Pages: [1] :: one page |
|
Author |
Thread Statistics | Show CCP posts - 0 post(s) |
AleRiperKilt
|
Posted - 2008.12.16 20:57:00 -
[1]
IGB headers can be easily forged and I wonder if there are any plans to improve authentication, here are some ideas:
1. API auth: Add a header to pass something only the eve client may know such as char's skillpoint number and have an api call where you pass charid, char_sp and get true or false. This also could be a unique "session key" lasting a few minutes. External site can validate this key with API call.
2. PGP: Add a way to config a public key file to IGB that is passed to trusted sites.
Any others?
--- "I live in Los Angeles, where driving is non-consensual pvp" - Arric Rohr |
Tonto Auri
Vhero' Multipurpose Corp
|
Posted - 2008.12.19 00:22:00 -
[2]
You missed the point. It is not YOU trust to the header, it is USER grant you with trust to send his/her information to your site. -- Thanks CCP for cu |
Vincent La
Merch Industrial GoonSwarm
|
Posted - 2008.12.19 00:47:00 -
[3]
Originally by: Tonto Auri You missed the point. It is not YOU trust to the header, it is USER grant you with trust to send his/her information to your site.
If the user's browser reports their character name, how do you know it's accurate?
|
Tonto Auri
Vhero' Multipurpose Corp
|
Posted - 2008.12.19 00:54:00 -
[4]
Originally by: Vincent La
Originally by: Tonto Auri You missed the point. It is not YOU trust to the header, it is USER grant you with trust to send his/her information to your site.
If the user's browser reports their character name, how do you know it's accurate?
No way. -- Thanks CCP for cu |
Dragonaire
Caldari Corax.
|
Posted - 2008.12.19 00:59:00 -
[5]
Like they pointed out above you're asking the player through the IGB to trust you with their information not for you to trust them.
Basic idea with anything coming from someone over the Internet you can't trust it because it's way to easy to fake it or for someone else to change it in route. -- Finds camping stations from the inside much easier. Designer of Yapeal for Eve API. |
Vincent La
Merch Industrial GoonSwarm
|
Posted - 2008.12.20 07:06:00 -
[6]
Originally by: Dragonaire Like they pointed out above you're asking the player through the IGB to trust you with their information not for you to trust them.
Basic idea with anything coming from someone over the Internet you can't trust it because it's way to easy to fake it or for someone else to change it in route.
It is, however, possible for CCP to provide a guarantee that the data provided by the IGB is accurate.
|
Johnathan Roark
Caldari Quantum Industries RAZOR Alliance
|
Posted - 2008.12.20 08:17:00 -
[7]
Originally by: Vincent La
Originally by: Dragonaire Like they pointed out above you're asking the player through the IGB to trust you with their information not for you to trust them.
Basic idea with anything coming from someone over the Internet you can't trust it because it's way to easy to fake it or for someone else to change it in route.
It is, however, possible for CCP to provide a guarantee that the data provided by the IGB is accurate.
But they do not guarantee that it is the IGB providing the data. I can spoof any of the IGB headers in 5 mins to make it look like anyone. I use this to test IGB header code without using the IGB, Firefox Modify Headers Addon. Perhaps tomorrow I will write a step by step guide on using it for testing eve IGB headers. Bottom line is, do not count on header information sent by any browser to be accurate. The best method of verifying a user is using the API.
POS-Tracker 2.1.0 Hosting |
Tonto Auri
Vhero' Multipurpose Corp
|
Posted - 2008.12.22 02:23:00 -
[8]
There has been a solution posted that verifies the user=id through API. It's limited in speed to the API cache times, but works quite good. Idea is to cross-check user through wallet journal. Any amount of ISK sent would do the job, however, you could set it to ask for certain random amount to ensure slightly higher security level. -- Thanks CCP for cu |
AleRiperKilt
|
Posted - 2008.12.22 20:05:00 -
[9]
The ideas I propose would involve CCP doing some tweaking to the IGB:
Trusted session key: 1. User selects to trust external site 2. IGB generates a random trusted session key and passes it in header, also sends it to CCP API server. 3. External site can verify trusted key through API
To avoid packet sniffing attacks, session keys expire and new ones are generated every few minutes.
--- "I live in Los Angeles, where driving is non-consensual pvp" - Arric Rohr |
Dragonaire
Caldari Corax.
|
Posted - 2008.12.22 20:48:00 -
[10]
Then someone starts emulates IGB connection to CCP (which people have been doing all along to get information like number of players online) and makes fake trusted session key and your right back where you started What you're wanting is for CCP to become an Internet security service which they aren't nor should they be.
The IGB is no different than any other browser when it comes to an Internet connection except it's even less standards compliant then IE 4 was Just like with any web based application you can never be 100% sure who or what is on the other end of the connection and you just have to program stuff with that in mind. The best you can do ever on an Internet connection is to use https with some kind of public key infrastructure for both your user and your application that you verify and it's still only as good as the care both parties take making sure their private keys don't get exposed. -- Finds camping stations from the inside much easier. Designer of Yapeal for Eve API. |
|
Tonto Auri
Vhero' Multipurpose Corp
|
Posted - 2008.12.23 17:42:00 -
[11]
Originally by: AleRiperKilt The ideas I propose would involve CCP doing some tweaking to the IGB:
Trusted session key: 1. User selects to trust external site 2. IGB generates a random trusted session key and passes it in header, also sends it to CCP API server. 3. External site can verify trusted key through API
To avoid packet sniffing attacks, session keys expire and new ones are generated every few minutes.
Only trusted scheme will involve CCP anyway. Easiest one proposed to now was to generate session key every time character entering the game, and send it along with charID to the trusted sites. Then modify API servers to be able use charID:SessionKey on server side to retrieve required information. -- Thanks CCP for cu |
DeTox MinRohim
Madhatters Inc. The Initiative.
|
Posted - 2008.12.23 21:10:00 -
[12]
Edited by: DeTox MinRohim on 23/12/2008 21:12:11
Originally by: Tonto Auri
Only trusted scheme will involve CCP anyway. Easiest one proposed to now was to generate session key every time character entering the game, and send it along with charID to the trusted sites. Then modify API servers to be able use charID:SessionKey on server side to retrieve required information.
Would be my preference but wouldn't that still be... spoofable anyway? (Even if it's harder to generate/guess/etc.) Not really my area but logically, some site using trust can save the session key and use it while the real character is logged in the game.
That of course is bound to the people trusting the wrong sites. ------ This sig space is Read-only ! omgalink - Online Skillsheet |
Tonto Auri
Vhero' Multipurpose Corp
|
Posted - 2008.12.24 15:30:00 -
[13]
Originally by: DeTox MinRohim Would be my preference but wouldn't that still be... spoofable anyway? (Even if it's harder to generate/guess/etc.) Not really my area but logically, some site using trust can save the session key and use it while the real character is logged in the game.
That of course is bound to the people trusting the wrong sites.
If you can name usage of real data "spoofing"... :) Session key is that - SESSION key. It's valid only to the next character logon or to downtime. You can't use it forever (and once character logged off, it's of low interest anyway) -- Thanks CCP for cu |
Dragonaire
Caldari Corax.
|
Posted - 2008.12.24 16:29:00 -
[14]
The minute you start blindly trusting anybody (or really a thing since people don't manual send the ones and zero to you by hand) it's just a matter of time before it will bite you.
PHP session keys are hi-jacked fairly often on the Internet and cause all kinds of problems for badly written web applications every day and even if you do everything right there no way of saying someone wouldn't figure out a new way to get past any security or come across a new bug in some software that they can use. All the systems you're talking about will have the same problems and every system that anyone has every come up with has only lasted a little while before someone or several someones have found ways to break it. The better approach is to minimize the impact when it happens. Notice I didn't say 'IF' but when. If you design with the idea that it is going to happen and design things so when it does it can only impact one or a small group of users at any time you've done a better job then probably 80-90% of the stuff on the Internet and most people will move on to easier pickings when they don't get a big pay off.
Talking about this reminds me of the same problems they always have designing prisons. A couple people spends at most a couple years designing them and the prisoners have decades to do nothing but try to figure out how to get out and there's always a few that figure it out.
A web application is much the same way because as a designer you're lucky if you get to spend a couple hundred hours working on security and the hackers have ten of thousands of hours to try breaking it using as good or better tools then you might have. -- Finds camping stations from the inside much easier. Designer of Yapeal for Eve API. |
Freeholder Joe
|
Posted - 2008.12.24 18:07:00 -
[15]
As of now, the most security your going to get is with your own login/password scheme. Or steal the one from your forums. Dragonaire is right tho, it's never going to be bulletproof. Even if CCP jumps through every hoop you ask someone will still find away around if they are determined enough and have the time for it.
So lets get ccp to fix the other problems! Asking for and getting trust to enable correctly would be the top of my list... You can get it for a day or you can deny forever... it'd be nice to get it forever so I dont have to talk everyone new corp member through it :)
|
Malif Rising
Rising Industries
|
Posted - 2008.12.25 01:43:00 -
[16]
Hi AleRiperKilt,
Forgetting for a moment the debate about how best to implement an authentication scheme, I'm curious about why you need to authenticate a particular browser as belonging to a particular user in the first place. Do you mind sharing what you are planning to do? Everything I've done so far relies on a user creating an account with my own site, and while I use the character name in the header out of convenience, I really don't care what username a user registers with. It's the password they create that will control access. But then again, what I am doing is very straightforward. I'm wondering if you are doing something more interesting?
-- Malif
|
Tonto Auri
Vhero' Multipurpose Corp
|
Posted - 2008.12.25 23:22:00 -
[17]
Originally by: Dragonaire <unrelated mindstream>
Mmmda... have you tried to proof-read your post? And compare it to the post you've tried to reply to? I do know about security risks involved in handling PHP sessions. They do not apply here. -- Thanks CCP for cu |
Tonto Auri
Vhero' Multipurpose Corp
|
Posted - 2008.12.25 23:25:00 -
[18]
Originally by: Freeholder Joe As of now, the most security your going to get is with your own login/password scheme. Or steal the one from your forums. Dragonaire is right tho, it's never going to be bulletproof. Even if CCP jumps through every hoop you ask someone will still find away around if they are determined enough and have the time for it.
So lets get ccp to fix the other problems! Asking for and getting trust to enable correctly would be the top of my list... You can get it for a day or you can deny forever... it'd be nice to get it forever so I dont have to talk everyone new corp member through it :)
We are not talking about securing our resources (at least, I hope we aren't). Instead, we're speaking about the information users sending to us (our servers) and can we trust it or validate it. -- Thanks CCP for cu |
Dragonaire
Caldari Corax.
|
Posted - 2008.12.29 21:08:00 -
[19]
Seems that making analogs to other RL problems are considered not relative by some people but as to why I mentioned PHP sessions the reason is that many people try to use/think of them like a shared key which they really aren't or at least not a very good one. As to the original post about wanting some kind of way to trust what the IGB is sending a web application what I was saying still applies. You can never know for sure what or whom is on the other end of the wire/fiber/whatever nor can they know for sure whom/what you are or that you'll only do what you may have said you'd do. You have to decided what the risk vs usefulness of the information you get is all I've been trying to point out is there isn't a prefect system in existence where you can trust anything 100%.
I just have to use another analog but maybe some people will find this one more relevant or not All of us to be making these posts on the forum are trusting that when we put in our account names and passwords that no one at CCP or anyone that has access to any of the systems that the information had to pass through to get there are keeping it to use later. This is true for everything we sent over the Internet every day and the reality is most the time we don't even think about it nor is there anyone that really care to get the information to start with either.
Okay to sum it all up you can ask someone to trust you or what they think is you anyway with their information through the IGB or at least what you think is a IGB and if they decide to send that information you have to decide if you should trust what they apparently have sent you. All that any kind of encryption or key, share or not, or verification system can do for either end is make you feel better about trusting what you have received. -- Finds camping stations from the inside much easier. Designer of Yapeal for Eve API. |
AleRiperKilt
|
Posted - 2008.12.30 20:23:00 -
[20]
Originally by: Malif Rising Hi AleRiperKilt,
Forgetting for a moment the debate about how best to implement an authentication scheme, I'm curious about why you need to authenticate a particular browser as belonging to a particular user in the first place. Do you mind sharing what you are planning to do? Everything I've done so far relies on a user creating an account with my own site, and while I use the character name in the header out of convenience, I really don't care what username a user registers with. It's the password they create that will control access. But then again, what I am doing is very straightforward. I'm wondering if you are doing something more interesting?
-- Malif
I have several ideas, one is to allow creation of accounts in a Mumble Server from IGB restricting access by standings. For this I need a way to validate the player against a list of allowed to connect players/corps/alliances
--- "I live in Los Angeles, where driving is non-consensual pvp" - Arric Rohr |
|
Tonto Auri
Vhero' Multipurpose Corp
|
Posted - 2008.12.31 05:22:00 -
[21]
Originally by: Dragonaire <Another mindstream>
Please stop this. What i've spoke about is *session* **API** keys *generated by CCP*. If you want realworld comparison, the PGP signature fingerprint would be closest analogue. You using that fingerprint to pull information directly from CCP, not from user. It is short-living (it will be destroyed even by logging another character on the same account), but for the purposes we need it is pretty much enough. But it will induce another level of DB load to the cluster and will never happen.
To now, I haven't found any way to 1. Make information trustworthy 2. Without significant load increasing to the cluster.
One interesting idea was to generate signature that would be supplied to the client and used in interaction with IGB-ready sites. Say... a signature for string consisted of charID, charname, location, rights, current date (including hours). Then we could verify this using public certificate... -- Thanks CCP for cu |
|
|
|
Pages: [1] :: one page |
First page | Previous page | Next page | Last page |