I do understand that it is usefull for some. Is there however a way to disable sso for all sites except the eve sites from ccp?
I have a very nasty habbit not to trust any other site. Maybe that has something to with my day job. I test software for a rather big organisation. About 30k employees

Btw I have 15 different passwords for 15 different sites. And I don't use a program to manage that.

You'll always have to click through (for character selection), and until you do, nothing gets sent to the site. (when you do, all the site gets is your character id and name, along with a hash to uniquely identify the combination of character and account. Sell the character, and it changes. No way to identify the account, just that it's changed.)

For Luddites like myself, will we still be able to log onto the Eve site as we do today, or are we being forced to use this SSO nonsense?

You're picturing a naughty site using the real CCP SSO page. The anughty site won't get any useful information until you pick the character, and even then the information isn't that useful. It would be much more effective to have a naughty site using a fake CCP SSO page.

How many people are going to check the domain and validate the certificate and all that?

Pssst. You've been using the SSO for a fairly long time now.

We have this total rubbish, but we still can't change characters without relogging? What a load of poppycock.

What about Amazon??

I **THOUGHT** I was using SSO to sign on there for like a year now???

You need to explain to me how these two things are linked. One is the login mechanism used by our web sites and services and the launcher, the other is a large repository of legacy code that assumes the character ID won't change while the session is active.

how can anyone say facebook is involved with enhanced security... unless it's because they're a breech?

I don't care who else authenticates the information. If facebook's involved, it's a leaky sieve. There is NO security.

He is referring to the fact that Eve players have been pissed off for quite a while now, because CCP seems to have time and resources for this project that literally zero people wanted or asked for and will cause phishing to go though the damn roof because no matter how secure you make it people are still stupid, but on the other hand finding time to, literally widdle away close to 2 million dollars on failed game projects, but at the same time lack time and resources to providing BASIC functionality and UI customisability that other games have had for decades.

I know that (probably) has nothing to do with you personally, but it still annoys people.

We already have API keys for logging into external sites, we don't need the risk of exposing passwords either through user error, webmaster error or plain simply tech error. We know that SSL is probably compromised if not already but soon.

I do understand that it is usefull for some. Is there however a way to disable sso for all sites except the eve sites from ccp?
I have a very nasty habbit not to trust any other site. Maybe that has something to with my day job. I test software for a rather big organisation. About 30k employees

Btw I have 15 different passwords for 15 different sites. And I don't use a program to manage that.

How about anonymity and privacy?

What happens when i have signed into EVE and then browse one of those sites?

Will i first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...

Also, what happens to my EVE session when i chose to logout from SSO to browse one of those sites while trying to preserve my dignity?

I would expect at least a clear privacy statement regarding everything involved with SSO before being forced using any of it.
Also am i forced to use it?

It is because of all those "goodness" happening to us lately that i knowingly refuse and avoid having a facebook account or anything similar that connects different data sources voiding your privacy.

Well, there is only speculation that it is insecure. Though Microsoft indicated to disable RC4 stream ciphers completely.

http://en.wikipedia.org/wiki/RC4

But yes, it's not so good for this to be preferred over higher ciphers. If I disable RC4 stuff in Firefox, it connects with something a little better,

TLS_RSA_WITH_AES_256_CBC_SHA

Still no perfect forward secrecy, but better. I don't know why servers seem to prefer crappier crypto over better crypto out of the box.

You have to explicitly authenticate against those sites, picking the character that you want them to see.

Nothing automatic.

(And it has been stated, you're already using it. It's how you sign into any CCP site. Third party sites have an additional step, not seeing the account level, just a character you select as part of the auth process)

Facebook aren't involved. They were mentioned as an example of an SSO service. Nothing else.

How about anonymity and privacy?

What happens when i have signed into EVE and then browse one of those sites?

Will i first have to go there so that they can catch my name and IP and then have to log out there to change to anonymity or another non-SSO account? Which of course is useless since they already have my IP from SSO...

Also, what happens to my EVE session when i chose to logout from SSO to browse one of those sites while trying to preserve my dignity?

I would expect at least a clear privacy statement regarding everything involved with SSO before being forced using any of it.
Also am i forced to use it?

It is because of all those "goodness" happening to us lately that i knowingly refuse and avoid having a facebook account or anything similar that connects different data sources voiding your privacy.

How is it going to work for someone who wants to be one character when logging into this alliances infrastructure and another character when logging into another alliances infrastrcuture? I guess he will just have login with username and password each time he goes to either forum. No more cookies for him.

I can answer that, judging from what I have seen regarding CCP's policies 'behind the scene'.

The third parties won't get your IP address if you go to them after logging in with EvE online. Instead, they will get CCP's IP as your proxy.

Nope. No proxy.

They'll get your IP address. Just like they would if you went to their site anyway.


The process is:

• Go to the 3rd party site.
• Click the login link.
• This sends you to the login.eveonline.com site (for the live version. sisilogin.testeveonline.com for the dev), with an identifier saying which site you're coming from.
• You log onto that site.
• You pick a character.
• You get sent back to the original site, onto a particular url that the site owner specified. A code is passed as part of the redirect.
• That code is checked by the original site (talking to login.eveonline.com) with a secret that's not shared. If everything matches, the character id etc is sent back.

You need to explain to me how these two things are linked. One is the login mechanism used by our web sites and services and the launcher, the other is a large repository of legacy code that assumes the character ID won't change while the session is active.

Maintaining and updating the older encryption takes less time (costs less) than develping a new encryption. New encryption by default must be radically different from the encryptions they replace, otherwise, their 'shelf-life' is severely curtailed.
Digital Security is a very dynamic field. Malware developers are being paid big money for their product and security firms are as well. There is only one way to 'complete and perfect security'... don't get online and don't provide services to anyone.