CCP Fallout
Posted - 2010.10.22 11:40:00 -
[1]
CCP Stillman's newest dev blog details the importance of API security and protecting your API key.
Fallout, Associate Community Manager, CCP Hf, EVE Online
Elsa Nietzsche
Posted - 2010.10.22 11:47:00 -
[2]
Edited by: Elsa Nietzsche on 22/10/2010 11:54:48
First!
Pretty interesting blog. I've often wondered why people are so anal about API access. While there seems to really be limited risk with sharing the limited API, you make many good points about the risk of sharing your full API. Also, thanks for linking the API access log. That was something new to me and I'm glad I know about it now.
On the topic of security/privacy, have you guys changed your mind about the last blog with EveGate and making user profiles public by default yet?
Chribba
Otherworld Enterprises Otherworld Empire
Posted - 2010.10.22 11:56:00 -
[3]
Edited by: Chribba on 22/10/2010 12:00:37
Another good read. Thanks.
And also, I think there could be several improvements of the API keys in general, like the ability to create more than just one limited/full key, to avoid having to use the same keys everywhere, and thus not having to reset all "services" if a key is abused.
Expiration on some keys perhaps? E.g. a 12 hour key you can give to a recruitment officer... But also, and probably a major feature, would be to be able to create keys and choose what info they could access. E.g. a full key that would allow for example only industrial jobs to be viewed, but not the wallet etc.
/c
Secure 3rd party service | my in-game channel 'Holy Veldspar'
Valeria Crossroads
Caldari Terra Incognita Black Star Alliance
Posted - 2010.10.22 11:58:00 -
[4]
KBs use the full API keys of the CEO or a director to get all corp kills and losses. That means that all my mail and thus my privacy must be sacrificed to keep that going. No way is that going to happen. Please come with a solution for this.
My BPC shop: click here for stock and prices.
CCP Prism X
Gallente C C P C C P Alliance
Posted - 2010.10.22 12:06:00 -
[5]
Originally by: Chribba
Edited by: Chribba on 22/10/2010 12:00:37
And also, I think there could be several improvements of the API keys in general, like the ability to create more than just one limited/full key, to avoid having to use the same keys everywhere, and thus not having to reset all "services" if a key is abused.
Expiration on some keys perhaps? E.g. a 12 hour key you can give to a recruitment officer... But also, and probably a major feature, would be to be able to create keys and choose what info they could access. E.g. a full key that would allow for example only industrial jobs to be viewed, but not the wallet etc.
/c
For reference.
And we understand that this isn't exactly ideal for killboards that require the full API key. We'll look into the security concerns of lowering the kill mail API to the limited key. That will of course just be a temporary solution. See the reference above.
~ CCP Prism X, EVE Database Developer and Acting API Dude
Noun Verber
Gallente
Posted - 2010.10.22 12:08:00 -
[6]
Will anything new be added to the APIs in Tyrannis 1.2?
I don't know what was there in the first place to compare it to.
Jack Dant
Minmatar The Gentlemen of Low Moral Fibre
Posted - 2010.10.22 12:10:00 -
[7]
Originally by: CCP Prism X And we understand that this isn't exactly ideal for killboards that require the full API key. We'll look into the security concerns of lowering the kill mail API to the limited key. That will of course just be a temporary solution. See the reference above.
Please do this. Kills and losses are almost public information (not least because both sides get them, so you can never completely control who sees them).
0oO0oOoOo0o
Posted - 2010.10.22 12:39:00 -
[8]
Why do you make the mail accessible in the full API? It's private communication between two persons, sometimes not even about the game itself, that is not meant to be read by 3rd parties. Please take that off the list.
CCP Prism X
Gallente C C P C C P Alliance
Posted - 2010.10.22 12:50:00 -
[9]
Originally by: Noun Verber Will anything new be added to the APIs in Tyrannis 1.2?
I don't know what was there in the first place to compare it to.
Yes there will! \o/ There's an entire dev blog dedicated to upcoming Tyrannis 1.2 features!
~ CCP Prism X, EVE Database Developer and Acting API Dude
Yuda Mann
Posted - 2010.10.22 13:45:00 -
[10]
Originally by: 0oO0oOoOo0o Why do you make the mail accessible in the full API? It's private communication between two persons, sometimes not even about the game itself, that is not meant to be read by 3rd parties. Please take that off the list.
It's so you can use a 3rd party piece of software or website to read your own mail. I think what CCP needs to do is make a 3rd security level for APIs. There's too much information to fit into 2 levels.
HI!
DmitryEKT
Tyrell Corp
Posted - 2010.10.22 15:13:00 -
[11]
Are there plans to add a way to "uncreate" an API key? Creating a new one wipes the old one, but if I didn't want to have one active at all, there doesn't seem to be a way to do that. Yes, I know it's not something you can guess because of how long it is, but still, it would be nice for those of us who are overly paranoid...
--- EVE Online: underwater spaceships simulator
Nikolai Kondratiev
Sphere Design Inc.
Posted - 2010.10.22 16:56:00 -
[12]
Edited by: Nikolai Kondratiev on 22/10/2010 17:00:06
Originally by: DmitryEKT Are there plans to add a way to "uncreate" an API key? Creating a new one wipes the old one, but if I didn't want to have one active at all, there doesn't seem to be a way to do that. Yes, I know it's not something you can guess because of how long it is, but still, it would be nice for those of us who are overly paranoid...
If you think someone is going to "guess" your new API key (and if they hack your account to get it, you probably have more to worry about) or brute-force it, you might as well stop living because of all the terrible things that are more likely to happen IRL (meteors destroying your house, aliens kidnapping your wife/kids, robots taking over the world and turning you into a battery cell, the "2012" crap-movie happening for real, ...)
And +1 for killmails using Limited API Keys; it would also make the killboard system much more reliable, since people share this one much more easily than the full one.
Edit: and for temporary keys and/or limited access to API calls, wouldn't a modified "API proxy" do the job, by storing real keys and letting you generate temporary/limited ones? (ofc, the recruitment officer/application/... would have to use that proxy and it would have to be trusted enough by both parties, so you're the man we need Chribba!)
_ Mining Crystal BPOs Angel Ships
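Chribba's wish list earlier in the thread (more than one key, keys that expire, keys restricted to a chosen set of calls) and the "API proxy" idea in this post describe the same mechanism: a trusted intermediary holds the real full key and hands out derived tokens that are short-lived and limited to named calls, so the full key itself is never shared. The Python below is an added example of that design; it is not code from the thread, from CCP, or from any real proxy. The call names, the user id, the stored key and the proxy secret are constructed placeholders, and the forwarding step is returned as a decision rather than performed as a network request.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed placeholders: the proxy's own signing secret and the full API
# keys it holds on users' behalf. A real key never leaves this store.
PROXY_SECRET = secrets.token_bytes(32)
REAL_KEYS = {"user-42": "FULL-KEY-PLACEHOLDER"}

# Hypothetical call names, grouped by the key level they would need.
LIMITED_CALLS = {"CharacterSheet", "KillLog"}
FULL_CALLS = {"IndustryJobs", "WalletJournal", "MailMessages"}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64e(hmac.new(PROXY_SECRET, body.encode(), hashlib.sha256).digest())


def issue_token(user_id, allowed_calls, ttl_seconds, now=None):
    """Mint a derived key valid only for `allowed_calls` and only for ttl_seconds."""
    now = time.time() if now is None else now
    if user_id not in REAL_KEYS:
        raise KeyError("no stored key for user")
    unknown = set(allowed_calls) - LIMITED_CALLS - FULL_CALLS
    if unknown:
        raise ValueError(f"unknown calls: {sorted(unknown)}")
    payload = {"sub": user_id, "scope": sorted(allowed_calls), "exp": int(now + ttl_seconds)}
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"


def check_token(token, call, now=None):
    """Return (allowed, reason-or-user). The signature is checked before any field is trusted."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(sig, _sign(body)):
        return False, "bad signature"
    payload = json.loads(_b64d(body))
    if now >= payload["exp"]:
        return False, "expired"
    if call not in payload["scope"]:
        return False, "out of scope"
    return True, payload["sub"]


def proxy_request(token, call, now=None):
    """Per-request decision: validate the derived token, then pick the stored key to forward with.

    The upstream call itself is omitted; the returned dict records what would happen."""
    ok, info = check_token(token, call, now)
    if not ok:
        return {"forwarded": False, "reason": info}
    real_key = REAL_KEYS[info]
    # Only a fingerprint of the real key is ever shown outside the proxy.
    return {"forwarded": True, "user": info, "call": call,
            "key_fingerprint": hashlib.sha256(real_key.encode()).hexdigest()[:12]}


if __name__ == "__main__":
    # A 12 hour key for a recruitment officer that can read industry jobs but not the wallet.
    tok = issue_token("user-42", {"IndustryJobs"}, 12 * 3600)
    print(proxy_request(tok, "IndustryJobs"))
    print(proxy_request(tok, "WalletJournal"))
```

Revoking a single derived token is then a matter of the proxy refusing it (or simply letting it expire), without touching the full key or any other service's token; rotating `PROXY_SECRET` invalidates every derived token at once while the stored full keys stay usable.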
CCP Stillman
Posted - 2010.10.22 17:42:00 -
[13]
Originally by: Nikolai Kondratiev And +1 for killmails using Limited API Keys, it would also make the killboard system much more reliable, since people share this one much more easily than the full one.
If we were to do this (I'm not saying we will, but it could be considered), would there be anybody who would NOT like that?
Commander TGK
Gallente The Deep Space Armada Rising Phoenix Alliance
Posted - 2010.10.22 18:17:00 -
[14]
Stillman please do this, we would very much appreciate a better method for the KBs.
0oO0oOoOo0o
Posted - 2010.10.22 19:38:00 -
[15]
Edited by: 0oO0oOoOo0o on 22/10/2010 19:39:43
Originally by: Yuda Mann
It's so you can use a 3rd party piece of software or website to read your own mail. I think what CCP needs to do is make a 3rd security level for API's.
If someone likes to read his mails while not in game, he already has a tool for that, called EveGate. Creating mechanics, where someone can poke his nose into private communications of others, is simply indecent.
TheLostPenguin
Posted - 2010.10.22 20:46:00 -
[16]
Originally by: CCP Stillman
Originally by: Nikolai Kondratiev And +1 for killmails using Limited API Keys, it would also make the killboard system much more reliable, since people share this one much more easily than the full one.
If we were to do this (I'm not saying we will, but it could be considered), would there be anybody who would NOT like that?
Seems like a fairly sensible approach to take, as was already mentioned this data is essentially in public domain anyway as the other party receives it also, I for one would be more likely to consider sharing a limited key for this purpose than the full one.
Originally by: 0oO0oOoOo0o Edited by: 0oO0oOoOo0o on 22/10/2010 19:39:43
Originally by: Yuda Mann
It's so you can use a 3rd party piece of software or website to read your own mail. I think what CCP needs to do is make a 3rd security level for API's.
If someone likes to read his mails while not in game, he already has a tool for that, called EveGate. Creating mechanics, where someone can poke his nose into private communications of others, is simply indecent.
Maybe some people also like to check their mails OOG using something with a nice UI? A nice, highly customisable setup for multiple API keys with varying levels of access would be awesome, but I'm really not going to hold my breath for that to happen, because Soon™ surely doesn't apply to something that may be considered for adding to the to-do list sometime in 2015.
Azmodeus Valar
Eve University Ivy League
Posted - 2010.10.22 20:53:00 -
[17]
Another great option would be a separate API for corporations only, so that corporate applications can use that API instead of the full API of a director.
Ixtelle
Posted - 2010.10.22 23:37:00 -
[18]
Does the log differentiate whether a request was made with full or limited keys? I don't see anything that would show that, but OTOH I haven't given my full key out anywhere so maybe that's why. Still, would be nice to know.
Nikolai Kondratiev
Sphere Design Inc.
Posted - 2010.10.23 00:04:00 -
[19]
Edited by: Nikolai Kondratiev on 23/10/2010 00:05:21
Originally by: Ixtelle Does the log differentiate whether a request was made with full or limited keys? I don't see anything that would show that, but OTOH I haven't given my full key out anywhere so maybe that's why. Still, would be nice to know.
Pretty sure the only way to know is to check the calls made and see if they require a limited or full API key (I assume failed calls don't get logged).
_ Mining Crystal BPOs Angel Ships
Tonto Auri
Vhero' Multipurpose Corp
Posted - 2010.10.23 00:18:00 -
[20]
Edited by: Tonto Auri on 23/10/2010 00:19:26
Originally by: DmitryEKT is there plans to add a way to "uncreate" an api key - creating a new one wipes the old one, but if i didn't want to have one active at all, there doesn't seem to be a way to do that? yes, i know it's not something you can guess because of how long it is, but still, would be nice for those of us who are overly paranoid...
All keys are always created. There's no state where you don't have an API key generated for your account (provided you have an account).
Originally by: Nikolai Kondratiev Pretty sure the only way to know is to check for the calls made and see if they require a limited or full api key (I assume failed calls don't get logged)
All calls made to the API with your UserID are logged per your UserID. They differ by response code, however.
-- Thanks CCP for cu
SirHarryPierce
Posted - 2010.10.23 00:28:00 -
[21]
Is there a list somewhere that has known (safe) IP addresses on it?
I found these in my log:
"94.229.74.*" > EVE metrics
"82.99.35.20" > EVEboard
And my home and phone providers...
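The check this post is doing by hand (compare every source address in the API access log with the services you knowingly gave a key to, and treat the rest as unknown) can be scripted, and the two heuristics from the posts around it fit in naturally: Nikolai's suggestion to classify each logged call by whether it needs the limited or the full key, and Tonto Auri's note that rejected calls are logged too but with a different response code. The Python below is an added example, not code from the thread or from CCP. The log format is made up for the example (CCP's real log layout is not shown on this page), the split of call names by key level is an assumption, and the two allowlist entries are the mappings SirHarryPierce reports from his own log, with "94.229.74.*" read as the /24 it denotes.

```python
import ipaddress
from collections import Counter

# Sources the key holder knowingly gave a key to; anything else is "unknown".
KNOWN_SOURCES = {
    "EVE metrics": ipaddress.ip_network("94.229.74.0/24"),
    "EVEboard": ipaddress.ip_network("82.99.35.20/32"),
}

# Assumption: which call names need the full key. The log does not say which
# key level a request used, so each call name is classified instead.
FULL_KEY_CALLS = {"WalletJournal", "MailMessages", "IndustryJobs"}

# Constructed sample log in a made-up format:
# "<date> <time> <source ip> <call> <http status>".
SAMPLE_LOG = """\
2010-10-22 11:40:12 94.229.74.17 CharacterSheet 200
2010-10-22 11:40:13 94.229.74.17 SkillInTraining 200
2010-10-22 13:02:44 82.99.35.20 CharacterSheet 200
2010-10-22 18:15:01 203.0.113.9 WalletJournal 200
2010-10-22 18:15:02 203.0.113.9 MailMessages 403
2010-10-23 00:10:30 198.51.100.7 KillLog 200
"""


def parse_log(text):
    """Turn the constructed log text into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, ip, call, status = line.split()
        rows.append({"ts": f"{date} {clock}", "ip": ipaddress.ip_address(ip),
                     "call": call, "status": int(status)})
    return rows


def label_source(ip):
    """Name of the known service an address belongs to, or None."""
    for name, net in KNOWN_SOURCES.items():
        if ip in net:
            return name
    return None


def classify(row):
    """Triage a request from an unknown source by call type and response code."""
    if row["status"] != 200:
        return "rejected"          # logged, but the key did not permit the call
    if row["call"] in FULL_KEY_CALLS:
        return "full_key_success"  # strongest sign that the full key is out
    return "limited_success"       # the limited key (at least) is out


def review(text):
    """Return (findings for unknown sources, request count per source)."""
    findings = []
    per_source = Counter()
    for row in parse_log(text):
        src = label_source(row["ip"])
        per_source[src or str(row["ip"])] += 1
        if src is None:
            findings.append({"ts": row["ts"], "ip": str(row["ip"]),
                             "call": row["call"], "kind": classify(row)})
    return findings, per_source


if __name__ == "__main__":
    found, counts = review(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']:>15} {f['call']:<16} {f['kind']}")
    print(dict(counts))
```

A `full_key_success` finding from an address you cannot account for is the one that warrants regenerating the key straight away; `rejected` entries show someone holding a key and probing calls it does not allow, which is worth knowing even though nothing was returned. Home and phone provider ranges, as the post notes, will also show up as unknown unless they are added to the allowlist.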
LegendaryFrog
Caldari GoonWaffe Goonswarm Federation
Posted - 2010.10.23 01:47:00 -
[22]
Originally by: CCP Stillman
Originally by: Nikolai Kondratiev And +1 for killmails using Limited API Keys, it would also make the killboard system much more reliable, since people share this one much more easily than the full one.
If we were to do this (I'm not saying we will, but it could be considered), would there be anybody who would NOT like that?
I can't think of anything negative that would come from it, and it would certainly be a big improvement with these full api key changes.
mazzilliu
Posted - 2010.10.23 02:47:00 -
[23]
im in ur apis, stealin ur keys
Reminding people about security won't make them more secure; forcing them kicking and screaming to change their credentials every once in a while will.
Gnulpie
Minmatar Miner Tech
Posted - 2010.10.23 07:15:00 -
[24]
Good blog, good reading! Thanks!
Can we have a longer history for the API access maybe? I think 7 days is not long enough.
Ismil
Posted - 2010.10.23 11:20:00 -
[25]
I see incoming panics and revoked API Keys: http://up.frubar.net/322/ad.png
Kerdrak
D00M. Northern Coalition.
Posted - 2010.10.23 11:47:00 -
[26]
Originally by: CCP Stillman
Originally by: Nikolai Kondratiev And +1 for killmails using Limited API Keys, it would also make the killboard system much more reliable, since people share this one much more easily than the full one.
If we were to do this (I'm not saying we will, but it could be considered), would there be anybody who would NOT like that?
Killmails are not private info, since 4 entities have access to the same killmail:
- Final blow dealer
- Final blow dealer's corp
- Victim
- Victim's corp
Can't see anything wrong with putting the killmails in the limited API.
woddel
Gallente Canis Industries Ltd Avaricious Cartel
Posted - 2010.10.23 13:30:00 -
[27]
Edited by: woddel on 23/10/2010 13:34:21
"193.108.137.*" > EVE Commander & EC Shops
Oh, and one more thing: I think the title of the devblog is a bit misleading: "API security - to whom do you give the keys to your spaceship?" -> it reads somehow like giving away a car key, meaning the recipient could fly, eh, drive away with your car and steal it. This is, obviously, not true concerning the API keys... :)
--- creator and maintainer of EVE Commander - complete web based character information tool and EC agent finder
ceaon
Posted - 2010.10.23 16:04:00 -
[28]
Originally by: CCP Prism X
We'll look into the security concerns of lowering the kill mail API to the limited key.
just make a ****ing api key for KM/KB
Originally by: CCP Adida The male thread was locked because the discussion turned into transsexuals and man boobs.
Lynn Deniera
Caldari The Foreign Legion Wildly Inappropriate.
Posted - 2010.10.24 18:33:00 -
[29]
You should really mention that with the limited API key you can see how much ISK they have.
Catari Taga
Centre Of Attention Middle of Nowhere
Posted - 2010.10.24 21:42:00 -
[30]
Originally by: CCP Stillman
Originally by: Nikolai Kondratiev And +1 for killmails using Limited API Keys, it would also make the killboard system much more reliable, since people share this one much more easily than the full one.
If we were to do this (I'm not saying we will, but it could be considered), would there be anybody who would NOT like that?
Make it a separate key. --