These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/

EVE Information Portal

 
  • Topic is locked indefinitely.
 

Dev blog: EVE Online SSO and what you need to know

First post First post
Author
Rain6637
Simulacra and Simulation
Goonswarm Federation
#121 - 2014-07-07 21:35:41 UTC
not participating is simple: don't use sites that ask for SSO. the two sites I participate in currently are Eveboard (EB) and zkillboard, EB via API and zkillboard via manually/selectively submitting killmails. There's a lot that I don't let EB see, and opening my CREST is a bit of a jump... opening it to other sites is most likely not something I will do.

yeah, i'm paranoid. (don't hate the player hate the metagame).
Zanthra Shard
Sebiestor Tribe
Minmatar Republic
#122 - 2014-07-08 06:34:52 UTC  |  Edited by: Zanthra Shard
Blastcaps Madullier wrote:
Dinsdale Pirannha wrote:
Blastcaps Madullier wrote:
this is a SERIOUSLY bad idea from start to finish, it doesn't matter how good you make it, someone WILL hack it or find a exploit and by using this you are only going to see a flood of hacked accounts in the near future.

Congratulations on another ill thought out idea and I'm going to be LMFAO when it happens and you start getting a flood of comprimised accounts, all because someone at CCP thought this was a GOOD idea.... maybe next time try thinking up good idea's while under the influance of drink or drugs.....

A better idea would have been to use the API system, not "hey here's all my account details you need to go take over my eve account...."

oh and before you say it won't happen, I'll remind you of a hat community group called lolsec who got into your own servers....


This was likely proposed to CCP by the very people that will exploit the hell out of it, but hey, we already know that in CCP's eyes this group can do no wrong.


one of the easiest ways of comprimise is going to be man in the middle attacks...


A man in the middle attack would require both a signed certificate for login.eveonline.com , and the private key to go with that certificate. No trusted certificate authority would sign a certificate for that website without verifying your identiry.


As to giving third party websites your login info, it does not happen in this system. As I understand it the process works like this:

When you go to the third party website and ask to authenticate yourself, they forward you to CCPs website, which includes enough information for CCP to know what website it was that sent you to their site.

Your Web Browser leaves the Third Party Site, and connects to the login.eveonline.com website. There, if you are not already logged in from some other visit, you can enter your Username and Password. When you login that information goes to CCP and only CCP.

After you login, or if you already logged in on a previous visit to CCPs page (possibly forwarded from another Third Party site, or possibly through some integration with the Ingame Browser authenticating you client), you will get the option to select a character, and you will be asked if you want to let the website access your information. Because each website is required to provide various information to CCP, such as the name and description of the website, and the address, you can verify that there, and it will be listed on CCPs website what information that website can get from CCP. If you reject this, the Third Party Site will not get any information.

If you accept, the login page will send you back to the Third Party Website with a key that that website can use through CREST to access information on your account.


It's actually really handy even though there is only just the Character ID and Character+Account hash, as this can be used in leu of a websites standard login procedure that would require they store a username and password on their site. You are identified by CCP rather than having to identify yourself to the website.

The reasonable concern have is that someone will create a fake Third Party Tool webpage, and pretend to redirect to the login page, and instead redirect to some webpage they control which looks just like CCPs page. They will not be able to make your Web Browser display https://login.eveonline.com/ as their URL. It almost certainly will happen, and it will almost certainly get people hacked, but anyone who is careful enough to not use the same username/password on third party websites as they do for their game account should be careful enough to check the domain name. I think an overall a move to single sign on will be less risky than the alternative where Third Party Sites could have databases containing passwords or password hashes stolen, along with persistent api keys.

PS: A concern I do have is if this is used in desktop or mobile applications, then the application can control things such that it creates even a fake browser, which could easialy trick even computer savvy people who are not looking for such a trick (and if done well enough, even them too). I would propose that a one time use, single sign on only token be creatable on a CCP website, such that you can use that instead of username/password, allowing you to avoid providing full credentials to untrusted applications. I feel this would probably be of little use on web apps however, because anyone savvy enough to use it could get the same protection faster by checking the ssl certificate.
Kenneth Feld
Habitual Euthanasia
Pandemic Legion
#123 - 2014-07-08 23:28:46 UTC
CCP Explorer wrote:
Kenneth Feld wrote:
What about Amazon??

I **THOUGHT** I was using SSO to sign on there for like a year now???
Can you detail this question a bit more, please.



If you go to Amazon.com and purchase a plex, it comes up in the box for you to login to your account and link the account to amazon, then when you buy a pled it goes directly to your redeemed items.

last year when they had the pled mess up and were selling 3 for $4 or whatever the deal was, I had to keep signing into separate accounts as it would only let you buy 4 deals for a single account.

I assumed that was SSO, but it isn't listed in the Dev Blog as being one of the ones running, wasn't sure if it was legit or not, and well, i have been using it for a while, wondering if I need to change my passwords or not?
KIller Wabbit
MEME Thoughts
#124 - 2014-07-09 02:35:06 UTC
Steve Ronuken wrote:
IceGuerilla wrote:
We have this total rubbish, but we still can't change characters without relogging? What a load of poppycock.



Uh, One's extending the login tech that's already in use with CCP (take a look at logging into the community site, the wiki, and the forums), and the other is going through the entirety of the eve client code, looking for code where the assumption was made that the character id wouldn't change.

Teeny difference there.



One we really don't care about and the other is a pain in the ass every single day. Wanna guess which is which?

SSO - so gonna be a favorite with hackers...
KIller Wabbit
MEME Thoughts
#125 - 2014-07-09 02:41:16 UTC
Steve Ronuken wrote:


Rein in your hyperbole.


Who went and made you a moderator?

Some minimal work that benefits a double handful of third parties and maybe a few thousand people that deal with those site versus the (supposedly) 20K+ people that login in each day, some of them several times across multiple characters. Gee... maybe the ENTIRE community would be happier with something getting fixed that irritates the hell out of them daily.


Slicr
#126 - 2014-07-09 02:43:38 UTC
KIller Wabbit wrote:
Steve Ronuken wrote:
IceGuerilla wrote:
We have this total rubbish, but we still can't change characters without relogging? What a load of poppycock.



Uh, One's extending the login tech that's already in use with CCP (take a look at logging into the community site, the wiki, and the forums), and the other is going through the entirety of the eve client code, looking for code where the assumption was made that the character id wouldn't change.

Teeny difference there.



One we really don't care about and the other is a pain in the ass every single day. Wanna guess which is which?

SSO - so gonna be a favorite with hackers...



CCP bringing game mechanics to real life business.
Only CCP would think it was okay to bring such a flawed system to it's customer base.

I believe in being Pro-Active as Opposed to Reactive. Reactive tends to be more costly in time and money.

KIller Wabbit
MEME Thoughts
#127 - 2014-07-09 02:48:49 UTC
Terminator 2 wrote:
Steve Ronuken wrote:
Aalysia Valkeiper wrote:
Terminator 2 wrote:
How about anonymity and privacy?

What happens when i have signed into EVE and then browse one of those sites?

Will i first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...

Also, what happens to my EVE session when i chose to logout from SSO to browse one of those sites while trying to preserve my dignity?

I would expect at least a clear privacy statement regarding everything involved with SSO before being forced using any of it.
Also am i forced to use it?

It is because of all those "goodness" happening to us lately that i knowingly refuse and avoid having a facebook account or anything similar that connects different data sources voiding your privacy.


I can answer that, judging from what I have seen regarding CCP's policies 'behind the scene'.

The third parties won't get your IP address if you go to them after logging in with EvE online. Instead, they will get CCP's IP as your proxy.



Nope. No proxy.

They'll get your IP address. Just like they would if you went to their site anyway.


The process is:


  • Go to the 3rd party site.
  • Click the login link.
  • This sends you to the login.eveonline.com site (for the live version. sisilogin.testeveonline.com for the dev), with an identifier saying which site you're coming from.
  • You log onto that site.
  • You pick a character.
  • You get sent back to the original site, onto a particular url that the site owner specified. A code is passed as part of the redirect.
  • That code is checked by the original site (talking to login.eveonline.com) with a secret that's not shared. If everything matches, the character id etc is sent back.


So what is preventing any EVE related site, even the ones in fact authorized by CCP to fake the looks of such a login and steal my account name and password?


The only way I can see that you could prove that a site is not a phishing attack is to provide a fake name/pwd combination - if it "passes" then it is a fake. However, since phishing often faults with a fake failure ("Your login failed, please try again") before passing off to the real site you were intending to go to. Dunno how many level's of fake/fake/real.... levels the phisher's will build in to try to fake out even this attempt to protect ourselves.

Ms Michigan
Aviation Professionals for EVE
Virtus Crusade Protectorate
#128 - 2014-07-09 02:51:01 UTC
Steve Ronuken wrote:
Ms Michigan wrote:
Ahh...Now I get it. I couldn't figure out why you were posting more than the devs ; didn't know the META. You have a vested interest in said technology. Which site do you run?


All there in my Sig Blink

Yes, I'd like to see it out there, mostly because I don't want to have to put up with the annoyance of managing a database of usernames and passwords, along with the paraphernalia that goes with it (resets and the like)

Ms Michigan wrote:

All that aside, my original post stands. IF CCP can't just bring these tools/sites on property and pay the people properly who developed them, then I still have a hard time with this. Not only on security, but principal. Yes, people don't have to use it...just like facebook. But again, the phishing scams alone are of concern as this involves money. As one user mentioned. What is CCP's policy going to be on this with third party websites?



As for bringing in third party devs, to make them into official applications, the vast majority aren't enough to keep a full time developer going for extended periods of time. Or are of low utility to most people. Or are specific to some corporations. One example is the class of 3rd party devs that maintain things like private corporation/alliance forums/wikis/voice coms and so on. (SSO will be very useful there)



Policy I can't speak to.



Glad we cleared that part up; at least you aren't hiding your bias.

Here is my counter Steve. You quoted me but didn't really follow through. My problem is this to your response. Not that CCP hire you full time, but maybe part-time or buy you out for your work with a percentage of profits long term (much like Gates did with MS.) Everyone wins. The tools people like yourself and others provide improve EVE, are brought in game, and most importantly, CCP has an OFFICIAL OBLIGATION like any GOOD (i.e. not lazy or cheap) corporate entity SHOULD do. Corporate ethics (at least in the States) are so bad these days. This just reminds me of sub-contracting in that regard. And when you farm things out to save cash (whether you are okay with it or not) you get sub-par solutions like this. A corporation (like a person - and in the states the Supreme Court ruled corps are people in this regard) has a moral obligation to do things right. CCP operates in the USA. Not to mention, Iceland is pretty moral people. This just reeks of a "creative techno-babble" solution to the real problem. That is what I mean when I say all this. TLDR I wish. Sorry for the wall o' text.
Ms Michigan
Aviation Professionals for EVE
Virtus Crusade Protectorate
#129 - 2014-07-09 02:54:27 UTC
Slicr wrote:
I am playing Eve Online.
I have agreed to pay CCP to play this game.
In order for me to fulfill that agreement I have a login ID and password that I use to provide CCP with my payment particulars.

I do not want CCP to make money off of endangering my personal information.

Make this OPT-IN only






Exactly...like API and like setting your friends dark blue in EVE gate. Make this OPT-IN account setting. All will be happy! : )

Ms Michigan
Aviation Professionals for EVE
Virtus Crusade Protectorate
#130 - 2014-07-09 03:13:47 UTC  |  Edited by: Ms Michigan
Zanthra Shard wrote:

A man in the middle attack would require both a signed certificate for login.eveonline.com , and the private key to go with that certificate. No trusted certificate authority would sign a certificate for that website without verifying your identiry.


Oh how soon we forget heart-bleed. Did we EVER get a verification out of CCP that these Official EVE sites (and any certificates used elsewhere on third part sites in the future) are not OPEN SSL? It is on the site admin to make sure this has been fixed. Just saying.

Zanthra Shard wrote:


The reasonable concern have is that someone will create a fake Third Party Tool webpage, and pretend to redirect to the login page, and instead redirect to some webpage they control which looks just like CCPs page. They will not be able to make your Web Browser display https://login.eveonline.com/ as their URL.


Again - heartbleed, redirect DNS attacks - websites can actually appear in the address bar as actual websites and NOT be them. False certificates. See this link.

http://mashable.com/2014/04/17/heartbleed-digital-certificates/

Zanthra Shard wrote:


It almost certainly will happen, and it will almost certainly get people hacked, but anyone who is careful enough to not use the same username/password on third party websites as they do for their game account should be careful enough to check the domain name. I think an overall a move to single sign on will be less risky than the alternative where Third Party Sites could have databases containing passwords or password hashes stolen, along with persistent api keys.

PS: A concern I do have is if this is used in desktop or mobile applications, then the application can control things such that it creates even a fake browser, which could easialy trick even computer savvy people who are not looking for such a trick (and if done well enough, even them too). I would propose that a one time use, single sign on only token be creatable on a CCP website, such that you can use that instead of username/password, allowing you to avoid providing full credentials to untrusted applications. I feel this would probably be of little use on web apps however, because anyone savvy enough to use it could get the same protection faster by checking the ssl certificate.


I agree.
Zanthra Shard
Sebiestor Tribe
Minmatar Republic
#131 - 2014-07-09 06:44:45 UTC  |  Edited by: Zanthra Shard
Ms Michigan wrote:
Zanthra Shard wrote:

A man in the middle attack would require both a signed certificate for login.eveonline.com , and the private key to go with that certificate. No trusted certificate authority would sign a certificate for that website without verifying your identiry.


Oh how soon we forget heart-bleed. Did we EVER get a verification out of CCP that these Official EVE sites (and any certificates used elsewhere on third part sites in the future) are not OPEN SSL? It is on the site admin to make sure this has been fixed. Just saying.

Zanthra Shard wrote:


The reasonable concern have is that someone will create a fake Third Party Tool webpage, and pretend to redirect to the login page, and instead redirect to some webpage they control which looks just like CCPs page. They will not be able to make your Web Browser display https://login.eveonline.com/ as their URL.


Again - heartbleed, redirect DNS attacks - websites can actually appear in the address bar as actual websites and NOT be them. False certificates. See this link.

http://mashable.com/2014/04/17/heartbleed-digital-certificates/



I have only seen IIS used by CCP, have they ever had an SSL secured website hosted on a non IIS server? A lot of their job offerings say: "Experience creating web services using ASP.NET". They might be using ASP.NET on mono or something, but it seems extreemly unlikely.

I'll concede that it is possible to run the attack you purpose, although it would be technically very difficult, and Single Sign on or not, you are still vulnerable to it. I don't feel that it is something to be concerned about. If someone with the technical knowledge and tools to pull off a DNS redirect, and has the private key to a CCP certificate, then you are already at risk on CCP websites. At some point you are going to have to accept some risk when doing anything online. I don't believe that the Sngle Sign on appreciably increases that risk.

PS: I don't quite understand what you mean by, "(and any certificates used elsewhere on third part sites in the future)". Third party sites can have all the vulnerabilities in the world, but the idea is that you will only ever send your username and password to a server that is wholely controlled by CCP. The concern about the third party site is that they could be hacked such that the attacker can use the token they have with CCP to do stuff with your account (when CREST enables changes through SSO and you authorised that site to use those features). They would have no access to login, or affect your account in any way that was not authorized to that site, and CCP has the power to revoke all the tokens that were issued to that site in a major breach. It's up to you if you want to trust the Third Party site with security enough to allow them to have that access, but that would be equally true of traditional API alternative with the same access.
Terminator 2
Omega Boost
#132 - 2014-07-10 20:03:21 UTC  |  Edited by: Terminator 2
Wollari wrote:
What people might have not realized yet. The SSO is the initial step for Authenticated CREST. If (one day) CCP will provide read/write API Calls via CREST to your character you'll be forced to authenticate via SSO and then approve the requested scopes (access level) that the application is asking for. (You likely all know it from facebook. If some funky application requests write access to my fb wall they usually can die in hell and I'll not use them, while other applications might be okay and get my approval).

In the end it's always up to the user if they make use of SSO login on a 3rd party page and if they be careful during the login procedure.

One last thing to Authenticated CREST (future thing). You can bet that if in some couple Years CCP will start with authenticated crest they'll be very careful with what access level they'll provide. No one wants a 3rd party application that micro manages the market ingame, etc.

But right now it's only authentication which returns the information below (not more, taken from the SSO documentation)
Quote:
{
CharacterID: 273042051
CharacterName: "CCP illurkall"
ExpiresOn: "2014-05-23T15:01:15.182864Z"
Scopes: " "
TokenType: "Character"
CharacterOwnerHash: "XM4D...FoY="
}

This is all what we application developer will get to see right now. Okay, with the characterID I can do public API requests to get more public information about the given character (like alliance, corp, secstatus, etc) but that's not critical IMHO.



Well there you already have it...

1) With CharacterName i can search for your posts/opinions/killmails/whatnot...would prefer to keep that private

2) With ExpiresOn you can prepare for Wardecs to take POSes down, if someone goes on vacation...would prefer to keep that private

3) With CharacterOwnerHash you can crossreference on your own and other sites that you own or with ones that are willing to share who one's alts are, without even having access to a fullapi key...would prefer to keep that private


This seemingly unimportant information can already lead to exploit and metagaming cases...who knows what the final implementation will yield...

Also the malicious website owner will have more info which will be worth a lot more when you are identified...like your browsing history, IP and so on. He could for example DDOS you if you were a known Titan Pilot and he has your IP.
CCP FoxFour
C C P
C C P Alliance
#133 - 2014-07-11 09:21:55 UTC
Terminator 2 wrote:
Wollari wrote:
What people might have not realized yet. The SSO is the initial step for Authenticated CREST. If (one day) CCP will provide read/write API Calls via CREST to your character you'll be forced to authenticate via SSO and then approve the requested scopes (access level) that the application is asking for. (You likely all know it from facebook. If some funky application requests write access to my fb wall they usually can die in hell and I'll not use them, while other applications might be okay and get my approval).

In the end it's always up to the user if they make use of SSO login on a 3rd party page and if they be careful during the login procedure.

One last thing to Authenticated CREST (future thing). You can bet that if in some couple Years CCP will start with authenticated crest they'll be very careful with what access level they'll provide. No one wants a 3rd party application that micro manages the market ingame, etc.

But right now it's only authentication which returns the information below (not more, taken from the SSO documentation)
Quote:
{
CharacterID: 273042051
CharacterName: "CCP illurkall"
ExpiresOn: "2014-05-23T15:01:15.182864Z"
Scopes: " "
TokenType: "Character"
CharacterOwnerHash: "XM4D...FoY="
}

This is all what we application developer will get to see right now. Okay, with the characterID I can do public API requests to get more public information about the given character (like alliance, corp, secstatus, etc) but that's not critical IMHO.



Well there you already have it...

1) With CharacterName i can search for your posts/opinions/killmails/whatnot...would prefer to keep that private

2) With ExpiresOn you can prepare for Wardecs to take POSes down, if someone goes on vacation...would prefer to keep that private

3) With CharacterOwnerHash you can crossreference on your own and other sites that you own or with ones that are willing to share who one's alts are, without even having access to a fullapi key...would prefer to keep that private


This seemingly unimportant information can already lead to exploit and metagaming cases...who knows what the final implementation will yield...

Also the malicious website owner will have more info which will be worth a lot more when you are identified...like your browsing history, IP and so on. He could for example DDOS you if you were a known Titan Pilot and he has your IP.


You are misunderstanding:

1) The whole point of singing in with the SSO is to give just your character. One and only one at a time. If you don't want to give that out... well don't sign in.

2) The ExpiresOn is when the token expires, nothing to do with the account. It's for the developer of the application or web site to know how long they have to do things they need to do.

3) No. That CharacterOwnerHash is unique to your character and account. You cannot use it to link multiple characters to the same account. A goal of the SSO for third party devs is, unless you specifically tell them, developers should NOT be able to link multiple characters from the same account together. So if you sign into the site twice with the SSO using the same account but different characters there is no way for them to know those characters are from the same account. At least not from us. You could tell them or they could guess based on the fact both signins were from the same IP, or things like that.

Your points about browsing history and DDOSing titan pilots is nothing to do with the SSO. The point of the SSO is to identify yourself as a specific character. If you don't want them to know that don't sign into their site. Web sites already ask you to confirm you are a specific person, just this makes it easier. It's still up to you if you let them know.

@CCP_FoxFour // Technical Designer // Team Tech Co

Third-party developer? Check out the official developers site for dev blogs, resources, and more.

Sentient Blade
Crisis Atmosphere
Coalition of the Unfortunate
#134 - 2014-07-11 09:31:50 UTC
CCP FoxFour wrote:
You are misunderstanding:


Don't mind him. He forgot to add an extra layer of tinfoil that morning.
Rain6637
Simulacra and Simulation
Goonswarm Federation
#135 - 2014-07-11 15:20:57 UTC
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#136 - 2014-07-11 17:49:27 UTC
Rain6637 wrote:
can I limit CREST access like I can with an API access mask



Authenticated CREST will be handled in a similar fashion to Facebook and twitter.

It'll tell you what privileges it wants, as part of the authentication. So you have to approve those, to continue.

Just another screen during the log in process.

Now, CREST will also introduce something else. A 'refresh token'. When you auth, it'll only be good for X period of time. So you get a refresh token that can be used to regain the privileges. If you want to revoke them, you'll go to a site (which doesn't exist yet, but will before release.) and revoke the privilege.


(we keep going back to facebook and twitter as examples, as the systems are very similar)

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Rain6637
Simulacra and Simulation
Goonswarm Federation
#137 - 2014-07-12 07:24:36 UTC
ok, cool. that was going to be my next question. if i want to cut off a site, i can do it from a dashboard CCP-side like an API.

the likes of yourself and chribba are as trustworthy as anyone can expect, and i'm not questioning that. it's just my paranoia. as powerful as CREST is promised to be, the thought of opening it and leaving it open is unsettling.
Chribba
Otherworld Enterprises
Otherworld Empire
#138 - 2014-07-12 07:43:21 UTC
Rain6637 wrote:
ok, cool. that was going to be my next question. if i want to cut off a site, i can do it from a dashboard CCP-side like an API.

the likes of yourself and chribba are as trustworthy as anyone can expect, and i'm not questioning that. it's just my paranoia. as powerful as CREST is promised to be, the thought of opening it and leaving it open is unsettling.

This need to be possible regardless of trusting or not, one should have the ability to revoke access (plus I would need to know how to handle those errors when I suddenly cannot use the tokens).

/c

★★★ Secure 3rd party service ★★★

Visit my in-game channel 'Holy Veldspar'

Twitter @ChribbaVeldspar

Rain6637
Simulacra and Simulation
Goonswarm Federation
#139 - 2014-07-13 16:29:35 UTC
I am curious to hear third party developer thoughts on SSO as a single point of failure.
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#140 - 2014-07-13 17:06:13 UTC
Rain6637 wrote:
I am curious to hear third party developer thoughts on SSO as a single point of failure.



It is a single point of failure, but it's a pretty robust one. (though right now, with the launcher problems, my timing is impeccable ;) )

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter