These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/

EVE Information Portal

 
  • Topic is locked indefinitely.
 

Dev blog: EVE Online SSO and what you need to know

First post First post
Author
CCP Explorer
C C P
C C P Alliance
#41 - 2014-07-03 18:47:36 UTC
IceGuerilla wrote:
We have this total rubbish, but we still can't change characters without relogging? What a load of poppycock.
You need to explain to me how these two things are linked. One is the login mechanism used by our web sites and services and the launcher, the other is a large repository of legacy code that assumes the character ID won't change while the session is active.

Erlendur S. Thorsteinsson | Senior Development Director | EVE Online // CCP Games | @CCP_Explorer

CCP Explorer
C C P
C C P Alliance
#42 - 2014-07-03 18:54:47 UTC
Kenneth Feld wrote:
What about Amazon??

I **THOUGHT** I was using SSO to sign on there for like a year now???
Can you detail this question a bit more, please.

Erlendur S. Thorsteinsson | Senior Development Director | EVE Online // CCP Games | @CCP_Explorer

Lothros Andastar
The Scope
Gallente Federation
#43 - 2014-07-03 19:08:59 UTC  |  Edited by: Lothros Andastar
CCP Explorer wrote:
IceGuerilla wrote:
We have this total rubbish, but we still can't change characters without relogging? What a load of poppycock.
You need to explain to me how these two things are linked. One is the login mechanism used by our web sites and services and the launcher, the other is a large repository of legacy code that assumes the character ID won't change while the session is active.

He is referring to the fact that Eve players have been pissed off for quite a while now, because CCP seems to have time and resources for this project that literally zero people wanted or asked for and will cause phishing to go though the damn roof because no matter how secure you make it people are still stupid, but on the other hand finding time to, literally widdle away close to 2 million dollars on failed game projects, but at the same time lack time and resources to providing BASIC functionality and UI customisability that other games have had for decades.

I know that (probably) has nothing to do with you personally, but it still annoys people.

We already have API keys for logging into external sites, we don't need the risk of exposing passwords either through user error, webmaster error or plain simply tech error. We know that SSL is probably compromised if not already but soon.
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#44 - 2014-07-03 19:21:42 UTC
Aalysia Valkeiper wrote:
how can anyone say facebook is involved with enhanced security... unless it's because they're a breech?

I don't care who else authenticates the information. If facebook's involved, it's a leaky sieve. There is NO security.



Facebook aren't involved. They were mentioned as an example of an SSO service. Nothing else.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Tam Althor
Commonwealth Industries
#45 - 2014-07-03 19:25:51 UTC
Lothros Andastar wrote:
CCP Explorer wrote:
IceGuerilla wrote:
We have this total rubbish, but we still can't change characters without relogging? What a load of poppycock.
You need to explain to me how these two things are linked. One is the login mechanism used by our web sites and services and the launcher, the other is a large repository of legacy code that assumes the character ID won't change while the session is active.

He is referring to the fact that Eve players have been pissed off for quite a while now, because CCP seems to have time and resources for this project that literally zero people wanted or asked for and will cause phishing to go though the damn roof because no matter how secure you make it people are still stupid, but on the other hand finding time to, literally widdle away close to 2 million dollars on failed game projects, but at the same time lack time and resources to providing BASIC functionality and UI customisability that other games have had for decades.

I know that (probably) has nothing to do with you personally, but it still annoys people.

We already have API keys for logging into external sites, we don't need the risk of exposing passwords either through user error, webmaster error or plain simply tech error. We know that SSL is probably compromised if not already but soon.


Add to this, two factor authentication that was promised and then forgotten about. CCP is getting back on the path of delivering crap that they want and that players don't care about.
Terminator 2
Omega Boost
#46 - 2014-07-03 19:29:32 UTC  |  Edited by: Terminator 2
How about anonymity and privacy?

What happens when i have signed into EVE and then browse one of those sites?

Will i first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...

Also, what happens to my EVE session when i chose to logout from SSO to browse one of those sites while trying to preserve my dignity?

I would expect at least a clear privacy statement regarding everything involved with SSO before being forced using any of it.
Also am i forced to use it?

It is because of all those "goodness" happening to us lately that i knowingly refuse and avoid having a facebook account or anything similar that connects different data sources voiding your privacy.
Aalysia Valkeiper
Imperial Shipment
Amarr Empire
#47 - 2014-07-03 19:31:19 UTC
whatsin aname01 wrote:
I do understand that it is usefull for some. Cool Is there however a way to disable sso for all sites except the eve sites from ccp? Roll
I have a very nasty habbit not to trust any other site. Pirate Maybe that has something to with my day job. I test software for a rather big organisation. TwistedTwisted About 30k employees

Btw I have 15 different passwords for 15 different sites. And I don't use a program to manage that. Big smile


I'm studying Network Security and Digital Forensics under scholarship. With one program, I'm learning how to keep computers safe from intrusion. With the other program, I'm learning how to break into them.

Like you, I've gotten a severe case of paranioa when it pertains to 'third party' applications... especially the "single-signon-services". The so-called 'social sites' rate on the 'trustworthy' scale just above politicians and facebook rates as the lowest of all those.

I want nothing to do with any services outside EvE online.

I want to know if we will have the option to NOT use this SSO.
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#48 - 2014-07-03 19:34:34 UTC  |  Edited by: Steve Ronuken
Terminator 2 wrote:
How about anonymity and privacy?

What happens when i have signed into EVE and then browse one of those sites?

Will i first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...

Also, what happens to my EVE session when i chose to logout from SSO to browse one of those sites while trying to preserve my dignity?

I would expect at least a clear privacy statement regarding everything involved with SSO before being forced using any of it.
Also am i forced to use it?

It is because of all those "goodness" happening to us lately that i knowingly refuse and avoid having a facebook account or anything similar that connects different data sources voiding your privacy.


You have to explicitly authenticate against those sites, picking the character that you want them to see.

Nothing automatic.

(And it has been stated, you're already using it. It's how you sign into any CCP site. Third party sites have an additional step, not seeing the account level, just a character you select as part of the auth process)

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Aalysia Valkeiper
Imperial Shipment
Amarr Empire
#49 - 2014-07-03 19:42:52 UTC
Dread Nanana wrote:
Lando Cenvax wrote:

Consequently, if you see RC4 in your browsers connection-security window, your data is not secure. Not because someone is going to crack your connection, but because the admin has obviously no idea about properly securing a webserver.


Well, there is only speculation that it is insecure. Though Microsoft indicated to disable RC4 stream ciphers completely.

http://en.wikipedia.org/wiki/RC4

But yes, it's not so good for this to be preferred over higher ciphers. If I disable RC4 stuff in Firefox, it connects with something a little better,

TLS_RSA_WITH_AES_256_CBC_SHA

Still no perfect forward secrecy, but better. I don't know why servers seem to prefer crappier crypto over better crypto out of the box.


Maintaining and updating the older encryption takes less time (costs less) than develping a new encryption. New encryption by default must be radically different from the encryptions they replace, otherwise, their 'shelf-life' is severely curtailed.

Digital Security is a very dynamic field. Malware developers are being paid big money for their product and security firms are as well. There is only one way to 'complete and perfect security'... don't get online and don't provide services to anyone.
Kale Freeman
Garoun Investment Bank
Gallente Federation
#50 - 2014-07-03 19:51:50 UTC  |  Edited by: Kale Freeman
Steve Ronuken wrote:
Terminator 2 wrote:
How about anonymity and privacy?

What happens when i have signed into EVE and then browse one of those sites?

Will i first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...

Also, what happens to my EVE session when i chose to logout from SSO to browse one of those sites while trying to preserve my dignity?

I would expect at least a clear privacy statement regarding everything involved with SSO before being forced using any of it.
Also am i forced to use it?

It is because of all those "goodness" happening to us lately that i knowingly refuse and avoid having a facebook account or anything similar that connects different data sources voiding your privacy.


You have to explicitly authenticate against those sites, picking the character that you want them to see.

Nothing automatic.

(And it has been stated, you're already using it. It's how you sign into any CCP site. Third party sites have an additional step, not seeing the account level, just a character you select as part of the auth process)


How is it going to work for someone who wants to be one character when logging into this alliances infrastructure and another character when logging into another alliances infrastructure? I guess he will just have login with username and password each time he goes to either forum. No more cookies for him.
Aalysia Valkeiper
Imperial Shipment
Amarr Empire
#51 - 2014-07-03 19:52:05 UTC
Steve Ronuken wrote:
Aalysia Valkeiper wrote:
how can anyone say facebook is involved with enhanced security... unless it's because they're a breech?

I don't care who else authenticates the information. If facebook's involved, it's a leaky sieve. There is NO security.



Facebook aren't involved. They were mentioned as an example of an SSO service. Nothing else.



That is good. I guess my opinion was a bit too blatant. sorry.

I've gotten a little too close a look at many companies' security systems in the last 3 years and it's made me a bit paraniod.

Facebook has been a shining example of how NOT to run security throughout my study's.

CCP, on the other hand gets a MUCH better grade. You guys seem to know what you're doing in security. I know it isn't easy in the type of industry you're in.

Aalysia Valkeiper
Imperial Shipment
Amarr Empire
#52 - 2014-07-03 19:55:54 UTC
Terminator 2 wrote:
How about anonymity and privacy?

What happens when i have signed into EVE and then browse one of those sites?

Will i first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...

Also, what happens to my EVE session when i chose to logout from SSO to browse one of those sites while trying to preserve my dignity?

I would expect at least a clear privacy statement regarding everything involved with SSO before being forced using any of it.
Also am i forced to use it?

It is because of all those "goodness" happening to us lately that i knowingly refuse and avoid having a facebook account or anything similar that connects different data sources voiding your privacy.


I can answer that, judging from what I have seen regarding CCP's policies 'behind the scene'.

The third parties won't get your IP address if you go to them after logging in with EvE online. Instead, they will get CCP's IP as your proxy.
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#53 - 2014-07-03 19:56:55 UTC
Kale Freeman wrote:
Steve Ronuken wrote:
Terminator 2 wrote:
How about anonymity and privacy?

What happens when i have signed into EVE and then browse one of those sites?

Will i first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...

Also, what happens to my EVE session when i chose to logout from SSO to browse one of those sites while trying to preserve my dignity?

I would expect at least a clear privacy statement regarding everything involved with SSO before being forced using any of it.
Also am i forced to use it?

It is because of all those "goodness" happening to us lately that i knowingly refuse and avoid having a facebook account or anything similar that connects different data sources voiding your privacy.


You have to explicitly authenticate against those sites, picking the character that you want them to see.

Nothing automatic.

(And it has been stated, you're already using it. It's how you sign into any CCP site. Third party sites have an additional step, not seeing the account level, just a character you select as part of the auth process)


How is it going to work for someone who wants to be one character when logging into this alliances infrastructure and another character when logging into another alliances infrastrcuture? I guess he will just have login with username and password each time he goes to either forum. No more cookies for him.



If you want to auth with a different account, then you'll need to change your log on for login.eveonline.com. If it's just another character on the same account, you won't. (There's a very basic version up and running on my site, if you want to see it in action. I'd suggest logging onto the https://sisilogin.testeveonline.com/ site first, if you've never done it before. )

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#54 - 2014-07-03 20:03:04 UTC
Aalysia Valkeiper wrote:
Terminator 2 wrote:
How about anonymity and privacy?

What happens when i have signed into EVE and then browse one of those sites?

Will i first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...

Also, what happens to my EVE session when i chose to logout from SSO to browse one of those sites while trying to preserve my dignity?

I would expect at least a clear privacy statement regarding everything involved with SSO before being forced using any of it.
Also am i forced to use it?

It is because of all those "goodness" happening to us lately that i knowingly refuse and avoid having a facebook account or anything similar that connects different data sources voiding your privacy.


I can answer that, judging from what I have seen regarding CCP's policies 'behind the scene'.

The third parties won't get your IP address if you go to them after logging in with EvE online. Instead, they will get CCP's IP as your proxy.



Nope. No proxy.

They'll get your IP address. Just like they would if you went to their site anyway.


The process is:


  • Go to the 3rd party site.
  • Click the login link.
  • This sends you to the login.eveonline.com site (for the live version. sisilogin.testeveonline.com for the dev), with an identifier saying which site you're coming from.
  • You log onto that site.
  • You pick a character.
  • You get sent back to the original site, onto a particular url that the site owner specified. A code is passed as part of the redirect.
  • That code is checked by the original site (talking to login.eveonline.com) with a secret that's not shared. If everything matches, the character id etc is sent back.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Aalysia Valkeiper
Imperial Shipment
Amarr Empire
#55 - 2014-07-03 20:16:15 UTC
Steve Ronuken wrote:
Aalysia Valkeiper wrote:
Terminator 2 wrote:
How about anonymity and privacy?

What happens when i have signed into EVE and then browse one of those sites?

Will i first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...

Also, what happens to my EVE session when i chose to logout from SSO to browse one of those sites while trying to preserve my dignity?

I would expect at least a clear privacy statement regarding everything involved with SSO before being forced using any of it.
Also am i forced to use it?

It is because of all those "goodness" happening to us lately that i knowingly refuse and avoid having a facebook account or anything similar that connects different data sources voiding your privacy.


I can answer that, judging from what I have seen regarding CCP's policies 'behind the scene'.

The third parties won't get your IP address if you go to them after logging in with EvE online. Instead, they will get CCP's IP as your proxy.



Nope. No proxy.

They'll get your IP address. Just like they would if you went to their site anyway.


The process is:


  • Go to the 3rd party site.
  • Click the login link.
  • This sends you to the login.eveonline.com site (for the live version. sisilogin.testeveonline.com for the dev), with an identifier saying which site you're coming from.
  • You log onto that site.
  • You pick a character.
  • You get sent back to the original site, onto a particular url that the site owner specified. A code is passed as part of the redirect.
  • That code is checked by the original site (talking to login.eveonline.com) with a secret that's not shared. If everything matches, the character id etc is sent back.


hmmm... I misunderstood what I was looking at. That was a very basic mistake, too. I guess I still have quite a bit more to look thru.
Rain6637
NulzSec
#56 - 2014-07-03 20:37:27 UTC  |  Edited by: Rain6637
that's pretty slick. so these sites -won't- see my account name and login?

I've read through the dev blog twice now, and that part is still unclear.

//ok. i see it now. took 3 tries: middle of the second paragraph.

I think the title of the dev blog should be more like: SSO: log in to third party sites without revealing account info

main idea up-front/cut to the chase... because attention span. as hard as I tried, my pupils dilated as I began reading that article (in that way when it's just like 'ok i dunno wtf').
Vincent Athena
Photosynth
Just let it happen
#57 - 2014-07-03 21:04:29 UTC
CCP Explorer wrote:
IceGuerilla wrote:
We have this total rubbish, but we still can't change characters without relogging? What a load of poppycock.
You need to explain to me how these two things are linked. One is the login mechanism used by our web sites and services and the launcher, the other is a large repository of legacy code that assumes the character ID won't change while the session is active.

One is a way to log into a service.
The other is a way to log into a service.

You can see why, to us users, it seems to be the same thing.

Waving the "legacy code" flag just makes it look like you are looking for excuses to not do your job.

Know a Frozen fan? Check this out

Frozen fanfiction

Tzar Sinak
Mythic Heights
#58 - 2014-07-03 21:04:55 UTC
Thank you for the dev blog. I am not certain if I read it or not but I do not think i saw a "why". Why is CCP doing this? Thanks.

Hydrostatic Podcast First class listening of all things EVE

Check out the Eve-Prosper show for your market updates!

Lando Cenvax
The Nose Picker Clown Group
#59 - 2014-07-03 21:05:33 UTC
Aalysia Valkeiper wrote:
Maintaining and updating the older encryption takes less time (costs less) than develping a new encryption. New encryption by default must be radically different from the encryptions they replace, otherwise, their 'shelf-life' is severely curtailed.
Digital Security is a very dynamic field. Malware developers are being paid big money for their product and security firms are as well. There is only one way to 'complete and perfect security'... don't get online and don't provide services to anyone.
The encryption-libraries are available for free and/or are built into webservers. All you need to do is to have a current version and specify which ciphers you allow and which not. You don't need to be a crypto-specialist at all, just need to know that RC4, MD5, DSA are not that good and that elliptic curves (ECDHE-Ciphers) provide forward secrecy. A simple approach to secure HTTPS is using a few ECDHE-Ciphers on top of the list and weak ciphers for older clients on the bottom.

Anyway, to not cause any concerns, https://secure.eveonline.com is actually secure, so your credit card data is safe.

B2T: SSO is Token/Ticket-based as far as I understood. From security point of view this is secure by design.
Basic principle to my understanding: you want to Login at a external website, click on "Login" there and are redirected to login.eveonline.com on separate window/tab/pop-up. Together with this login-Redirection the external site passes a ticket (like session-id) it to login.eveonline.com. When you logged in at login.eveonline.com this ticket is validated and sent back to the external page giving the external page your Char-Name. Login at external Page with your character completed. => Entire Login-Process takes places at login.eveonline.com.
Uncertain Fate
Deep Core Mining Inc.
Caldari State
#60 - 2014-07-03 21:07:10 UTC
Forgive my ignorance, but how is this different (better?) than simply entering your API keys? The significance seems to be lost on me.