EVE Technology Lab

 
 

EVESSO VS. API Player perceptions

Zee Sebiestor
Sebiestor Tribe
Minmatar Republic
#1 - 2015-11-05 17:21:49 UTC
Simple question to 3rd party developers. Do you feel the player base has a fear of using the evesso? I have had several players say they would not participate with my 3rd party website because they did not trust me with their eve login. I tried to explain how the evesso works but was faced with distrust. Has anyone else experienced similar issues?
Pete Butcher
The Scope
Gallente Federation
#2 - 2015-11-05 19:01:00 UTC
Zee Sebiestor wrote:
Simple question to 3rd party developers. Do you feel the player base has a fear of using the evesso? I have had several players say they would not participate with my 3rd party website because they did not trust me with their eve login. I tried to explain how the evesso works but was faced with distrust. Has anyone else experienced similar issues?


Yes I did, but I have a desktop app. Users tend not to trust 3rd party apps, and that's generally good. The best we can do is explain the safety of the operation. CCP can also add some text to the login page about it.

http://evernus.com - the ultimate multiplatform EVE trade tool + nullsec Alliance Market tool

Hel O'Ween
Men On A Mission
#3 - 2015-11-06 16:13:00 UTC
Currently not using SSO myself, but I can see the trust issue, given that this is EVE we're talking about, where you should trust no one and we're asking for "giv real credentials, pls!"

Even I as a dev was scared off the first time I encountered an SSO login screen at a 3rd party site/app (didn't get the memo about SSO being available).

Not sure how to deal with it, though. On the one hand, CCP could "advertise" SSO (and how it works) more offensively to the players. On the other hand, doing so will make SSO "legit" and I'm sure some scammers will come up with a fake SSO login screen and abuse it. I doubt that a non-techie will be able to spot the fake.

EVEWalletAware - an offline wallet manager.

Pete Butcher
The Scope
Gallente Federation
#4 - 2015-11-06 16:19:04 UTC
Hel O'Ween wrote:
Currently not using SSO myself, but I can see the trust issue, given that this is EVE we're talking about, where you should trust no one and we're asking for "giv real credentials, pls!"

Even I as a dev was scared off the first time I encountered an SSO login screen at a 3rd party site/app (didn't get the memo about SSO being available).

Not sure how to deal with it, though. On the one hand, CCP could "advertise" SSO (and how it works) more offensively to the players. On the other hand, doing so will make SSO "legit" and I'm sure some scammers will come up with a fake SSO login screen and abuse it. I doubt that a non-techie will be able to spot the fake.


Personally, I doubt in-game scammers will make fake login pages. All player actions are traceable and the people behind it would surely be found, if they ever used the credentials. Also, we have two factor auth nowadays.

http://evernus.com - the ultimate multiplatform EVE trade tool + nullsec Alliance Market tool

Zee Sebiestor
Sebiestor Tribe
Minmatar Republic
#5 - 2015-11-06 19:41:40 UTC
I think CCP should put out a video about the evesso and explain its workings. That would help a lot.
SJ Astralana
Syncore
#6 - 2015-11-08 01:09:09 UTC
Pete Butcher wrote:
Also, we have two factor auth nowadays.


2fa can be bypassed by starting exefile directly, so it's basically useless.

Hyperdrive your production business: Eve Production Manager

Pete Butcher
The Scope
Gallente Federation
#7 - 2015-11-08 05:44:01 UTC
SJ Astralana wrote:
Pete Butcher wrote:
Also, we have two factor auth nowadays.


2fa can be bypassed by starting exefile directly, so it's basically useless.


I'm assuming it will be fixed one day.

http://evernus.com - the ultimate multiplatform EVE trade tool + nullsec Alliance Market tool

salacious necrosis
Garoun Investment Bank
Gallente Federation
#8 - 2015-11-09 03:01:48 UTC
Pete Butcher wrote:
Hel O'Ween wrote:
Currently not using SSO myself, but I can see the trust issue, given that this is EVE we're talking about, where you should trust no one and we're asking for "giv real credentials, pls!"

Even I as a dev was scared off the first time I encountered an SSO login screen at a 3rd party site/app (didn't get the memo about SSO being available).

Not sure how to deal with it, though. On the one hand, CCP could "advertise" SSO (and how it works) more offensively to the players. On the other hand, doing so will make SSO "legit" and I'm sure some scammers will come up with a fake SSO login screen and abuse it. I doubt that a non-techie will be able to spot the fake.


Personally, I doubt in-game scammers will make fake login pages. All player actions are traceable and the people behind it would surely be found, if they ever used the credentials. Also, we have two factor auth nowadays.


Is faking an EVE SSO site bannable? I'm sure that would be a possible end result if this ever came up, but is it stated explicitly anywhere?

Use EveKit ! - Tools for EVE Online 3rd party development

CCP FoxFour
C C P
C C P Alliance
#9 - 2015-11-09 14:09:19 UTC
salacious necrosis wrote:
Pete Butcher wrote:
Hel O'Ween wrote:
Currently not using SSO myself, but I can see the trust issue, given that this is EVE we're talking about, where you should trust no one and we're asking for "giv real credentials, pls!"

Even I as a dev was scared off the first time I encountered an SSO login screen at a 3rd party site/app (didn't get the memo about SSO being available).

Not sure how to deal with it, though. On the one hand, CCP could "advertise" SSO (and how it works) more offensively to the players. On the other hand, doing so will make SSO "legit" and I'm sure some scammers will come up with a fake SSO login screen and abuse it. I doubt that a non-techie will be able to spot the fake.


Personally, I doubt in-game scammers will make fake login pages. All player actions are traceable and the people behind it would surely be found, if they ever used the credentials. Also, we have two factor auth nowadays.


Is faking an EVE SSO site bannable? I'm sure that would be a possible end result if this ever came up, but is it stated explicitly anywhere?


Yes. 100% so.

This is generally the article I link people when asking about the SSO: https://support.eveonline.com/hc/en-us/articles/205381192-Single-Sign-On-SSO-

I am working on getting a link to it added to the SSO login page itself. Apparently takes time for a modification like that to happen...

@CCP_FoxFour // Technical Designer // Team Tech Co

Third-party developer? Check out the official developers site for dev blogs, resources, and more.

Max Kolonko
Caldari Provisions
Caldari State
#10 - 2015-11-09 16:34:10 UTC
Hel O'Ween wrote:
Currently not using SSO myself, but I can see the trust issue, given that this is EVE we're talking about, where you should trust no one and we're asking for "giv real credentials, pls!"

Even I as a dev was scared off the first time I encountered an SSO login screen at a 3rd party site/app (didn't get the memo about SSO being available).

Not sure how to deal with it, though. On the one hand, CCP could "advertise" SSO (and how it works) more offensively to the players. On the other hand, doing so will make SSO "legit" and I'm sure some scammers will come up with a fake SSO login screen and abuse it. I doubt that a non-techie will be able to spot the fake.


One way to be certain is to go to any eveonline page (forum, gate, account), log in there and select to remember you. Then go to the third-party site and click on EVE login. If it didn't ask for a password and went straight to scope and character selection, you are safe. If not, be suspicious.
Hel O'Ween
Men On A Mission
#11 - 2015-11-09 17:30:02 UTC
Max Kolonko wrote:

One way to be certain is to go to any eveonline page (forum, gate, account), log in there and select to remember you. Then go to the third-party site and click on EVE login. If it didn't ask for a password and went straight to scope and character selection, you are safe. If not, be suspicious.


That's only true for web apps, not desktop applications, I fear. Or is it?

EVEWalletAware - an offline wallet manager.

Max Kolonko
Caldari Provisions
Caldari State
#12 - 2015-11-09 17:39:28 UTC
Hel O'Ween wrote:
Max Kolonko wrote:

One way to be certain is to go to any eveonline page (forum, gate, account), log in there and select to remember you. Then go to the third-party site and click on EVE login. If it didn't ask for a password and went straight to scope and character selection, you are safe. If not, be suspicious.


That's only true for web apps, not desktop applications, I fear. Or is it?


I actually don't know. But even standalone apps open a web interface for login, don't they?
CCP FoxFour
C C P
C C P Alliance
#13 - 2015-11-10 08:01:48 UTC
Hel O'Ween wrote:
Max Kolonko wrote:

One way to be certain is to go to any eveonline page (forum, gate, account), log in there and select to remember you. Then go to the third-party site and click on EVE login. If it didn't ask for a password and went straight to scope and character selection, you are safe. If not, be suspicious.


That's only true for web apps, not desktop applications, I fear. Or is it?


If it works for one it would work for both.

@CCP_FoxFour // Technical Designer // Team Tech Co

Third-party developer? Check out the official developers site for dev blogs, resources, and more.

Hel O'Ween
Men On A Mission
#14 - 2015-11-10 17:36:21 UTC
Quote:

I actually don't know. But even standalone apps open a web interface for login, don't they?


I have no clue either ...

Quote:

If it works for one it would work for both.


So the server does the "remember me"-magic? How so?

I'm trying to understand how a valid SSO login can be persisted if on the client side two different applications (web browser + 3rd party desktop application), which share no connection/data with each other, other than running on the same machine, be identified as being already authenticated.

Sorry if this is a trivial question for "web pros", but inquiring minds want to know.

EVEWalletAware - an offline wallet manager.

Pete Butcher
The Scope
Gallente Federation
#15 - 2015-11-10 18:46:33 UTC
Hel O'Ween wrote:
Quote:

I actually don't know. But even standalone apps open a web interface for login, don't they?


I have no clue either ...


They can. In Evernus I used both methods - internal and external browser. External one can take advantage of remember me functionality.

Hel O'Ween wrote:

Quote:

If it works for one it would work for both.


So the server does the "remember me"-magic? How so?

I'm trying to understand how a valid SSO login can be persisted if on the client side two different applications (web browser + 3rd party desktop application), which share no connection/data with each other, other than running on the same machine, be identified as being already authenticated.

Sorry if this is a trivial question for "web pros", but inquiring minds want to know.


3rd party app only needs a token to authenticate. Where that token comes from is pretty much irrelevant. Therefore, one can use a browser to log in (with remember me on) and the browser will redirect back locally to the application with appropriate code. This can often fail for many reasons (if someone tells you otherwise - he's an idiot with no real experience), but it usually works.

http://evernus.com - the ultimate multiplatform EVE trade tool + nullsec Alliance Market tool
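
The local redirect described in post #15, as an added example that is not part of the thread and is not code from Evernus or CCP: a desktop app listens on loopback for the single redirect the external browser sends back, and rejects the failure cases (error from the SSO server, wrong `state`, missing code, no redirect at all). The `/callback` path, the function names and the `state` handling are assumptions of this sketch, following the usual OAuth 2.0 authorization-code flow.

```python
import secrets
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

class CallbackError(Exception):
    """The redirect back to the application was unusable."""

def extract_code(request_path, expected_state):
    """Return the authorization code from the redirect, or raise CallbackError."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(request_path).query)
    if "error" in query:  # user declined, or the SSO server refused the request
        raise CallbackError("SSO returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    # state ties this redirect to the login this app started (hypothetical value)
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise CallbackError("state mismatch")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise CallbackError("missing or duplicated code")
    return codes[0]

def wait_for_code(expected_state, on_ready, timeout=120.0):
    """Listen on loopback for one redirect; on_ready(port) is called once bound."""
    result = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = extract_code(self.path, expected_state)
                status, body = 200, b"Login complete, you can close this tab."
            except CallbackError as exc:
                result["error"] = exc
                status, body = 400, b"Login failed."
            self.send_response(status)
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the code out of console logs
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)  # loopback only, free port
    server.timeout = timeout
    try:
        on_ready(server.server_address[1])  # e.g. open the external browser here
        server.handle_request()  # returns after one request or the timeout
    finally:
        server.server_close()
    if "error" in result:
        raise result["error"]
    if "code" not in result:
        raise CallbackError("no redirect received before timeout")
    return result["code"]
```

The application never sees the password in this flow; it only receives the short-lived code, which it then exchanges for a token.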