These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/

EVE Information Portal

 
  • Topic is locked indefinitely.
 

Dev blog: EVE Online SSO and what you need to know

First post First post
Author
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#21 - 2014-07-03 15:49:32 UTC
Rain6637 wrote:
suddenly I understand why forums.eveonline, secure.eveonline, and community.eveonline require separate logins.



For people that don't:


Logins on websites are managed by session cookies (generally these cookies also have the duration of a session.), which identify the session on the server. If different servers are handling the applications, they each need their own session cookie.

Thus, each needs you to log in.

Now, with the use of SSO, you sign into the login.eveonline.com server, and, if you tick the remember me box, it drops a cookie on your web browser, which identifies you the next time you come round (when you try logging into a different application) and removes the requirement to log in again.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Tam Althor
Commonwealth Industries
#22 - 2014-07-03 15:59:46 UTC
Steve Ronuken wrote:
IceGuerilla wrote:
We have this total rubbish, but we still can't change characters without relogging? What a load of poppycock.



Uh, One's extending the login tech that's already in use with CCP (take a look at logging into the community site, the wiki, and the forums), and the other is going through the entirety of the eve client code, looking for code where the assumption was made that the character id wouldn't change.

Teeny difference there.


Bigger difference is how few people care about logging to other eve sites vs how useful it would be to not have to close the client to switch characters. SSO is another waste of resources on the level of spacebook and CQ.
Karbowiak
The League Of Unwanted Capsuleers
#23 - 2014-07-03 16:50:23 UTC
Just the nitpicky side in me, but, how about upgrading the SSL cert so that it shows who owns it, right in the browser?

Paypal does this, for example, helps differentiate paypal from fakers much more easily than having to click the cert, and wading through it's information. Blink
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#24 - 2014-07-03 16:50:51 UTC
Tam Althor wrote:
Steve Ronuken wrote:
IceGuerilla wrote:
We have this total rubbish, but we still can't change characters without relogging? What a load of poppycock.



Uh, One's extending the login tech that's already in use with CCP (take a look at logging into the community site, the wiki, and the forums), and the other is going through the entirety of the eve client code, looking for code where the assumption was made that the character id wouldn't change.

Teeny difference there.


Bigger difference is how few people care about logging to other eve sites vs how useful it would be to not have to close the client to switch characters. SSO is another waste of resources on the level of spacebook and CQ.



Hmm. Maybe my classic british understatement wasn't obvious.

It's a hell of a lot of work to change things, so you can change character, without a client restart, while making sure there are no problems with it. With the ability to use the launcher to relog in quickly, for a single account (I'm asking for updates with this), that's a lot of effort, for a minor gain. (I run 3 accounts. 1 through the launcher, 2 not. I switch at least twice daily)

Putting SSO out for third parties: Other than legal work, this is mostly adding functionality to existing code. Not a huge investment of developer resource.

Especially not compared to the work put into CQ.

Rein in your hyperbole.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Chribba
Otherworld Enterprises
Otherworld Empire
#25 - 2014-07-03 16:59:43 UTC
nom nom nom

★★★ Secure 3rd party service ★★★

Visit my in-game channel 'Holy Veldspar'

Twitter @ChribbaVeldspar

Coffee Rocks
Caldari Provisions
Caldari State
#26 - 2014-07-03 17:11:20 UTC
Steve Ronuken wrote:


Hmm. Maybe my classic british understatement wasn't obvious.

It's a hell of a lot of work to change things, so you can change character, without a client restart, while making sure there are no problems with it. With the ability to use the launcher to relog in quickly, for a single account (I'm asking for updates with this), that's a lot of effort, for a minor gain. (I run 3 accounts. 1 through the launcher, 2 not. I switch at least twice daily)

Putting SSO out for third parties: Other than legal work, this is mostly adding functionality to existing code. Not a huge investment of developer resource.

Especially not compared to the work put into CQ.

Rein in your hyperbole.



This was like making love to my eyes. I know there's a reason I voted for you, and this is a wonderful example. <3
whatsin aname01
Science and Trade Institute
Caldari State
#27 - 2014-07-03 17:11:50 UTC  |  Edited by: whatsin aname01
I do understand that it is usefull for some. Cool Is there however a way to disable sso for all sites except the eve sites from ccp? Roll
I have a very nasty habbit not to trust any other site. Pirate Maybe that has something to with my day job. I test software for a rather big organisation. TwistedTwisted About 30k employees

Btw I have 15 different passwords for 15 different sites. And I don't use a program to manage that. Big smile
Tau Cabalander
Retirement Retreat
Working Stiffs
#28 - 2014-07-03 17:21:44 UTC
I really hope SSO doesn't use OAuth 2.0

Having the lead OAuth developers leave and demand their names taken off of it, plus the inherent security flaws, doesn't bode well.
Lando Cenvax
The Nose Picker Clown Group
#29 - 2014-07-03 17:26:17 UTC  |  Edited by: Lando Cenvax
Quote:
How to do it the secure way

While any encryption may better than plaintext, using RC4 is considered insecure. RC4 is only acceptable as backup for WinXP Internet Explorer Users -and even that is questionable. RC4 is a no go under normal circumstances.
You may want to review https://www.ssllabs.com/ssltest/analyze.html?d=login.eveonline.com
The supported TLS_RSA_WITH_AES_xxx_CBC_SHA is the absolute minimum I would use today and acceptable for now -but not more than hat.
Although, TLS 1.2 with ECDHE cipher-suites (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for example) would be much better since they also provide forward secrecy.
Unfortunately, the 2 RC4-Ciphers are prefered by server over the more secure AES-Ciphers:

Cipher Suites (SSL 3+ suites in server-preferred order, then SSL 2 suites where used)
  • TLS_RSA_WITH_RC4_128_SHA (0x5) 128 <- probably your current connection
  • TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
  • TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
  • TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128

One might ask now: It's just EVE... not online banking... why bother with security hardening?
Because SSL-Tweaking takes not much time. In fact on most server it's done in a few minutes -assuming you actually do your server-maintenance and keep the software up to date.

Consequently, if you see RC4 in your browsers connection-security window, your data is not secure. Not because someone is going to crack your connection, but because the admin has very likely no idea about properly securing a webserver.

On another note: Enabling HSTS for Login.eveonline.com might be a good idea as well.
Alexis Nightwish
#30 - 2014-07-03 17:36:40 UTC
So you're planning on blasting this info (blog) out as many channels as possible right CCP? Because, shocking as it may seem, a very large portion of EVE players do not read dev blogs. Those are the people who have a much better chance at being duped and hacked simply because they are not informed. If you don't I get the feeling that a lot of the following will take place in the near future:

Player: My account got hacked.
CCP: Account security is the players' responsibility.
Player: **** this! I'm leaving, and I'm taking my money with me.

CCP approaches problems in one of two ways: nudge or cludge

EVE Online's "I win!" Button

Fixing bombs, not the bombers

Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#31 - 2014-07-03 17:39:55 UTC  |  Edited by: Steve Ronuken
whatsin aname01 wrote:
I do understand that it is usefull for some. Cool Is there however a way to disable sso for all sites except the eve sites from ccp? Roll
I have a very nasty habbit not to trust any other site. Pirate Maybe that has something to with my day job. I test software for a rather big organisation. TwistedTwisted About 30k employees

Btw I have 15 different passwords for 15 different sites. And I don't use a program to manage that. Big smile



You'll always have to click through (for character selection), and until you do, nothing gets sent to the site. (when you do, all the site gets is your character id and name, along with a hash to uniquely identify the combination of character and account. Sell the character, and it changes. No way to identify the account, just that it's changed.)

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Zalifer Esepula
Dreddit
Test Alliance Please Ignore
#32 - 2014-07-03 17:47:29 UTC
Love single sign on, bring on mobile authenticators and I'll be even happier!


Next up is can you please either :

A) Disassociate DUST 514 and EVE Online accounts so I can be logged into both forums at once. Currently if one is logged in, the other asks you to sign out.

B) Allow me to link my DUST 514 and EVE Online accounts, so that logging into one of them counts as logging into both. For example, with both forums being logged out, I log into forums.eveonline.com and can go straight to forums.dust514.com and be already logged in.

I don't use the DUST forums much, but when I do want to, it's really really annoying to have to log out of an account for a different game.
Kale Freeman
Garoun Investment Bank
Gallente Federation
#33 - 2014-07-03 17:48:15 UTC  |  Edited by: Kale Freeman
Steve Ronuken wrote:
whatsin aname01 wrote:
I do understand that it is usefull for some. Cool Is there however a way to disable sso for all sites except the eve sites from ccp? Roll
I have a very nasty habbit not to trust any other site. Pirate Maybe that has something to with my day job. I test software for a rather big organisation. TwistedTwisted About 30k employees

Btw I have 15 different passwords for 15 different sites. And I don't use a program to manage that. Big smile



You'll always have to click through (for character selection), and until you do, nothing gets sent to the site. (when you do, all the site gets is your character id and name, along with a hash to uniquely identify the combination of character and account. Sell the character, and it changes. No way to identify the account, just that it's changed.)



You're picturing a naughty site using the real CCP SSO page. The anughty site won't get any useful information until you pick the character, and even then the information isn't that useful. It would be much more effective to have a naughty site using a fake CCP SSO page.

How many people are going to check the domain and validate the certificate and all that?
Dread Nanana
Doomheim
#34 - 2014-07-03 17:48:36 UTC
Lando Cenvax wrote:

Consequently, if you see RC4 in your browsers connection-security window, your data is not secure. Not because someone is going to crack your connection, but because the admin has obviously no idea about properly securing a webserver.


Well, there is only speculation that it is insecure. Though Microsoft indicated to disable RC4 stream ciphers completely.

http://en.wikipedia.org/wiki/RC4

But yes, it's not so good for this to be preferred over higher ciphers. If I disable RC4 stuff in Firefox, it connects with something a little better,

TLS_RSA_WITH_AES_256_CBC_SHA

Still no perfect forward secrecy, but better. I don't know why servers seem to prefer crappier crypto over better crypto out of the box.
Dinsdale Pirannha
Pirannha Corp
#35 - 2014-07-03 17:51:17 UTC
For Luddites like myself, will we still be able to log onto the Eve site as we do today, or are we being forced to use this SSO nonsense?
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#36 - 2014-07-03 17:53:56 UTC
Dinsdale Pirannha wrote:
For Luddites like myself, will we still be able to log onto the Eve site as we do today, or are we being forced to use this SSO nonsense?




Pssst. You've been using the SSO for a fairly long time now.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Rain6637
NulzSec
#37 - 2014-07-03 17:57:53 UTC
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#38 - 2014-07-03 18:00:19 UTC
Kale Freeman wrote:
Steve Ronuken wrote:
whatsin aname01 wrote:
I do understand that it is usefull for some. Cool Is there however a way to disable sso for all sites except the eve sites from ccp? Roll
I have a very nasty habbit not to trust any other site. Pirate Maybe that has something to with my day job. I test software for a rather big organisation. TwistedTwisted About 30k employees

Btw I have 15 different passwords for 15 different sites. And I don't use a program to manage that. Big smile



You'll always have to click through (for character selection), and until you do, nothing gets sent to the site. (when you do, all the site gets is your character id and name, along with a hash to uniquely identify the combination of character and account. Sell the character, and it changes. No way to identify the account, just that it's changed.)



You're picturing a naughty site using the real CCP SSO page. The anughty site won't get any useful information until you pick the character, and even then the information isn't that useful. It would be much more effective to have a naughty site using a fake CCP SSO page.

How many people are going to check the domain and validate the certificate and all that?



That's a problem with any SSO solution (twitter, facebook, et al). However, if you've already signed into the SSO, and used the remember me option, it won't prompt for details, just to pick the character.

And the login page hasn't had autocomplete disabled, so it can have your browser remember your credentials. So you don't need to type them.

Yes, you'll get idiots who won't check the domain. The same idiots who get emails 'from amazon' (not an amazon address) to them (and a bunch of other people in the to line) for an invoice (in a zip file), and think it's legit.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Dinsdale Pirannha
Pirannha Corp
#39 - 2014-07-03 18:14:11 UTC
Steve Ronuken wrote:
Dinsdale Pirannha wrote:
For Luddites like myself, will we still be able to log onto the Eve site as we do today, or are we being forced to use this SSO nonsense?




Pssst. You've been using the SSO for a fairly long time now.



As long as I can log on the same way as I do today, without any more hoop-jumping, and without providing more personal information (love how many sites now require your facebook account to log on), I am fine.
Aalysia Valkeiper
Imperial Shipment
Amarr Empire
#40 - 2014-07-03 18:29:31 UTC
how can anyone say facebook is involved with enhanced security... unless it's because they're a breech?

I don't care who else authenticates the information. If facebook's involved, it's a leaky sieve. There is NO security.