players have been pissed off for quite a while now, because CCP seems to have time and resources for this project that literally zero people wanted or asked for and will cause phishing to go though the damn roof because no matter how secure you make it people are still stupid, but on the other hand finding time to, literally widdle away close to 2 million dollars on failed game projects, but at the same time lack time and resources to providing BASIC functionality and UI customisability that other games have had for decades.

I know that (probably) has nothing to do with you personally, but it still annoys people.

We already have API keys for logging into external sites, we don't need the risk of exposing passwords either through user error, webmaster error or plain simply tech error. We know that SSL is probably compromised if not already but soon.

Add to this, two factor authentication that was promised and then forgotten about. CCP is getting back on the path of delivering crap that they want and that players don't care about.

I'm studying Network Security and Digital Forensics under scholarship. With one program, I'm learning how to keep computers safe from intrusion. With the other program, I'm learning how to break into them.

Like you, I've gotten a severe case of paranioa when it pertains to 'third party' applications... especially the "single-signon-services". The so-called 'social sites' rate on the 'trustworthy' scale just above politicians and facebook rates as the lowest of all those.

I want nothing to do with any services outside EvE online.

I want to know if we will have the option to NOT use this SSO.

Maintaining and updating the older encryption takes less time (costs less) than develping a new encryption. New encryption by default must be radically different from the encryptions they replace, otherwise, their 'shelf-life' is severely curtailed.

Digital Security is a very dynamic field. Malware developers are being paid big money for their product and security firms are as well. There is only one way to 'complete and perfect security'... don't get online and don't provide services to anyone.

That is good. I guess my opinion was a bit too blatant. sorry.

I've gotten a little too close a look at many companies' security systems in the last 3 years and it's made me a bit paraniod.

Facebook has been a shining example of how NOT to run security throughout my study's.

CCP, on the other hand gets a MUCH better grade. You guys seem to know what you're doing in security. I know it isn't easy in the type of industry you're in.

If you want to auth with a different account, then you'll need to change your log on for login.eveonline.com. If it's just another character on the same account, you won't. (There's a very basic version up and running on my site, if you want to see it in action. I'd suggest logging onto the https://sisilogin.testeveonline.com/ site first, if you've never done it before. )

hmmm... I misunderstood what I was looking at. That was a very basic mistake, too. I guess I still have quite a bit more to look thru.

One is a way to log into a service.
The other is a way to log into a service.

You can see why, to us users, it seems to be the same thing.

Waving the "legacy code" flag just makes it look like you are looking for excuses to not do your job.

The encryption-libraries are available for free and/or are built into webservers. All you need to do is to have a current version and specify which ciphers you allow and which not. You don't need to be a crypto-specialist at all, just need to know that RC4, MD5, DSA are not that good and that elliptic curves (ECDHE-Ciphers) provide forward secrecy. A simple approach to secure HTTPS is using a few ECDHE-Ciphers on top of the list and weak ciphers for older clients on the bottom.

Anyway, to not cause any concerns, https://secure.eveonline.com is actually secure, so your credit card data is safe.

B2T: SSO is Token/Ticket-based as far as I understood. From security point of view this is secure by design.
Basic principle to my understanding: you want to Login at a external website, click on "Login" there and are redirected to login.eveonline.com on separate window/tab/pop-up. Together with this login-Redirection the external site passes a ticket (like session-id) it to login.eveonline.com. When you logged in at login.eveonline.com this ticket is validated and sent back to the external page giving the external page your Char-Name. Login at external Page with your character completed. => Entire Login-Process takes places at login.eveonline.com.