
Chromoburst
|
Posted - 2010.05.23 04:58:00 -
[1]
This has been posted before but the discussion bears renewing.
Issue: Website designers that plan to utilize IGB header information in their designs often need to be able to verify the information they are receiving is accurate. The headers can be spoofed but a solution is simple.
Why Important: This would primarily allow a character to log into an IGB-enabled site without entering any credentials. Which would encourage users to use the websites frequently. This would be especially important in apps that, for example, showed live location data such as the location of a mining fleet or of which systems in alliance territory needed fortification. If pilots can just click the browser and open the homepage without logging in they can much more easily transmit the IGB info that these websites need to operate.
Implementation: This would basically be done by having the IGB headers send in session or time specific data that could be verified using the API. Just generate a key at downtime that can be sent using IGB headers to trusted sites. These trusted sites can make an API call using the character id and the key and the API could return true or false if it matched or not.
Pros: Very simple process that leverages existing processes. All the extra CPU time is done at downtime or client side. Provides a basic level of authentication.
Cons: Not totally secure if the character has untrustworthy sites that it visits and trusts. These sites could then use this key to access other sites that would provide data based on the key. This could also be a benefit if the sites were using the data in an appropriate way. Such as one site providing live alliance data that polled a member corporation site for member traffic data which used a tool provided by a third party site to show where its members roam day by day.
Please only post if you fully understand the concepts involved.
|

darius mclever
|
Posted - 2010.05.23 05:29:00 -
[2]
OAuth might be a solution to securely authenticate the ingame browser. Though it needs server side implementations from CCP.
|

Qoi
New Eden Warriors
|
Posted - 2010.05.23 10:44:00 -
[3]
What you propose is pretty insecure, but the general idea is very cool and useful.
I would implement it with a shared secret and HMAC, but CCP has enough people capable of implementing it in a secure way. They just need to do it 
|
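One way the shared-secret HMAC idea from post [3] could look, as an added example that is not code from the thread or from CCP. The field names, the per-site secrets and the 300-second window are assumptions; binding the signature to one site is what stops the cross-site key reuse listed under "Cons" in post [1].

```python
import hashlib
import hmac

MAX_AGE = 300  # seconds a signed header set stays valid (assumed policy)

def _message(charid: str, site: str, ts: int) -> bytes:
    # Length-prefix each field so ("12", "3x") and ("123", "x") cannot collide.
    fields = [f.encode() for f in (charid, site, str(ts))]
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def sign_headers(secret: bytes, charid: str, site: str, ts: int) -> dict:
    """Issuer side (hypothetical): sign a character id for exactly one site."""
    sig = hmac.new(secret, _message(charid, site, ts), hashlib.sha256).hexdigest()
    return {"charid": charid, "site": site, "ts": str(ts), "sig": sig}

def verify_headers(secret: bytes, my_site: str, headers: dict, now: int) -> bool:
    """Site side: accept only fresh, untampered headers issued for this site."""
    try:
        charid, site, sig = headers["charid"], headers["site"], headers["sig"]
        ts = int(headers["ts"])
    except (KeyError, ValueError, TypeError):
        return False
    if site != my_site or abs(now - ts) > MAX_AGE:
        return False  # issued for another site, or too old to accept
    expected = hmac.new(secret, _message(charid, site, ts), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), sig.encode())

def demo() -> dict:
    # Constructed sample data: two sites, each with its own secret.
    secret_a, secret_b = b"constructed-secret-site-a", b"constructed-secret-site-b"
    now = 1_274_590_000
    hdrs = sign_headers(secret_a, "90000001", "a.example", now)
    forged = dict(hdrs, charid="90000002")  # header edited after signing
    return {
        "valid": verify_headers(secret_a, "a.example", hdrs, now + 10),
        "tampered": verify_headers(secret_a, "a.example", forged, now + 10),
        "replayed_to_b": verify_headers(secret_b, "b.example", hdrs, now + 10),
        "stale": verify_headers(secret_a, "a.example", hdrs, now + MAX_AGE + 1),
    }

if __name__ == "__main__":
    print(demo())
```

Within the freshness window the same headers can still be replayed to the site they were issued for, so a site that needs single-use tokens would also have to track signatures it has already seen.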

Haskell
Gallente
|
Posted - 2010.05.23 13:31:00 -
[4]
I believe the IGB was said to get some mechanism in Tyrannis so you can log into EVE gate without password, and which could be used by other websites as well.
Did they implement this or do you need to enter your password in the test server build? (I don't have the SiSi client installed atm, so I can't check.)

Catari Taga
Centre Of Attention Rough Necks
|
Posted - 2010.05.23 14:08:00 -
[5]
Originally by: Haskell I believe the IGB was said to get some mechanism in Tyrannis so you can log into EVE gate without password, and which could be used by other websites as well.
Did they implement this or do you need to enter your password in the test server build? (I don't have the SiSi client installed atm, so I can't check.)
This is not implemented and I don't think anything like you are hoping for has ever been announced other than a "we'd like that" style response.
--
Originally by: Zeke Mobius I swear the catholic church was faster at admitting the earth was round than CCP at fixing stuff.
|

Tonto Auri
Vhero' Multipurpose Corp
|
Posted - 2010.05.23 21:15:00 -
[6]
For those late to the party: "IGB trust" is not for your website to trust your visitors. It is for visitors, who trust you enough to send their personal data to your website. -- Thanks CCP for cu