Jen Moriarty
Snuff Box Snuffed Out
45
|
Posted - 2014.11.27 07:49:02 -
[1] - Quote
Hi there,
So I've just finished integrating the EVE SSO into my site, and the first impressions of the user base kinda surprised me. It seems that almost all of them are unwilling to provide their login details as they fear I may have access to them. Even showing them the SSO Devblog doesn't help. Perhaps CCP should be more vocal about the SSO and its security, cause it seems nobody knows about it.
Jen
Rivr Luzade
Coreli Corporation Ineluctable.
999
|
Posted - 2014.11.27 08:18:21 -
[2] - Quote
That's what I would call properly educated player base: paranoid and distrustful, both because of EVE's society as well as real-life events.
elitatwo
Eve Minions Poopstain Removal Team
485
|
Posted - 2014.11.27 10:15:02 -
[3] - Quote
Jen Moriarty wrote:Hi there,
So I've just finished integrating the EVE SSO into my site, and the first impressions of the user base kinda surprised me. It seems that almost all of them are unwilling to provide their login details as they fear I may have access to them. Even showing them the SSO Devblog doesn't help. Perhaps CCP should be more vocal about the SSO and its security, cause it seems nobody knows about it.
Jen
Okay, let me translate that back to a language we all speak:
Hi, I made a website that gives me access to your accounts, all you need to do is to give me your passwords so I can go on and steal your pixels.
Thanks for your cooperation!
|
Takeshi Kumamato
Exiled Kings The Fearless Empire
1
|
Posted - 2014.11.27 10:43:22 -
[4] - Quote
Apparently nobody in this forum knows about it either.
Ix Method
Brutor Tribe Minmatar Republic
340
|
Posted - 2014.11.27 10:50:43 -
[5] - Quote
elitatwo wrote:Okay, let me translate that back to a language we all speak:
Hi, I made a website that gives me access to your accounts, all you need to do is to give me your passwords so I can go on and steal your pixels.
Thanks for your cooperation!
*facepalm*
Travelling at the speed of love.
|
elitatwo
Eve Minions Poopstain Removal Team
486
|
Posted - 2014.11.27 15:40:33 -
[6] - Quote
Ix Method wrote:*facepalm*
What? I was giving in to Rivr's joke
I know what Single Sign On means and how it works. Facebook uses it, Google, Twitter and some others and the cool-kids site which I am too old to use.
|
Zan Shiro
Alternative Enterprises
543
|
Posted - 2014.11.27 16:41:30 -
[7] - Quote
Rivr Luzade wrote:That's what I would call properly educated player base: paranoid and distrustful, both because of EVE's society as well as real-life events.
this...
there is a lot of implicit trust in that sso. I tbh am leery of even more accepted ones at times. Only because I cannot know what was done on the website's end to secure the servers touched in the chain. As a prep for recent auditing/inspection between 1 admin and myself working in conjunction with the security manager we put in some hours to make sure our scans to meet compliancy came up clean.
In our case we had the option to write some off as a business need exception as a get out of jail free card as it were. We opted to work our asses off to just slay those dragons instead. Some of these dragons resided in our SSO to get network resource access externally (webmail for example).
I cannot and will not assume every website/server admin out there does the same. Or the host they run on if not a local web server. Take away is a good computer user should be paranoid. Just because you're paranoid does not mean something is not out to get you.
Well that I am in the minority of the antifacebook crowd so don't even use that. About to switch phone service provider and get new phones. I am so anti Facebook I will pay for iexplorer (or apps like it) to copy games saves to migrate them when all I have to do is make a cheesy FB account to do the same thing. I still prefer the former. My hate of FB has a long backstory, too long to cover here lol.
Jen Moriarty
Snuff Box Snuffed Out
45
|
Posted - 2014.11.27 17:09:53 -
[8] - Quote
... meanwhile, on topic:
The SSO is miles better than previous authentication methods. While previously you needed to provide an API (which was entirely in the hands of the service provider), with the SSO you give away nothing. I don't even...
Def Monk
404 File Not Found
11
|
Posted - 2014.11.27 17:32:43 -
[9] - Quote
Zan Shiro wrote:Rivr Luzade wrote:That's what I would call properly educated player base: paranoid and distrustful, both because of EVE's society as well as real-life events.
this...
there is a lot of implicit trust in that sso. I tbh am leery of even more accepted ones at times. Only because I cannot know what was done on the website's end to secure the servers touched in the chain. As a prep for recent auditing/inspection between 1 admin and myself working in conjunction with the security manager we put in some hours to make sure our scans to meet compliancy came up clean.
In our case we had the option to write some off as a business need exception as a get out of jail free card as it were. We opted to work our asses off to just slay those dragons instead. Some of these dragons resided in our SSO to get network resource access externally (webmail for example).
I cannot and will not assume every website/server admin out there does the same. Or the host they run on if not a local web server. Take away is a good computer user should be paranoid. Just because you're paranoid does not mean something is not out to get you.
Well that I am in the minority of the antifacebook crowd so don't even use that. About to switch phone service provider and get new phones. I am so anti Facebook I will pay for iexplorer (or apps like it) to copy games saves to migrate them when all I have to do is make a cheesy FB account to do the same thing. I still prefer the former. My hate of FB has a long backstory, too long to cover here lol.
You seem to be mixing up your dragons a little here. There is a difference between an internal SSO in the sense of, for example, an LDAP setup commonly used in businesses, and an external OAuth SSO used for Eve/Google/FB/Twitter/Git/etc. The workflows and access granted by the setups have some differences.
If the service using the OAuth setup is properly running SSL with a valid cert (OAuth requires the requests and redirects to come from specific URIs you pre-define as from https addresses and forces you to follow a specific workflow), all the traffic is secure. Any information you can gain from the Eve SSO will have the user warned from the Eve website and allow you to decline if you don't trust the service.
The only issue from there is how the end-service handles storage of any information you choose to give them, which still falls on them and your trust of them, but that's the same for any web service.
====
For everyone else worried about it: THE SSO WILL REDIRECT YOU TO THE EVE WEBSITE. If you see your URL as https://login.eveonline.com/ when inputting your credentials, no end service using the SSO will be able to steal your accounts or information. Being CAREFUL and INFORMED is good - being paranoid can be excessive.
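The two checks described in the post above, written out as an added example that is not part of the original thread or any CCP code: a strict test that an address-bar URL really is on https://login.eveonline.com/, and the exact-match comparison a provider applies to pre-registered https redirect URIs. The function names, the `tools.example` callback and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Host named in the post above as the only place to type EVE credentials.
SSO_HOST = "login.eveonline.com"

# Hypothetical callback a third-party site registered in advance (constructed).
REGISTERED = {"https://tools.example/sso/callback"}


def is_eve_login_page(url):
    """True only if the URL is https on exactly login.eveonline.com."""
    if "\\" in url:                      # browsers treat "\" like "/"
        return False
    try:
        parts = urlsplit(url.strip())
        port = parts.port                # raises ValueError on a bad port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # "https://login.eveonline.com@other.host/" puts the trusted name in the
    # userinfo part; the real host is whatever follows the "@".
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    # Exact host comparison: a suffix or prefix match would accept look-alikes
    # such as login.eveonline.com.other.host
    return parts.hostname == SSO_HOST


def redirect_uri_allowed(requested, registered=REGISTERED):
    """Provider-side rule: https only, exact string match, no prefixes."""
    return requested.startswith("https://") and requested in registered


def classify(urls):
    """Map each constructed sample URL to the verdict of the login-page check."""
    return {u: is_eve_login_page(u) for u in urls}


if __name__ == "__main__":
    samples = [
        "https://login.eveonline.com/",
        "http://login.eveonline.com/",
        "https://login.eveonline.com.evil.example/",
        "https://login.eveonline.com@evil.example/",
    ]
    for url, ok in classify(samples).items():
        print("OK  " if ok else "STOP", url)
```
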