First impressions of using the EVE SSO

Jen Moriarty
Republic University
Minmatar Republic
#1 - 2014-11-27 07:49:02 UTC  |  Edited by: Jen Moriarty
Hi there,

So I've just finished integrating the EVE SSO into my site, and the first impressions of the user base kinda surprised me. It seems that almost all of them are unwilling to provide their login details as they fear I may have access to them. Even showing them the SSO Devblog doesn't help. Perhaps CCP should be more vocal about the SSO and its security, cause it seems nobody knows about it.

Jen
Rivr Luzade
Coreli Corporation
Pandemic Legion
#2 - 2014-11-27 08:18:21 UTC
That's what I would call properly educated player base: paranoid and distrustful, both because of EVE's society as well as real-life events.

UI Improvement Collective

My ridicule, heavy criticism and general pale outlook about your or CCP's ideas is nothing but an encouragement to prove me wrong. Give it a try.

elitatwo
Zansha Expansion
#3 - 2014-11-27 10:15:02 UTC
Jen Moriarty wrote:
Hi there,

So I've just finished integrating the EVE SSO into my site, and the first impressions of the user base kinda surprised me. It seems that almost all of them are unwilling to provide their login details as they fear I may have access to them. Even showing them the SSO Devblog doesn't help. Perhaps CCP should be more vocal about the SSO and its security, cause it seems nobody knows about it.

Jen


Okay, let me translate that back to a language we all speak:

Hi, I made a website that gives me access to your accounts, all you need to do is to give me your passwords so I can go on and steal your pixels.

Thanks for your cooperation!

Eve Minions is recruiting.

This is the law of ship progression!

Aura sound-clips: Aura forever

Takeshi Kumamato
Blaze Orange Expeditions
#4 - 2014-11-27 10:43:22 UTC
Apparently nobody in this forum knows about it either.
Ix Method
Doomheim
#5 - 2014-11-27 10:50:43 UTC
elitatwo wrote:
Okay, let me translate that back to a language we all speak:

Hi, I made a website that gives me access to your accounts, all you need to do is to give me your passwords so I can go on and steal your pixels.

Thanks for your cooperation!

*facepalm*

Travelling at the speed of love.

elitatwo
Zansha Expansion
#6 - 2014-11-27 15:40:33 UTC
Ix Method wrote:
*facepalm*


What? I was giving in to Rivr's joke.

I know what Single Sign On means and how it works. Facebook uses it, Google, Twitter and some others and the cool-kids site which I am too old to use.

Eve Minions is recruiting.

This is the law of ship progression!

Aura sound-clips: Aura forever

Zan Shiro
Doomheim
#7 - 2014-11-27 16:41:30 UTC  |  Edited by: Zan Shiro
Rivr Luzade wrote:
That's what I would call properly educated player base: paranoid and distrustful, both because of EVE's society as well as real-life events.



this...

There is a lot of implicit trust in that SSO. I tbh am leery of even more accepted ones at times. Only because I cannot know what was done on the website's end to secure the servers touched in the chain. As a prep for recent auditing/inspection between 1 admin and myself working in conjunction with the security manager we put in some hours to make sure our scans to meet compliancy came up clean.

In our case we had the option to write some off as a business need exception as a get out of jail free card as it were. We opted to work our asses off to just slay those dragons instead. Some of these dragons resided in our SSO to get network resource access externally (webmail for example).


I cannot and will not assume every website/server admin out there does the same. Or the host they run on if not a local web server. Takeaway is a good computer user should be paranoid. Just because you're paranoid does not mean something is not out to get you.

Well that I am in the minority of the anti-Facebook crowd so don't even use that. About to switch phone service provider and get new phones. I am so anti-Facebook I will pay for iexplorer (or apps like it) to copy game saves to migrate them when all I have to do is make a cheesy FB account to do the same thing. I still prefer the former. My hate of FB has a long backstory, too long to cover here lol.
Jen Moriarty
Republic University
Minmatar Republic
#8 - 2014-11-27 17:09:53 UTC
... meanwhile, on topic:

The SSO is miles better than previous authentication methods. While previously you needed to provide an API (which was entirely in the hands of the service provider), with the SSO you give away nothing. I don't even...
Def Monk
Phoenix Naval Operations
Phoenix Naval Systems
#9 - 2014-11-27 17:32:43 UTC
Zan Shiro wrote:
Rivr Luzade wrote:
That's what I would call properly educated player base: paranoid and distrustful, both because of EVE's society as well as real-life events.



this...

There is a lot of implicit trust in that SSO. I tbh am leery of even more accepted ones at times. Only because I cannot know what was done on the website's end to secure the servers touched in the chain. As a prep for recent auditing/inspection between 1 admin and myself working in conjunction with the security manager we put in some hours to make sure our scans to meet compliancy came up clean.

In our case we had the option to write some off as a business need exception as a get out of jail free card as it were. We opted to work our asses off to just slay those dragons instead. Some of these dragons resided in our SSO to get network resource access externally (webmail for example).


I cannot and will not assume every website/server admin out there does the same. Or the host they run on if not a local web server. Takeaway is a good computer user should be paranoid. Just because you're paranoid does not mean something is not out to get you.

Well that I am in the minority of the anti-Facebook crowd so don't even use that. About to switch phone service provider and get new phones. I am so anti-Facebook I will pay for iexplorer (or apps like it) to copy game saves to migrate them when all I have to do is make a cheesy FB account to do the same thing. I still prefer the former. My hate of FB has a long backstory, too long to cover here lol.

You seem to be mixing up your dragons a little here. There is a difference between an internal SSO in the sense of, for example, an LDAP setup commonly used in businesses, and an external OAuth SSO used for Eve/Google/FB/Twitter/Git/etc. The workflows and access granted by the setups have some differences.

If the service using the OAuth setup is properly running SSL with a valid cert (OAuth requires the requests and redirects to come from specific URIs you pre-define as from https addresses and forces you to follow a specific workflow), all the traffic is secure. Any information you can gain from the Eve SSO will have the user warned from the Eve website and allow you to decline if you don't trust the service.

The only issue from there is how the end-service handles storage of any information you choose to give them, which still falls on them and your trust of them, but that's the same for any web service.

====

For everyone else worried about it: THE SSO WILL REDIRECT YOU TO THE EVE WEBSITE. If you see your URL as https://login.eveonline.com/ when inputting your credentials, no end service using the SSO will be able to steal your accounts or information. Being CAREFUL and INFORMED is good - being paranoid can be excessive.
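
Added example, not part of the original thread: a small Python check of the two points made in post #9, that credentials are only entered on `https://login.eveonline.com/` and that the redirect goes to a pre-defined https URI. The `/oauth/authorize` path, the `tools.example` site, the `client_id` value and all sample links are constructed for illustration; `redirect_uri` is the standard OAuth 2.0 parameter name.

```python
from urllib.parse import urlsplit, parse_qs

SSO_HOST = "login.eveonline.com"  # host named in post #9


def check_authorize_url(url, registered_redirects):
    """Return a list of problems with an SSO login link; empty means it passes."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("login page not https")
    # .hostname drops any "user@" prefix and the port, so a lookalike
    # cannot hide the real destination in those parts of the URL.
    if parts.hostname != SSO_HOST:
        problems.append("login page host mismatch")
    if parts.username is not None or parts.password is not None:
        problems.append("userinfo in login URL")
    redirect = parse_qs(parts.query).get("redirect_uri", [])
    if len(redirect) != 1:
        problems.append("redirect_uri missing or repeated")
    else:
        if urlsplit(redirect[0]).scheme != "https":
            problems.append("redirect_uri not https")
        # Exact match against the pre-defined URIs, never prefix matching.
        if redirect[0] not in registered_redirects:
            problems.append("redirect_uri not pre-registered")
    return problems


# Constructed sample data (hypothetical third-party site "tools.example").
REGISTERED = {"https://tools.example/callback"}
QUERY = ("?response_type=code&client_id=EXAMPLE"
         "&redirect_uri=https%3A%2F%2Ftools.example%2Fcallback")
SAMPLES = {
    "genuine": "https://login.eveonline.com/oauth/authorize" + QUERY,
    "lookalike host": "https://login.eveonline.com.tools.example/oauth/authorize" + QUERY,
    "userinfo trick": "https://login.eveonline.com@tools.example/oauth/authorize" + QUERY,
    "plain http": "http://login.eveonline.com/oauth/authorize" + QUERY,
    "other redirect": "https://login.eveonline.com/oauth/authorize"
                      "?response_type=code&client_id=EXAMPLE"
                      "&redirect_uri=https%3A%2F%2Ftools.example%2Fother",
}

if __name__ == "__main__":
    for name, link in SAMPLES.items():
        print(f"{name}: {check_authorize_url(link, REGISTERED) or 'ok'}")
```

The lookalike and userinfo samples both contain the string `login.eveonline.com`, which is why the check compares the parsed hostname rather than searching the URL text.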