These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/

EVE Information Portal

 
  • Topic is locked indefinitely.
 

Dev blog: EVE Online SSO and what you need to know

First post First post
Author
Ten Bulls
Sons of Olsagard
#81 - 2014-07-04 01:45:15 UTC
"Sadly, EVE is full of fraudsters lingering around and waiting for a chance to make profit or gain some benefits and they are happy to do this any way you could potentially think of. They try to trick you into [insert latest scam here] with the help of social and technical measures including phishing and spoofing of authorities as well as web portals."
Max Kolonko
Caldari Provisions
Caldari State
#82 - 2014-07-04 06:03:57 UTC
Slicr wrote:
Tau Cabalander wrote:
I really hope SSO doesn't use OAuth 2.0

Having the lead OAuth developers leave and demand their names taken off of it, plus the inherent security flaws, doesn't bode well.



Is CCP dodging this legitimate question?

Please make this an opt-in requirement as I pay to play this game and thus protect my login information for this game and not other 3rd party sites.

Please link the passage that says CCP has the right to allow access to my login information from other 3rd parties?
The fact that a 3rd party can attempt to get my acct access is not right.
When a hack happens (it is not if but when) your customers will not know which 3rd parties have been affected and then it becomes our problem.

It is crazy stuff like this that one has to protect themselves from cuz a company could care less as long as it can make money.
Also, it is the main reason I pay month to month since there have been times and games in the past that one would have wished they only paid monthly.


LOL, dont want it? Dont use it. Its that simple.

Ofc You may soon realize that you cant use dotlan without loging in (just an example)
Max Kolonko
Caldari Provisions
Caldari State
#83 - 2014-07-04 06:05:56 UTC
Rain6637 wrote:
what will be the customer support policy in the case of accounts compromised to phishing? will accounts be returned or will players be told it is their responsibility to verify the address and authentication of websites? as in, how much compassion will customer support have for players who fell victim in those cases.


Thats a valid point and I think that CCP already have policies for that (people fall for phising for eve accounts credentials all the time and ccp have to deal with it quite regurarly i presume)
Irumani
ICE is Coming to EVE
Goonswarm Federation
#84 - 2014-07-04 06:24:59 UTC
That is a very cool addition, that'll help reduce the amount of accounts I have to create on the myriad of EVE-related websites.
Please don't mind the idiots unable to understand what all of this means.

It looks like no one mentioned it before, but are you looking into a possible integration of two-factor auth for EVE and/or website logins? More and more services and games make use of it.

Also, if you do add 2FA, please ensure corp leaders can see who's got it activated and who hasn't (Github does that for Teams) to help reduce the potential damage caused by an account hack.

You're not supposed to feel like you're logging in to a happy, happy, fluffy, fluffy lala land filled with fun and adventures, that's what hello kitty online is for.

  • CCP Wrangler
Schmata Bastanold
In Boobiez We Trust
#85 - 2014-07-04 06:41:23 UTC
CCP Explorer wrote:
Vincent Athena wrote:
Waving the "legacy code" flag just makes it look like you are looking for excuses to not do your job.
I wasn't waiving any flags, just explaining the facts. I don't understand why you feel the need to be so antagonistic.


Because anything even remotely useful and desired by players is always behind that barb-wire fence with "Legacy code" sign all over it. Maybe that's why.

Invalid signature format

Dinsdale Pirannha
Pirannha Corp
#86 - 2014-07-04 07:17:17 UTC
Steve Ronuken wrote:
Terminator 2 wrote:
How about anonymity and privacy?

What happens when i have signed into EVE and then browse one of those sites?

Will i first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...

Also, what happens to my EVE session when i chose to logout from SSO to browse one of those sites while trying to preserve my dignity?

I would expect at least a clear privacy statement regarding everything involved with SSO before being forced using any of it.
Also am i forced to use it?

It is because of all those "goodness" happening to us lately that i knowingly refuse and avoid having a facebook account or anything similar that connects different data sources voiding your privacy.


You have to explicitly authenticate against those sites, picking the character that you want them to see.

Nothing automatic.

(And it has been stated, you're already using it. It's how you sign into any CCP site. Third party sites have an additional step, not seeing the account level, just a character you select as part of the auth process)

Dinsdale Pirannha
Pirannha Corp
#87 - 2014-07-04 07:19:32 UTC
Steve Ronuken wrote:
Terminator 2 wrote:
How about anonymity and privacy?

What happens when i have signed into EVE and then browse one of those sites?

Will i first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...

Also, what happens to my EVE session when i chose to logout from SSO to browse one of those sites while trying to preserve my dignity?

I would expect at least a clear privacy statement regarding everything involved with SSO before being forced using any of it.
Also am i forced to use it?

It is because of all those "goodness" happening to us lately that i knowingly refuse and avoid having a facebook account or anything similar that connects different data sources voiding your privacy.


You have to explicitly authenticate against those sites, picking the character that you want them to see.

Nothing automatic.

(And it has been stated, you're already using it. It's how you sign into any CCP site. Third party sites have an additional step, not seeing the account level, just a character you select as part of the auth process)



And how long before TMC catches the unwary and trusting, gaining their IP, user name, and possibly password, and wrecking the game for so many.

And please don't tell me they will use the honour system.
Dinsdale Pirannha
Pirannha Corp
#88 - 2014-07-04 07:23:23 UTC
Blastcaps Madullier wrote:
this is a SERIOUSLY bad idea from start to finish, it doesn't matter how good you make it, someone WILL hack it or find a exploit and by using this you are only going to see a flood of hacked accounts in the near future.

Congratulations on another ill thought out idea and I'm going to be LMFAO when it happens and you start getting a flood of comprimised accounts, all because someone at CCP thought this was a GOOD idea.... maybe next time try thinking up good idea's while under the influance of drink or drugs.....

A better idea would have been to use the API system, not "hey here's all my account details you need to go take over my eve account...."

oh and before you say it won't happen, I'll remind you of a hat community group called lolsec who got into your own servers....


This was likely proposed to CCP by the very people that will exploit the hell out of it, but hey, we already know that in CCP's eyes this group can do no wrong.
Ereshgikal
Wharf Crusaders
#89 - 2014-07-04 08:47:06 UTC
Aalysia Valkeiper wrote:

I'm studying Network Security and Digital Forensics under scholarship. With one program, I'm learning how to keep computers safe from intrusion. With the other program, I'm learning how to break into them.



Aalysia Valkeiper wrote:
Steve Ronuken wrote:
Aalysia Valkeiper wrote:
Terminator 2 wrote:
How about anonymity and privacy?

What happens when i have signed into EVE and then browse one of those sites?

Will i first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...

Also, what happens to my EVE session when i chose to logout from SSO to browse one of those sites while trying to preserve my dignity?

I would expect at least a clear privacy statement regarding everything involved with SSO before being forced using any of it.
Also am i forced to use it?

It is because of all those "goodness" happening to us lately that i knowingly refuse and avoid having a facebook account or anything similar that connects different data sources voiding your privacy.


I can answer that, judging from what I have seen regarding CCP's policies 'behind the scene'.

The third parties won't get your IP address if you go to them after logging in with EvE online. Instead, they will get CCP's IP as your proxy.


Nope. No proxy.

They'll get your IP address. Just like they would if you went to their site anyway.


The process is:


  • Go to the 3rd party site.
  • Click the login link.
  • This sends you to the login.eveonline.com site (for the live version. sisilogin.testeveonline.com for the dev), with an identifier saying which site you're coming from.
  • You log onto that site.
  • You pick a character.
  • You get sent back to the original site, onto a particular url that the site owner specified. A code is passed as part of the redirect.
  • That code is checked by the original site (talking to login.eveonline.com) with a secret that's not shared. If everything matches, the character id etc is sent back.


hmmm... I misunderstood what I was looking at. That was a very basic mistake, too. I guess I still have quite a bit more to look thru.



Good luck with your studies. You seem to need it. Lol

There are so many hobby tinfoil hat wearers out there with an opinion how stuff works lacking the knowledge how it really works that there are few comments in this thread even worth listening to other than as signs of people being paranoid about changes (which is no surprise, this is EVE).
Tarsas Phage
Freight Club
#90 - 2014-07-04 08:49:26 UTC
Uncertain Fate wrote:
Forgive my ignorance, but how is this different (better?) than simply entering your API keys? The significance seems to be lost on me.


In security parlance, there is an important distinction between Authentication (ergo "I can prove who I am") versus Authori(sz)ation (ergo "This is what this person can do")

API keys are just a blanket form of Authorization - Just because you have someone's API keys, you are not proving that you're actually the person that made them, or who they belong to. They can be stolen API keys, copied from somewhere else and being used unbeknownst to the actual owner.

SSO provides the ability for someone to prove who they are - "I am this person and I know their password to prove it" and if CCP ever does 2-factor auth that would be "I am this person, this is what I know (password) and this is what I have (token generator) to prove it"

The nice thing about SSO systems is that a participating site can utilize it, but doesn't have to handle and sensitive info such as account names and passwords. Basically, it's CCP saying "It's cool, he is who he says he is" to a participating site. CCP can change how auth is done without the participating sites having to alter their code because in the end that short little conversion stays the same (cookie in your browser that says so)
Tarsas Phage
Freight Club
#91 - 2014-07-04 08:58:53 UTC  |  Edited by: Tarsas Phage
Dinsdale Pirannha wrote:
Blastcaps Madullier wrote:
this is a SERIOUSLY bad idea from start to finish, it doesn't matter how good you make it, someone WILL hack it or find a exploit and by using this you are only going to see a flood of hacked accounts in the near future.

Congratulations on another ill thought out idea and I'm going to be LMFAO when it happens and you start getting a flood of comprimised accounts, all because someone at CCP thought this was a GOOD idea.... maybe next time try thinking up good idea's while under the influance of drink or drugs.....

A better idea would have been to use the API system, not "hey here's all my account details you need to go take over my eve account...."

oh and before you say it won't happen, I'll remind you of a hat community group called lolsec who got into your own servers....


This was likely proposed to CCP by the very people that will exploit the hell out of it, but hey, we already know that in CCP's eyes this group can do no wrong.



Security is a complex thing, and when people can't wrap their head around a specific topic or its specific, often complex implementation, we see their brains short circuit in a cloud of tinfoil smoke, such as the gentleman you replied to.

They know they should understand it because hey, they're a first-year undergrad Java programmer, they should know all the things and be Web 3.0 and just learned what a linked list is right? But they don't, so they default to spewing tinhattery gibberish and saying those incredibly generalized sound bites that were cribbed from some mass-market online news site.
Ereshgikal
Wharf Crusaders
#92 - 2014-07-04 09:03:38 UTC
Reboot Mizuno wrote:
Other uses should be banned and no player should be allowed for force another player to reveal information that is not available in the client. That would make EVE a much more fun game to play again.


Who is forcing anyone to reveal information? If corporation A says "No, you can't join us unless we get access to your API" and you don't want to hand over your API...well, then you don't get to join corporation A. vOv
There is no one forcing you anywhere in EVE.

You are not entitled to join any corporation or alliance just because you want to.
Ereshgikal
Wharf Crusaders
#93 - 2014-07-04 09:06:22 UTC
Terminator 2 wrote:
Steve Ronuken wrote:
Aalysia Valkeiper wrote:
Terminator 2 wrote:
How about anonymity and privacy?

What happens when i have signed into EVE and then browse one of those sites?

Will i first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...

Also, what happens to my EVE session when i chose to logout from SSO to browse one of those sites while trying to preserve my dignity?

I would expect at least a clear privacy statement regarding everything involved with SSO before being forced using any of it.
Also am i forced to use it?

It is because of all those "goodness" happening to us lately that i knowingly refuse and avoid having a facebook account or anything similar that connects different data sources voiding your privacy.


I can answer that, judging from what I have seen regarding CCP's policies 'behind the scene'.

The third parties won't get your IP address if you go to them after logging in with EvE online. Instead, they will get CCP's IP as your proxy.



Nope. No proxy.

They'll get your IP address. Just like they would if you went to their site anyway.


The process is:


  • Go to the 3rd party site.
  • Click the login link.
  • This sends you to the login.eveonline.com site (for the live version. sisilogin.testeveonline.com for the dev), with an identifier saying which site you're coming from.
  • You log onto that site.
  • You pick a character.
  • You get sent back to the original site, onto a particular url that the site owner specified. A code is passed as part of the redirect.
  • That code is checked by the original site (talking to login.eveonline.com) with a secret that's not shared. If everything matches, the character id etc is sent back.


So what is preventing any EVE related site, even the ones in fact authorized by CCP to fake the looks of such a login and steal my account name and password?


Nothing. Exactly how it is today. If someone want to set up a honeypot and lure gullible players to give their login/password then they could do it today already.
Aalysia Valkeiper
Imperial Shipment
Amarr Empire
#94 - 2014-07-04 10:19:38 UTC
Slicr wrote:
Is CCP dodging this legitimate question?


It's more a case of "what do we reveal to potential hackers?"

If you try to reassure players by telling them you won't be using this, you are helping the unethical hacker determine his best mode of attack.
In that case, if you have monitors set up to alert you to attempts to exploit this, they avoid those monitors (by not trying to use it) and may actually find a useful mode.
If you were planning to use it, you don't want the unethical hacker to know it before you fix the vulnerabilities.

Please, realize CCP security professionals walk a very difficult path. Providing security for a global community like EvE online is not a joyride and they deserve a lot of respect for how well they have done.

Sure, they may have failed on occasion, but that is not because they weren't trying. NOBODY can do such a job flawlessly.
Tarsas Phage
Freight Club
#95 - 2014-07-04 10:30:18 UTC
Ten Bulls wrote:
"Sadly, EVE is full of fraudsters lingering around and waiting for a chance to make profit or gain some benefits and they are happy to do this any way you could potentially think of. They try to trick you into [insert latest scam here] with the help of social and technical measures including phishing and spoofing of authorities as well as web portals."


"HI I don't understand how this stuff works but in an attempt to look insightful I'm going to quote something that someone else said in hope that I might at some future date feel smug in that I might have been somewhat correct."
Jessica Danikov
Network Danikov
#96 - 2014-07-04 11:05:51 UTC  |  Edited by: Jessica Danikov
Oh, CCP. I think you've fallen into a semantic trap.

SSO = Single Sign-On... the idea is you sign on once and you're automatically signed into multiple systems, e.g. I sign into account management, I can freely browse to the forums, dotlan, any other supported website or even open the EVE client and I am still logged in. I have signed in a single time, hence, SSO.

I believe what you've implemented is federated identity management (which SSO can be a part of, but isn't necessarily so). It's something like Facebook connect- various websites may use your EVE account as the basis for an account on their system, federating authentication to CCP. In essence, single login credentials (which is not the same thing as SSO).

As we don't have Single Sign On on the EVE website currently, only federated identity between the sub-sites, the dev blog sounds like CCP are merely extending that federation to third-party sites. If that isn't the case and you have implemented true SSO, I'd love for a clarification on the matter.
Rook Sasen
School of Applied Knowledge
Caldari State
#97 - 2014-07-04 11:06:38 UTC
I find it hard to exchange any information with a site not directly tied to the original gaming site, and even then it isn't always to be considered safe. I was a long time WoW player who had my account hacked, and the hack that was done, was admitted by Wow, to have come from an employee that was later fired, however, I never got a damn thing back that I had lost after over 5 years of play. I quit, and have never been back. I now have money invested in Eve Online, and if this new SSO system allows me to get hacked again, I will never get back on Eve again either, and that is a promise.
Wollari
Dirt Nap Squad
#98 - 2014-07-04 11:33:34 UTC
Rook Sasen wrote:
... I now have money invested in Eve Online, and if this new SSO system allows me to get hacked again, I will never get back on Eve again either, and that is a promise.

As other people said earlier: You don't have to use the SSO. It's an additional service that allows 3rd party web pages to authenticate you via eveonline.com (similar to google or facebook login). I you don't trust the 3rd party page or the application you don't have to use it and not get tricked into entering your account informations on a phising page.

Don't like it, don't use it. I guess most 3rd party sites will offer other login services like username/password, google, facebook, other what so ever. Only when your alliance or corp leadership thinks about switching their member management application to sso-only you might come in trouble with do I trust my corp or don't I. In every case you've to be careful where you enter your credentials.

P.S: if you're already logged in into login.eveonline.com you'll directly see the character selection window and no further account credentails are required. If you know exactly that you're logged in (most people are due to forums, etc) and you should enter your credentials, be careful and double/triple check the valid redirect.

DOTLAN EveMaps | Your out-of-game map, navigation toolset, sov database, etc. since 2008

Wollari
Dirt Nap Squad
#99 - 2014-07-04 11:44:05 UTC
What people might have not realized yet. The SSO is the initial step for Authenticated CREST. If (one day) CCP will provide read/write API Calls via CREST to your character you'll be forced to authenticate via SSO and then approve the requested scopes (access level) that the application is asking for. (You likely all know it from facebook. If some funky application requests write access to my fb wall they usually can die in hell and I'll not use them, while other applications might be okay and get my approval).

In the end it's always up to the user if they make use of SSO login on a 3rd party page and if they be careful during the login procedure.

One last thing to Authenticated CREST (future thing). You can bet that if in some couple Years CCP will start with authenticated crest they'll be very careful with what access level they'll provide. No one wants a 3rd party application that micro manages the market ingame, etc.

But right now it's only authentication which returns the information below (not more, taken from the SSO documentation)
Quote:
{
CharacterID: 273042051
CharacterName: "CCP illurkall"
ExpiresOn: "2014-05-23T15:01:15.182864Z"
Scopes: " "
TokenType: "Character"
CharacterOwnerHash: "XM4D...FoY="
}

This is all what we application developer will get to see right now. Okay, with the characterID I can do public API requests to get more public information about the given character (like alliance, corp, secstatus, etc) but that's not critical IMHO.

DOTLAN EveMaps | Your out-of-game map, navigation toolset, sov database, etc. since 2008

Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#100 - 2014-07-04 11:53:02 UTC
As an aside, the possible game issues with Authenticated CREST are one of the reasons I wanted to get onto the CSM.

They have a lot of scope for making the game more fun for people, where they can take out the annoying management crap (Standing management, fitting a thousand ships, managing your SRP).

They also have scope for breaking things, to the point you have to use a third party app to be competitive. That I want to avoid. In general, if it makes ISK (directly or indirectly. Market for direct, industry for indirect) I'd want to avoid making it writable. The good news is, CCP seem to feel the same

Then you have edge conditions, like the skill queue. Because if you give api access to it, well, you've just set up an infinite queue. (unless something is done to stop it. Might be possible)

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter