| Pages: [1] 2 :: one page |
| Author |
Thread Statistics | Show CCP posts - 0 post(s) |
Jargoon
GoonFleet
GoonSwarm
   |
Posted - 2007.04.26 05:23:00 -
[1]
Edited by: Jargoon on 26/04/2007 05:33:45
My corp mates and I been developing some web applications for managing various parts of EVE (characters, ship fittings, corp/alliance stuff, etc), and the one problem that keeps cropping up is verifying that a character does in fact belong to a user.
Currently, the only 100% foolproof way to do this is to have the user input their EVE username and password, and then have my application download their character XML and verify that the character is listed (similar to how EVEMon does it). Understandably, a lot of players aren't so keen on this idea.
There's a much easier way to do this, of course, which is to have the user browse to the site with the IGB and read the headers. Only problem is it's extremely easy to spoof the headers with Firefox or a local proxy, which leads to all sorts of ways in for spies, etc.
I think the best way to fix this is to have the IGB run through a CCP-owned proxy server. That way, all a web application needs to do is see that the request is coming from the IP address of the proxy server and it knows that it's getting valid, non-spoofed headers.
There are a couple of tradeoffs: namely slightly longer website loading times in the IGB, and the need for CCP to set up a proxy server. However, it seems to me the resulting growth in EVE community sites and web applications would give CCP a large intangible benefit in the form of an expanded and healthier player community, which of course would result in happier players, more press coverage, and more subscriptions.
|
Jargoon
GoonFleet
GoonSwarm
|
Posted - 2007.04.26 06:30:00 -
[2]
I'd also appreciate some feedback from other technical types as to why this *wouldn't* work 
|
Tani Yih
Minmatar
NED Holdings
|
Posted - 2007.04.26 06:52:00 -
[3]
I actually gave ideas such as these thoughts myself.
An actually decent level of security, in my opinion, is if you did a combination. It's what I did for my web program anyway.
1) Do rigid checking on the header for small errors in the spoof .. and if invalid, ban their IP (don't give them second chances)
2) Record the IP adres for valid users/first time users. If it changes ... ban! (Or, do not and keep an eye on them for leaked information suddenly appearing).
|
Dal Rath
|
Posted - 2007.04.26 10:39:00 -
[4]
This is a well known issue and has been dicussed before. I don't think it's likely CCP will take on the bandwidth costs of proxying all the IGB web traffic. My own preferred solution is cryptographic signing of the headers. By signing the EVE header information with a private key, the EVE game server could allow any site to verify the information using the corresponding public key, which could be e.g. published on the EVE web site. If pilot location information is excluded, this signing need only be done by the game server at user login time, with the signature being provided to the game client at that time. The client could then include it as an additional header when making requests to trusted sites. The problem of man in the middle attacks could be partially addressed by including the client's IP in the data to be signed, although for players behind a web proxy this is still not totally robust. |
Tolomea
Gallente
5th Front enterprises
New Eve Order
|
Posted - 2007.04.26 12:20:00 -
[5]
Currently we require each character to register and provide a password, this works well enuf but auto complete in the IGB would be nice.
With regards to the original suggestion I don't thing CCP will swallow the bandwidth cost and even if they did it's a non trivial development effort for them as the link from the IGB to the proxy would have to be bundled into the normal client link to prevent other forms of abuse.
The encrypting suggestion however has serious potential.
But I think maybe we are over thinking this, headers are fakeable because a third party can determine sufficiently what they are going to say to fake the info. Most sites I've seen are using session cookies to remember people who have already authenticated, surely longer life cookies would be sufficient to eliminate having to provide a password all the time. Then to fake someone's headers you'd need to lift the cookie off their machine or snoop it from the pipe and if an attacker can do that then the eve account is probably compromised anyway.
|
Jargoon
GoonFleet
GoonSwarm
|
Posted - 2007.04.26 17:20:00 -
[6]
 Originally by: Tolomea
Currently we require each character to register and provide a password, this works well enuf but auto complete in the IGB would be nice.
Just to clear up what I'm talking about, it's not for signing in to sites. It's for verifying ownership of a character. The user would create an account on the site first, then sign in through the IGB to say "hey, I really own this character".
I like Dal Rath's idea of digitally signing the header, encryption might be a little overboard because not every app needs 100% assurance of header authenticity and digital signatures are nice and lightweight in comparison.
|
Sofring Eternus
|
Posted - 2007.04.26 19:32:00 -
[7]
Couldnt you have corp mates EvE-mail their IGB account name to verify who is who, initial data collection would be a pain, but after that upkeep should be fairly simple if you keep a spreadsheet or database cross-referencing pilots and IGB.
|
Jawas
Gallente
|
Posted - 2007.04.26 19:37:00 -
[8]
Originally by: Tani Yih
2) Record the IP adres for valid users/first time users. If it changes ... ban! (Or, do not and keep an eye on them for leaked information suddenly appearing).
Won't work because of dynamic IP addresses. Mine changes every 24 hours. Also, I could create the semblance of a static IP by using Dynamic Network Services like dynDNS but my real IP could change every minute.
--
Sig design in training: Remaining time 30 years 20 days, 4 hours, 10 mins, 15 seconds. |
Jargoon
GoonFleet
GoonSwarm
|
Posted - 2007.04.26 20:50:00 -
[9]
Originally by: Sofring Eternus
Couldnt you have corp mates EvE-mail their IGB account name to verify who is who, initial data collection would be a pain, but after that upkeep should be fairly simple if you keep a spreadsheet or database cross-referencing pilots and IGB.
Over 4000 people in the alliance 
|
Tonto Auri
Center for Advanced Studies
|
Posted - 2007.04.26 21:55:00 -
[10]
Linkage
Really... ppl.. Why You try to invent wheels?
PHP have built-in sessions support and with some additional precautions it works well for any tasks You want to solve.
--
. |
Tonto Auri
Center for Advanced Studies
|
Posted - 2007.04.26 22:05:00 -
[11]
Originally by: Jargoon
Originally by: Tolomea
Currently we require each character to register and provide a password, this works well enuf but auto complete in the IGB would be nice.
Just to clear up what I'm talking about, it's not for signing in to sites. It's for verifying ownership of a character. The user would create an account on the site first, then sign in through the IGB to say "hey, I really own this character".
I like Dal Rath's idea of digitally signing the header, encryption might be a little overboard because not every app needs 100% assurance of header authenticity and digital signatures are nice and lightweight in comparison.
I was thinking about digital signatures and other stuff in IGB headers and I can't see any easy ways to do that except built-in encription into EVE server (any client-side key can be extracted and reused outside client).
So only real, fast and easy way to be sure that this registered website account and EVE chracter have same owner is to give account rights manually by ingame request.
Also You can keep unique link "1 account = one character" and ask Your mates to tell any problem occured due to website registration (i.e. if someone try to register under corp member character' and spoof IGB headers and after that Your real member try to associate himself with that character and get error "already exist")
--
. |
Shae Nae
|
Posted - 2007.04.27 04:10:00 -
[12]
Originally by: Tonto Auri
Linkage
Really... ppl.. Why You try to invent wheels?
PHP have built-in sessions support and with some additional precautions it works well for any tasks You want to solve.
Yeah, that's all well and good. But what's to prevent a random person from registering an account? You could manually approve all the accounts, but for applications that could have thousands of users that's not really a good option.
I think the encryption approach would be best. It wouldn't put in extra load on CCP's servers, and would prevent any form of header spoofing.
|
voogru
Gallente
Massive Damage
|
Posted - 2007.04.27 05:23:00 -
[13]
Originally by: Dal Rath
This is a well known issue and has been dicussed before. I don't think it's likely CCP will take on the bandwidth costs of proxying all the IGB web traffic. My own preferred solution is cryptographic signing of the headers. By signing the EVE header information with a private key, the EVE game server could allow any site to verify the information using the corresponding public key, which could be e.g. published on the EVE web site. If pilot location information is excluded, this signing need only be done by the game server at user login time, with the signature being provided to the game client at that time. The client could then include it as an additional header when making requests to trusted sites. The problem of man in the middle attacks could be partially addressed by including the client's IP in the data to be signed, although for players behind a web proxy this is still not totally robust.
This wont work, I wont say why. But it wont.
There would still be ways around this.
Basically, don't do anything that has to be secure over IGB. It'll never ever be secure.
|
Dal Rath
|
Posted - 2007.04.27 17:25:00 -
[14]
Originally by: voogru
This wont work, I wont say why. But it wont.
I can kill a titan using only a frigate. I won't say how, but I can.
Seriously, stop making unsubstantiated claims, it's worse than smacktalk. 
Dal. |
Erfnam
Time Cube Syndicate
|
Posted - 2007.04.27 18:22:00 -
[15]
Originally by: Dal Rath
Originally by: voogru
This wont work, I wont say why. But it wont.
I can kill a titan using only a frigate. I won't say how, but I can.
Seriously, stop making unsubstantiated claims, it's worse than smacktalk.
Dal.
There are long winded technical reasons why having a CCP run proxy will not work. Short answer, it's still possible to spoof information.
Capital Sales |
Jimer Lins
Gallente
Sanctuary
|
Posted - 2007.04.27 20:29:00 -
[16]
I'm working on a web app myself, and the best solution I've found so far is to use the headers for the username and force the user to enter a password, but not their EVE-O one.
My app just uses a hash of the password provided and doesn't store the actual pw. So you've got a few levels of trust- the "basic" which assumes you may or may not be who you claim to be, then the "authenticated", which relies on using the provided username, which is spoofable, and a password, which is not.
Sanctions, embargoes and blockades- discuss PVP with ISK! |
Tonto Auri
Center for Advanced Studies
|
Posted - 2007.04.28 00:00:00 -
[17]
Originally by: Shae Nae
Originally by: Tonto Auri
Linkage
Really... ppl.. Why You try to invent wheels?
PHP have built-in sessions support and with some additional precautions it works well for any tasks You want to solve.
Yeah, that's all well and good. But what's to prevent a random person from registering an account? You could manually approve all the accounts, but for applications that could have thousands of users that's not really a good option.
Not "could". "Should" and always do that manually.
And about "random" (as You said) registration - not a problem in any way.
I'll explain one possible solution. (Consider all that does in IGB)
1. Registration page checks that actual character isn't registered with webserver, shows charname to user and asks for email.
2. After that it generates confirmation code and send it to email provided.
3. User copy that confirmation link and insert into IGB aggress line.
4. Registration page checks that confirmation are valid and ask user to set up password for account.
5. Registration completed and user can log in and use all IGB based services.
Quote:
I think the encryption approach would be best. It wouldn't put in extra load on CCP's servers, and would prevent any form of header spoofing.
It would put extra load on CCP's servers. Or You not know how it can be done in non-exploitable way.
Need example of exploit? Let's EVE client have key stored in their .stuff files (or compiled in EXE file). Someone who have to sneak around IGB trace that key location, strip surrounded code and get clear encryption key for their needs. So we 're back at our starting point: our headers remains the same as unencrypted.
One possible addition to solve that problem is to use account name+password hash as private key... ghmm... I'm not that skilled in encryption algo and I need some sleep before I can investigate this way...
Once we have private key.. where we should get an authorised public key?
Possible... from EVE web... as it always knows our L+P hash...
So, complete secured construction can be looks like...
1. EVE server generates per-character public key each time we change our password... We need an option to create public key for each existing character.
2. EVE client knows our password, account and character name and can generate private key each time we log in.
3. Each time IGB request pages from approved server, client form and send "EVE_Fingerprint: HHHH" header along with other EVE headers.
4. If target website have to trust that request, it can ask EVE-o for public key and verify fingerprint against it.
--
. |
Tolomea
Gallente
5th Front enterprises
New Eve Order
|
Posted - 2007.04.28 01:34:00 -
[18]
yeah the encryption idea is flawed
if the private key is client side then it's hackable and its the sort of hack that only needs to be done once
if it's server side then either we only sign the header block which means the signed headers can be copied whenever you access some other trusted site
or we sign the whole message which requires proxying all traffic back through CCP for signing, and even if that is secure it brings in a ton of development effort and extra server load.
|
Dal Rath
|
Posted - 2007.04.28 11:12:00 -
[19]
Edited by: Dal Rath on 28/04/2007 11:09:01
Originally by: Tolomea
yeah the encryption idea is flawed
if [the private key is] server side then either we only sign the header block which means the signed headers can be copied whenever you access some other trusted site
The key is server side. The signed data includes the header block, plus client IP. Therefore, the signed data can be replayed to a 3rd party site by a malicious intermediary only if the intermediary can also use the client's IP address. The only situation in which that is feasible is a) two users sharing the same machine or b) two users behind the same proxy. I've already made clear it's not perfect in that respect, but it's a heck of a lot better then what we have now.
Dal. |
Dal Rath
|
Posted - 2007.04.28 11:37:00 -
[20]
Edited by: Dal Rath on 28/04/2007 11:39:04
Originally by: Jargoon
Currently, the only 100% foolproof way to do this is to have the user input their EVE username and password, and then have my application download their character XML and verify that the character is listed (similar to how EVEMon does it). Understandably, a lot of players aren't so keen on this idea.
Another way CCP could improve this is to give players the ability to allow certain 3rd parties to verify their character ownership without having to disclose the account password. For example, a player logs in to the CCP site and goes to a page that generates a unique one time key. They then give this to the 3rd party site as part of the signup. The third party site can send it back to CCP's servers which will validate it, perhaps returning the character name(s) of the users. For added security the player may specify to the CCP servers which site may try to validate the key.
Edit: Actually there is a variation on that which requires no effort on CCP's part. The 3rd party site generates a ony time key as part of the new user signup process. The user logs in to CCP's forums and posts that key in a message on e.g. the EVE forum experiments board. They indicate to the 3rd party site that they have done this. The site then downloads the CCP fourm page and parses it, determining which character posted the message with the key. |
Tolomea
Gallente
5th Front enterprises
New Eve Order
|
Posted - 2007.04.28 23:31:00 -
[21]
Originally by: Dal Rath
Edited by: Dal Rath on 28/04/2007 11:09:01
Originally by: Tolomea
yeah the encryption idea is flawed
if [the private key is] server side then either we only sign the header block which means the signed headers can be copied whenever you access some other trusted site
The key is server side. The signed data includes the header block, plus client IP. Therefore, the signed data can be replayed to a 3rd party site by a malicious intermediary only if the intermediary can also use the client's IP address. The only situation in which that is feasible is a) two users sharing the same machine or b) two users behind the same proxy. I've already made clear it's not perfect in that respect, but it's a heck of a lot better then what we have now.
Dal.
forgot about the IP didn't I, yeah that sounds more reasonable but it's interaction with NATing routers and proxies is going to be interesting, I guess as long as your IGB connection isn't proxied and both your IGB and client data are going through the same NAT(s) then it should all work out ok
|
Tonto Auri
Center for Advanced Studies
|
Posted - 2007.04.29 01:52:00 -
[22]
Read again. Study encryption technology. Stop spamming. Please.
Originally by: Tonto Auri
1. EVE server generates per-character public key each time we change our password... We need an option to create public key for each existing character.
2. EVE client knows our password, account and character name and can generate private key each time we log in.
3. Each time IGB request pages from approved server, client form and send "EVE_Fingerprint: HHHH" header along with other EVE headers.
4. If target website have to trust that request, it can ask EVE-o for public key and verify fingerprint against it.
--
. |
Jargoon
GoonFleet
GoonSwarm
|
Posted - 2007.05.01 08:25:00 -
[23]
Edited by: Jargoon on 01/05/2007 08:22:47
Originally by: Dal Rath
Edited by: Dal Rath on 28/04/2007 11:39:04
Another way CCP could improve this is to give players the ability to allow certain 3rd parties to verify their character ownership without having to disclose the account password. For example, a player logs in to the CCP site and goes to a page that generates a unique one time key. They then give this to the 3rd party site as part of the signup. The third party site can send it back to CCP's servers which will validate it, perhaps returning the character name(s) of the users. For added security the player may specify to the CCP servers which site may try to validate the key.
Edit: Actually there is a variation on that which requires no effort on CCP's part. The 3rd party site generates a ony time key as part of the new user signup process. The user logs in to CCP's forums and posts that key in a message on e.g. the EVE forum experiments board. They indicate to the 3rd party site that they have done this. The site then downloads the CCP fourm page and parses it, determining which character posted the message with the key.
Another option would be for CCP to set up a simple OpenID server that's tied into the current username/password table in the database.
Basically how OpenID works is: first, the user would put in their EVE username on the 3rd party site. The site would redirect the user to the EVE OpenID server URL for that user (ex. http://openid.eve-online.com/Jargoon/). Then, the site would redirect the user to that URL, where the user would input their username and password. If successful, the EVE Online OpenID server redirects the user back to the original 3rd party site, along with a status code that indicates whether or not the sign-in was successful. At no time does the 3rd party site have access to the user's EVE Online password. The OpenID server can even put a cookie on the user's computer so the user only has to authenticate once ever on a given computer (which would save CCP a ton of bandwidth and overhead).
If you have an AOL Instant Messenger account, you can try it out now. Just go to http://jyte.com or Livejournal or any other OpenID enabled site and login with this url: http://openid.aol.com/My%20Screenname
|
Seidr
Amarr
Icarus' Wings
|
Posted - 2007.07.10 23:21:00 -
[24]
Edited by: Seidr on 10/07/2007 23:23:12
I've been hammering out a funky little script to address this issue, which should allow users to attain a one-time key that will be automatically validated in-game(no macro clients, perfectly legal using resources available, thanks CCP) which can then be used in other online applications for the IGB via an API to validate a session. The bulk of the work is complete, but I've got to look for another host, as the port forwarding on my router is totally borked, and the free host I was using throws me up on a 15m access ban after more than a couple of queries within the space of 10 seconds.
Hopefully, I'll have a demo / working product to show tomorrow, so fingers crossed the IGB should come a whole lot more useful in coming weeks. Who knows, this script may go completely unnoticed, but I'm going to finish it none the less. I script for fun, and out of game<->in game interaction is something I love to play with. Second Life got me started on that, what with their XML-RPC interface. Managed to knock up a neat little set of scripts for two-way communication from in-game objects and out-of-game HTTP servers.
Anyway...watch this space. Since I was made redundant all my time is not held up in one hell of a bulky project, and I can finally play with projects of my own. There's only limited time until I find another posting, so fingers crossed I get this done before then! :)
|
xOm3gAx
Caldari
Stain of Mind
|
Posted - 2007.07.10 23:37:00 -
[25]
set it up to use the api as a verifier. so the IGB uses the headers at first but thent he user must input their API / Char ID to verify they are who they say they are.
-----------
"Mercinaries never die, we just go to hell to regroup." -xOm3gAx '99
|
Seidr
Amarr
Icarus' Wings
|
Posted - 2007.07.10 23:41:00 -
[26]
Edited by: Seidr on 10/07/2007 23:42:25
I've worked out a solution that will allow pilots to attain a flawlessly verifiable ID, bar characters being sold, or changing hands via other means. As mentioned, I hope to having a working copy, or at least a local demo / spec up on this thread tomorrow evening at the latest, tomorrow mid day as a hopeful :)
Edit: The headers play a small part in this script. It relies on them to retrieve the characters pilot name, but not to validate their ID key. Rule #1: NEVER trust anything that is provided by the user. Verify, verify and verify!
|
Seidr
Amarr
Icarus' Wings
|
Posted - 2007.07.11 10:34:00 -
[27]
Well, the script is pretty much done. I'm just sorting out some temporary hosting now, and then you'll be able to see it in action :)
Here is a description of the service:
Quote:
EvEReg is a system to allow sites that use EvE Onlines IGB for applications and services to ensure that registrations to their services are genuine.
Once a user registers with us, they are required to verify their registration by sending a random amount of ISK to our verification character in game; think of it as an ingame turing test. When an account is validated, a unique EvEReg ID is issued (a random MD5 hash) to the player.
This ID can be used with EvERegs' API to verify that a character who registers to your application or service, is indeed who they say they are.
The reason this was made is due to the ease of falsifying headers sent from the IGB, to web sites. Implementing the EvEReg API is easy, and allows you to instantly verify a users identification using their EvEReg ID.
|
Katana Seiko
Made in Germany
|
Posted - 2007.07.11 21:09:00 -
[28]
You can request their ID and passhash - with that and the API you can get that XML file without having their username and password...
--
The future begins now - in EVE we live it, in real life we create it!
Your sig is too big. Please keep it under 400x120 and less than 24000 bytes.
-the sexiest moderator ([email protected] |
Tonto Auri
Vhero' Multipurpose Corp
|
Posted - 2007.07.11 21:43:00 -
[29]
xOm3gAx and Katana Seiko, why You think that someone will trust some site enough to give it his APIkey? We here discussing only ways of authentication without information disclosure.
Originally by: Seidr
Once a user registers with us, they are required to verify their registration by sending a random amount of ISK to our verification character in game; think of it as an ingame turing test. When an account is validated, a unique EvEReg ID is issued (a random MD5 hash) to the player.
Brilliant idea...  Thanks for this trick, i'll keep it in my assets for future use.
But i need to add to this thread one suggestion I have posted in API thread.
--
. |
Seidr
Amarr
Icarus' Wings
|
Posted - 2007.07.11 23:52:00 -
[30]
Edited by: Seidr on 12/07/2007 00:00:15
I totally wish CCP would take the same approach to client information as Second Life, although I guess access to in-game objects is way too much to ask, the ability to validate information from the in-game browser should be extremely easy. Even a generated session ID would do the job, allowing IGB sites to verify their users identity!
Oh well, mark kit on the chalk board. I'm going to sleep! :)
|
| |
|
| Pages: [1] 2 :: one page |
| First page | Previous page | Next page | Last page |