These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/

EVE Information Portal

 
  • Topic is locked indefinitely.
 

Dev blog: EVE Online SSO and what you need to know

First post First post
Author
Reboot Mizuno
Xtreme insidious Corporation
#61 - 2014-07-03 21:16:22 UTC
So I guess this should replace the most used purpose for the API, verify that someone is the owner of a character.

Sadly the API is also used by corporations and alliances to force people to reveal account information like other characters, assets and transactions. I guess it would be hard to disallow use of the API like this, as long as there is no alternative for character verififcation. But now that this is available, i hope CCP will do something about the API mess, and bring it back to the purpose of retrieving information for tools that you run yourself and have control over. Other uses should be banned and no player should be allowed for force another player to reveal information that is not available in the client. That would make EVE a much more fun game to play again.
Lando Cenvax
The Nose Picker Clown Group
#62 - 2014-07-03 21:21:18 UTC
SSO & API Key work similar, but are not the same. API-Key gives someone access to your Information while SSO only provides a website an instant proof that you are the owner of that char.
Terminator 2
Omega Boost
#63 - 2014-07-03 21:44:12 UTC
Steve Ronuken wrote:
Aalysia Valkeiper wrote:
Terminator 2 wrote:
How about anonymity and privacy?

What happens when i have signed into EVE and then browse one of those sites?

Will i first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...

Also, what happens to my EVE session when i chose to logout from SSO to browse one of those sites while trying to preserve my dignity?

I would expect at least a clear privacy statement regarding everything involved with SSO before being forced using any of it.
Also am i forced to use it?

It is because of all those "goodness" happening to us lately that i knowingly refuse and avoid having a facebook account or anything similar that connects different data sources voiding your privacy.


I can answer that, judging from what I have seen regarding CCP's policies 'behind the scene'.

The third parties won't get your IP address if you go to them after logging in with EvE online. Instead, they will get CCP's IP as your proxy.



Nope. No proxy.

They'll get your IP address. Just like they would if you went to their site anyway.


The process is:


  • Go to the 3rd party site.
  • Click the login link.
  • This sends you to the login.eveonline.com site (for the live version. sisilogin.testeveonline.com for the dev), with an identifier saying which site you're coming from.
  • You log onto that site.
  • You pick a character.
  • You get sent back to the original site, onto a particular url that the site owner specified. A code is passed as part of the redirect.
  • That code is checked by the original site (talking to login.eveonline.com) with a secret that's not shared. If everything matches, the character id etc is sent back.


So what is preventing any EVE related site, even the ones in fact authorized by CCP to fake the looks of such a login and steal my account name and password?
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#64 - 2014-07-03 21:48:14 UTC
Uncertain Fate wrote:
Forgive my ignorance, but how is this different (better?) than simply entering your API keys? The significance seems to be lost on me.



Using an api key can, if done properly, prove you have access to the api control panel, thus, the account.

This requires you to create an API key /just/ for that service, with something that service provides to you in the key. (otherwise it could be someone that runs a service that you use, reusing a key)


So it's a bit of a pain. And you still need to use a username and password for that site.

SSO allows you to skip that. And for the owner of the site to not have to deal with managing users.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Rain6637
Simulacra and Simulation
Goonswarm Federation
#65 - 2014-07-03 21:49:59 UTC
is this some sort of compromise regarding the one-site-one-API rule from not too long ago?
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#66 - 2014-07-03 21:50:04 UTC
Terminator 2 wrote:

So what is preventing any EVE related site, even the ones in fact authorized by CCP to fake the looks of such a login and steal my account name and password?


You, paying attention to what the URL is.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Rain6637
Simulacra and Simulation
Goonswarm Federation
#67 - 2014-07-03 21:51:56 UTC
that part I see going bad, and the dev blog struck me as a visual how-to-phish guide
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#68 - 2014-07-03 21:53:33 UTC
Rain6637 wrote:
is this some sort of compromise regarding the one-site-one-API rule from not too long ago?



It's a requirement for CREST (The auth for crest is just an extension of this. For long term things, the site would get a token allowing it to reauthenticate, without needing your credentials. Which can be revoked from the management site. None of that's in place right now, or needed). And convenient.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Tvashnar Crendraven
The Scope
Gallente Federation
#69 - 2014-07-03 21:54:08 UTC
The derp is strong in this one:

"How to do it the secure way"

You're counting on users to comple a complex multi-step process in order to maintain security. Because this isn't automated, it won't happen, ergo insecure.
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#70 - 2014-07-03 21:58:45 UTC  |  Edited by: Steve Ronuken
Tvashnar Crendraven wrote:
The derp is strong in this one:

"How to do it the secure way"

You're counting on users to comple a complex multi-step process in order to maintain security. Because this isn't automated, it won't happen, ergo insecure.



'complex'.

Click a link.
Check the url.
give a username/password.
pick a character
Be logged in.

The only step that you have any chance of screwing up is the 'check the url'

And that's the same step anyone using facebook/twitter/et al to auth needs.

And if you've told the auth site to remember who you are, you don't even really need to do that. As you're not giving it any details.


(yes, it's a bit more complex server side. But I implemented it in a decent fashion, including a bunch of api integration, in about an hour. And made that code available on github. Feel free to check it for mistakes)

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Lothros Andastar
The Scope
Gallente Federation
#71 - 2014-07-03 22:15:36 UTC
Steve Ronuken wrote:
Tvashnar Crendraven wrote:
The derp is strong in this one:

"How to do it the secure way"

You're counting on users to comple a complex multi-step process in order to maintain security. Because this isn't automated, it won't happen, ergo insecure.



'complex'.

Click a link.
Check the url.
give a username/password.
pick a character
Be logged in.

The only step that you have any chance of screwing up is the 'check the url'

And that's the same step anyone using facebook/twitter/et al to auth needs.

And if you've told the auth site to remember who you are, you don't even really need to do that. As you're not giving it any details.


(yes, it's a bit more complex server side. But I implemented it in a decent fashion, including a bunch of api integration, in about an hour. And made that code available on github. Feel free to check it for mistakes)

You misunderestimate how stupid people as a whole are. Eve is no exception to this rule. It's a ticking timebomb waiting to explode, so don't cry when we say "I told you so" six months down the line.
James Amril-Kesh
Viziam
Amarr Empire
#72 - 2014-07-03 22:21:21 UTC
While you're at it could you please fix the forum theme resetting itself to default every single time I log on?

Enjoying the rain today? ;)

James Amril-Kesh
Viziam
Amarr Empire
#73 - 2014-07-03 22:38:41 UTC
Reboot Mizuno wrote:
So I guess this should replace the most used purpose for the API, verify that someone is the owner of a character.

Sadly the API is also used by corporations and alliances to force people to reveal account information like other characters, assets and transactions. I guess it would be hard to disallow use of the API like this, as long as there is no alternative for character verififcation. But now that this is available, i hope CCP will do something about the API mess, and bring it back to the purpose of retrieving information for tools that you run yourself and have control over. Other uses should be banned and no player should be allowed for force another player to reveal information that is not available in the client. That would make EVE a much more fun game to play again.

Nobody forces you to apply to corps that want an API key. Don't want to provide one? Don't apply. It's that simple.

Enjoying the rain today? ;)

Antillie Sa'Kan
Imperial Shipment
Amarr Empire
#74 - 2014-07-03 23:22:50 UTC  |  Edited by: Antillie Sa'Kan
I seriously hope that people are not still using RC4 for HTTPS web sites. AES or go home.
CCP Explorer
C C P
C C P Alliance
#75 - 2014-07-03 23:38:43 UTC
Vincent Athena wrote:
CCP Explorer wrote:
IceGuerilla wrote:
We have this total rubbish, but we still can't change characters without relogging? What a load of poppycock.
You need to explain to me how these two things are linked. One is the login mechanism used by our web sites and services and the launcher, the other is a large repository of legacy code that assumes the character ID won't change while the session is active.

One is a way to log into a service.
The other is a way to log into a service.

You can see why, to us users, it seems to be the same thing.
One is a way to log into a service, the other is how the service the login tokens and caches session information. I can understand how this may appear to be the same, but I hope you understand when we say it isn't.
Vincent Athena wrote:
Waving the "legacy code" flag just makes it look like you are looking for excuses to not do your job.
I wasn't waiving any flags, just explaining the facts. I don't understand why you feel the need to be so antagonistic.

Erlendur S. Thorsteinsson | Senior Development Director | EVE Online // CCP Games | @CCP_Explorer

Tarsas Phage
Freight Club
#76 - 2014-07-04 00:05:12 UTC
Kale Freeman wrote:


How many people are going to check the domain and validate the certificate and all that?


Strictly speaking, you're supposed to do that for any public key-based encryption you interact with, such as SSL.

But in the case of web sites, most people just blindly trust that the browser will tell them something is wrong when in some cases it can't make that determination.

Blastcaps Madullier
The Scope
Gallente Federation
#77 - 2014-07-04 01:16:22 UTC  |  Edited by: Blastcaps Madullier
this is a SERIOUSLY bad idea from start to finish, it doesn't matter how good you make it, someone WILL hack it or find a exploit and by using this you are only going to see a flood of hacked accounts in the near future.

Congratulations on another ill thought out idea and I'm going to be LMFAO when it happens and you start getting a flood of comprimised accounts, all because someone at CCP thought this was a GOOD idea.... maybe next time try thinking up good idea's while under the influance of drink or drugs.....

A better idea would have been to use the API system, not "hey here's all my account details you need to go take over my eve account...."

oh and before you say it won't happen, I'll remind you of a hat community group called lolsec who got into your own servers....
Aalysia Valkeiper
Imperial Shipment
Amarr Empire
#78 - 2014-07-04 01:29:51 UTC
Lando Cenvax wrote:
Aalysia Valkeiper wrote:
Maintaining and updating the older encryption takes less time (costs less) than develping a new encryption. New encryption by default must be radically different from the encryptions they replace, otherwise, their 'shelf-life' is severely curtailed.
Digital Security is a very dynamic field. Malware developers are being paid big money for their product and security firms are as well. There is only one way to 'complete and perfect security'... don't get online and don't provide services to anyone.
The encryption-libraries are available for free and/or are built into webservers. All you need to do is to have a current version and specify which ciphers you allow and which not. You don't need to be a crypto-specialist at all, just need to know that RC4, MD5, DSA are not that good and that elliptic curves (ECDHE-Ciphers) provide forward secrecy. A simple approach to secure HTTPS is using a few ECDHE-Ciphers on top of the list and weak ciphers for older clients on the bottom.

Anyway, to not cause any concerns, https://secure.eveonline.com is actually secure, so your credit card data is safe.

B2T: SSO is Token/Ticket-based as far as I understood. From security point of view this is secure by design.
Basic principle to my understanding: you want to Login at a external website, click on "Login" there and are redirected to login.eveonline.com on separate window/tab/pop-up. Together with this login-Redirection the external site passes a ticket (like session-id) it to login.eveonline.com. When you logged in at login.eveonline.com this ticket is validated and sent back to the external page giving the external page your Char-Name. Login at external Page with your character completed. => Entire Login-Process takes places at login.eveonline.com.


Agreed. EvE online sites are more secure than most (if not all) other gaming sites. They truly seem to know what they're doing.

Just remember there are others out there being paid big money to creat malware.

Thankfully, gaming companies are pretty low on the list of targets for the professional malware developer. Companies like CCP are more likely to be targetted by 'script-kitties'. These are people who can not / do not develope the programs they use and can only wait for the true developers to make something available.

This gives the eventual targets (like CCP) a chance to prepare for the newer iterations, of which CCP's security staff has proven they are very good.
Slicr
#79 - 2014-07-04 01:34:26 UTC  |  Edited by: Slicr
Tau Cabalander wrote:
I really hope SSO doesn't use OAuth 2.0

Having the lead OAuth developers leave and demand their names taken off of it, plus the inherent security flaws, doesn't bode well.



Is CCP dodging this legitimate question?

Please make this an opt-in requirement as I pay to play this game and thus protect my login information for this game and not other 3rd party sites.

Please link the passage that says CCP has the right to allow access to my login information from other 3rd parties?
The fact that a 3rd party can attempt to get my acct access is not right.
When a hack happens (it is not if but when) your customers will not know which 3rd parties have been affected and then it becomes our problem.

It is crazy stuff like this that one has to protect themselves from cuz a company could care less as long as it can make money.
Also, it is the main reason I pay month to month since there have been times and games in the past that one would have wished they only paid monthly.

I believe in being Pro-Active as Opposed to Reactive. Reactive tends to be more costly in time and money.

Rain6637
Simulacra and Simulation
Goonswarm Federation
#80 - 2014-07-04 01:36:25 UTC
what will be the customer support policy in the case of accounts compromised to phishing? will accounts be returned or will players be told it is their responsibility to verify the address and authentication of websites? as in, how much compassion will customer support have for players who fell victim in those cases.