These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/

EVE Information Portal

 
  • Topic is locked indefinitely.
 

Dev blog: EVE Online SSO and what you need to know

First post First post
Author
Previous Topic Next Topic
IceGuerilla
Viziam
Amarr Empire
#101 - 2014-07-04 14:56:02 UTC
Talking of logins, on a somewhat unrelated note: logging in to the forums while viewing this thread for example dumps me to the forum front page, rather than back at the thread. I'm sure people, including our illustrious CSM members, have noted this elsewhere, but just something else to note.

Oh, but I'm sure there's a totally legitimate "legacy code" reason for this.
Tam Althor
Commonwealth Industries
#102 - 2014-07-04 17:21:26 UTC
IceGuerilla wrote:
Talking of logins, on a somewhat unrelated note: logging in to the forums while viewing this thread for example dumps me to the forum front page, rather than back at the thread. I'm sure people, including our illustrious CSM members, have noted this elsewhere, but just something else to note.

Oh, but I'm sure there's a totally legitimate "legacy code" reason for this.



Na, that one is the other excuse that CCP falls back on, they will fix it later(never)
Jessica Danikov
Network Danikov
#103 - 2014-07-04 20:00:59 UTC
IceGuerilla wrote:
Talking of logins, on a somewhat unrelated note: logging in to the forums while viewing this thread for example dumps me to the forum front page, rather than back at the thread. I'm sure people, including our illustrious CSM members, have noted this elsewhere, but just something else to note.

Oh, but I'm sure there's a totally legitimate "legacy code" reason for this.


Should be fairly easy on a technical level to recall and redirect you to your preceding page, so it'll more be a case of priority I imagine.
Jinn Aideron
#104 - 2014-07-04 20:11:11 UTC
While we are at it:

I'd like to have a shared secret with CCP as fallback authentication for the time when normal account credentials, entered daily into various browsers and OSs, will eventually be compromised.


Seems a reasonable enough request to me.

Have a nice weekend! :)

Stealth deletes are bad.
Slicr
#105 - 2014-07-05 01:27:36 UTC  |  Edited by: Slicr
Max Kolonko wrote:
Slicr wrote:
Tau Cabalander wrote:
I really hope SSO doesn't use OAuth 2.0

Having the lead OAuth developers leave and demand their names taken off of it, plus the inherent security flaws, doesn't bode well.



Is CCP dodging this legitimate question?

Please make this an opt-in requirement as I pay to play this game and thus protect my login information for this game and not other 3rd party sites.

Please link the passage that says CCP has the right to allow access to my login information from other 3rd parties?
The fact that a 3rd party can attempt to get my acct access is not right.
When a hack happens (it is not if but when) your customers will not know which 3rd parties have been affected and then it becomes our problem.

It is crazy stuff like this that one has to protect themselves from cuz a company could care less as long as it can make money.
Also, it is the main reason I pay month to month since there have been times and games in the past that one would have wished they only paid monthly.


LOL, dont want it? Dont use it. Its that simple.

Ofc You may soon realize that you cant use dotlan without loging in (just an example)


CCP is making a bridge from 3rd party websites to our login information - the fact that one does not use it does not mean someone else cannot try and use it.
Ever wonder how scam emails found your Hotmail account?

I believe in being Pro-Active as Opposed to Reactive. Reactive tends to be more costly in time and money.
Ms Michigan
Aviation Professionals for EVE
#106 - 2014-07-05 03:34:05 UTC
Steve Ronuken wrote:
As an aside, the possible game issues with Authenticated CREST are one of the reasons I wanted to get onto the CSM.

They have a lot of scope for making the game more fun for people, where they can take out the annoying management crap (Standing management, fitting a thousand ships, managing your SRP).

They also have scope for breaking things, to the point you have to use a third party app to be competitive. That I want to avoid. In general, if it makes ISK (directly or indirectly. Market for direct, industry for indirect) I'd want to avoid making it writable. The good news is, CCP seem to feel the same

Then you have edge conditions, like the skill queue. Because if you give api access to it, well, you've just set up an infinite queue. (unless something is done to stop it. Might be possible)


Ahh...Now I get it. I couldn't figure out why you were posting more than the devs ; didn't know the META. You have a vested interest in said technology. Which site do you run?

All that aside, my original post stands. IF CCP can't just bring these tools/sites on property and pay the people properly who developed them, then I still have a hard time with this. Not only on security, but principal. Yes, people don't have to use it...just like facebook. But again, the phishing scams alone are of concern as this involves money. As one user mentioned. What is CCP's policy going to be on this with third party websites?
Maru Sha
The Department of Justice
#107 - 2014-07-05 07:34:56 UTC
So what do you think: how many of your players will read this dev blog and follow your rules, and how many will get to know about it (the idea of SSO for non-CCP-webage) by word of mouth and then possibly fall to fishing websites, because they don't follow your rules?
Deacon Abox
Black Eagle5
#108 - 2014-07-05 15:38:23 UTC
Maru Sha wrote:
So what do you think: how many of your players will read this dev blog and follow your rules, and how many will get to know about it (the idea of SSO for non-CCP-webage) by word of mouth and then possibly fall to fishing websites, because they don't follow your rules?

I agree. This is so open to player mistakes. There is bound to be an increase in stolen accounts and stolen account petitions. Is CCP going to hire new people to address the stolen accounts after just laying off so many people?

Also, with everything in computers, I'm sure there are people right now figuring out how to bust through the "gates" created with this SSO system. It will get compromised.

So, again, is this a needed change? or is it just more of the oh look a shiney new thing and we can do that. See my signature. Still waiting for some off buttons. Just because something new comes along doesn't make it better.Straight

CCP, there are off buttons for ship explosions, missile effects, turret effects, etc. "Immersion" does not seem to be harmed by those. So, [u]please[/u] give us a persisting off button for the jump gate and autoscan visuals.

Blastcaps Madullier
Handsome Millionaire Playboys
Sedition.
#109 - 2014-07-05 15:41:17 UTC
Dinsdale Pirannha wrote:
Blastcaps Madullier wrote:
this is a SERIOUSLY bad idea from start to finish, it doesn't matter how good you make it, someone WILL hack it or find a exploit and by using this you are only going to see a flood of hacked accounts in the near future.

Congratulations on another ill thought out idea and I'm going to be LMFAO when it happens and you start getting a flood of comprimised accounts, all because someone at CCP thought this was a GOOD idea.... maybe next time try thinking up good idea's while under the influance of drink or drugs.....

A better idea would have been to use the API system, not "hey here's all my account details you need to go take over my eve account...."

oh and before you say it won't happen, I'll remind you of a hat community group called lolsec who got into your own servers....


This was likely proposed to CCP by the very people that will exploit the hell out of it, but hey, we already know that in CCP's eyes this group can do no wrong.


one of the easiest ways of comprimise is going to be man in the middle attacks...
Blastcaps Madullier
Handsome Millionaire Playboys
Sedition.
#110 - 2014-07-05 15:49:57 UTC
Tarsas Phage wrote:
Dinsdale Pirannha wrote:
Blastcaps Madullier wrote:
this is a SERIOUSLY bad idea from start to finish, it doesn't matter how good you make it, someone WILL hack it or find a exploit and by using this you are only going to see a flood of hacked accounts in the near future.

Congratulations on another ill thought out idea and I'm going to be LMFAO when it happens and you start getting a flood of comprimised accounts, all because someone at CCP thought this was a GOOD idea.... maybe next time try thinking up good idea's while under the influance of drink or drugs.....

A better idea would have been to use the API system, not "hey here's all my account details you need to go take over my eve account...."

oh and before you say it won't happen, I'll remind you of a hat community group called lolsec who got into your own servers....


This was likely proposed to CCP by the very people that will exploit the hell out of it, but hey, we already know that in CCP's eyes this group can do no wrong.



Security is a complex thing, and when people can't wrap their head around a specific topic or its specific, often complex implementation, we see their brains short circuit in a cloud of tinfoil smoke, such as the gentleman you replied to.

They know they should understand it because hey, they're a first-year undergrad Java programmer, they should know all the things and be Web 3.0 and just learned what a linked list is right? But they don't, so they default to spewing tinhattery gibberish and saying those incredibly generalized sound bites that were cribbed from some mass-market online news site.


Actually not at all, EVERY single PC game protection has been cracked usually within a matter of hours, if you think someone cant crack a security system usualy by finding a exploit among other things then your perceptions of things need serious relooking at.
Hell banks have had their security broken on numourus occasions, and you think they dont throw a metric f**k ton of money at things to ensure they have the best possible security avail both in terms of software or personal?
Karbowiak
Sacred Templars
Fraternity.
#111 - 2014-07-05 17:56:04 UTC
To those morons amongst you who think we 3rd party devs will get access to your account details, please read the following:

WE WILL NOT GET ACCESS TO YOUR ACCOUNT DETAILS

Read it? Understood it? if not, read it again..
Ok, lets move on.

The SSO (Which is OAUTH2 based for those of you who need to know that) works by telling us that your login is real,what your character name+id is, and a unique id that is bound to your character for the duration it's on the same account.

So lets sum up

1. We do not get your account details
2. We get the characterID and characterName of the character YOU selected to use
3. We get a unique id that is bound to the character you selected, as long as it's on the same account

The SSO will actually make you all safer overall, since 3rd party devs aren't holding your account information anymore, AND it will make lives for us easier, since we don't have to hope you'll register to use extended features.

It will only get more glorious once CREST gets opened up, and we can start requesting more data from it using scopes and whatnot. (That's where we ask you for extra information when you login via the SSO)

tl;dr: we will not get access to your account details
Rain6637
GoonWaffe
Goonswarm Federation
#112 - 2014-07-05 18:40:26 UTC
yeah, that's not a problem. the issue is these input fields becoming associated with sites that aren't strictly CCP, opening the door to phishing. as a percentage, there will be players who type their account name and password into a fake SSO page.

Help, I can't download EVE

President of the Commissar Kate Fanclub

PLEX: A Giffen good? (It's 1B?)
Ereshgikal
Wharf Crusaders
#113 - 2014-07-05 19:49:56 UTC
Slicr wrote:
Max Kolonko wrote:
Slicr wrote:
Tau Cabalander wrote:
I really hope SSO doesn't use OAuth 2.0

Having the lead OAuth developers leave and demand their names taken off of it, plus the inherent security flaws, doesn't bode well.



Is CCP dodging this legitimate question?

Please make this an opt-in requirement as I pay to play this game and thus protect my login information for this game and not other 3rd party sites.

Please link the passage that says CCP has the right to allow access to my login information from other 3rd parties?
The fact that a 3rd party can attempt to get my acct access is not right.
When a hack happens (it is not if but when) your customers will not know which 3rd parties have been affected and then it becomes our problem.

It is crazy stuff like this that one has to protect themselves from cuz a company could care less as long as it can make money.
Also, it is the main reason I pay month to month since there have been times and games in the past that one would have wished they only paid monthly.


LOL, dont want it? Dont use it. Its that simple.

Ofc You may soon realize that you cant use dotlan without loging in (just an example)


CCP is making a bridge from 3rd party websites to our login information - the fact that one does not use it does not mean someone else cannot try and use it.
Ever wonder how scam emails found your Hotmail account?


"Making a bridge"....

Please, Glenn Beck, stop frequenting these pages and go back to spouting your nonsense elsewhere.

Sorry, had to get that off my chest.

Please enlighten us how this "bridge" is any different from the log in procedure that exist today, and how someone else will be given more possibility to access your account when this feature is introduced compared with today....

You do know that you can't access someones account using the API today, right? Sure, you can look up information, but that is it. The SSO has less information exposed than the API. But please give us technical information why you think SSO is bad, not just Fox News-level fearmongering.
Nibbs Skor
Blackstar Warriors
#114 - 2014-07-06 08:56:22 UTC
Not sure we needed the anti-scam training in the original post. surely Jita local taught us all how to spot scams already
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#115 - 2014-07-07 01:28:03 UTC
Ms Michigan wrote:
Ahh...Now I get it. I couldn't figure out why you were posting more than the devs ; didn't know the META. You have a vested interest in said technology. Which site do you run?


All there in my Sig Blink

Yes, I'd like to see it out there, mostly because I don't want to have to put up with the annoyance of managing a database of usernames and passwords, along with the paraphernalia that goes with it (resets and the like)

Ms Michigan wrote:

All that aside, my original post stands. IF CCP can't just bring these tools/sites on property and pay the people properly who developed them, then I still have a hard time with this. Not only on security, but principal. Yes, people don't have to use it...just like facebook. But again, the phishing scams alone are of concern as this involves money. As one user mentioned. What is CCP's policy going to be on this with third party websites?



As for bringing in third party devs, to make them into official applications, the vast majority aren't enough to keep a full time developer going for extended periods of time. Or are of low utility to most people. Or are specific to some corporations. One example is the class of 3rd party devs that maintain things like private corporation/alliance forums/wikis/voice coms and so on. (SSO will be very useful there)



Policy I can't speak to.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter
Josef Djugashvilis
#116 - 2014-07-07 06:55:06 UTC  |  Edited by: Josef Djugashvilis
Steve Ronuken wrote:
Ms Michigan wrote:
So ...my 5 year old nephew with a laptop can break 128 bit encryption with a laptop in 45 seconds. There is that. Just so we are all on the same baseline. I get the whole internet uses it. But just for the lay-man reading my post. Just be aware.



Citation needed.


The five year old does not have an Eve Online account so cannot personally explain to you how he broke the encryption.

This is not a signature.
Lady Areola Fappington
#117 - 2014-07-07 07:05:15 UTC
This thread is just amazing. Jam packed with false assumptions and incorrect guesses.

SSO actually makes your account quite abit more secure. Rather than having seperate usernames for all your assorted third party websites, you just have one username and password to remember. Knowing people, all those user/pw combos are either the exact same as their EVE account, or just simple variations.

3rd party devs don't get your username/PW (as mentioned before). They'll be getting the same information they get now about you, only without the added burden of having to manage login credentials.

If you use google, facebook, steam, multiple telcom/cable providers, hulu, netflix, Amazon, most large banks, ebay, paypal, then you are using SSO already in your daily life. You do the same thing with CCP as you do with them...check the URL and make sure it's valid before blindly facerolling your credentials in.


Jeez folks, CCP could hand some of you a brick of solid gold, and you'd still be complaining it wasn't shiny enough.

7.2 CAN I AVOID PVP COMPLETELY? No; there are no systems or locations in New Eden where PvP may be completely avoided. --Eve New Player Guide
Wacktopia
Fleet-Up.com
Keep It Simple Software Group
#118 - 2014-07-07 19:32:12 UTC
KEEEEEEEEEEEEERRRRRRRRRRRRRCCHHHHHHHHOOOOOOOOOOOWWWWWWW!!!!!

Much thanks FoxFour, Phantom & anyone else involved in this. :)

Kitchen sink? Seriousy, get your ship together -  Fleet-Up.com
Rain6637
GoonWaffe
Goonswarm Federation
#119 - 2014-07-07 19:40:33 UTC  |  Edited by: Rain6637
Lady Areola Fappington wrote:
This thread is just amazing. Jam packed with false assumptions and incorrect guesses.

SSO actually makes your account quite abit more secure. Rather than having seperate usernames for all your assorted third party websites, you just have one username and password to remember. Knowing people, all those user/pw combos are either the exact same as their EVE account, or just simple variations.

3rd party devs don't get your username/PW (as mentioned before). They'll be getting the same information they get now about you, only without the added burden of having to manage login credentials.

If you use google, facebook, steam, multiple telcom/cable providers, hulu, netflix, Amazon, most large banks, ebay, paypal, then you are using SSO already in your daily life. You do the same thing with CCP as you do with them...check the URL and make sure it's valid before blindly facerolling your credentials in.


Jeez folks, CCP could hand some of you a brick of solid gold, and you'd still be complaining it wasn't shiny enough.

it might sound like a slippery slope fallacy followed by an appeal to emotion, to suggest players will get tricked into entering their login on a fake SSO page... but it isn't. especially for the player/victim/statistic whose account name matches their main's name, asking what customer service's policy will be in their case is an inquiry regarding the only recourse available to them.

...for when it works fine otherwise, sure: great/awesome.

Help, I can't download EVE

President of the Commissar Kate Fanclub

PLEX: A Giffen good? (It's 1B?)
Slicr
#120 - 2014-07-07 20:31:13 UTC
I am playing Eve Online.
I have agreed to pay CCP to play this game.
In order for me to fulfill that agreement I have a login ID and password that I use to provide CCP with my payment particulars.

I do not want CCP to make money off of endangering my personal information.

Make this OPT-IN only



I believe in being Pro-Active as Opposed to Reactive. Reactive tends to be more costly in time and money.