Lumy
Minmatar Templars of Space Insurgency
Posted - 2008.04.18 16:37:00 - [1]
I'm working on a web site that normally requires a login/password combination. For user convenience, I want to add an autologin feature for when the site is accessed from the IGB. (Un)fortunately I realized that this authentication is very vulnerable to HTTP request forgery. Every single piece of data sent by the IGB (except corp role and locations) can be obtained directly from the game - so much for "trusted sites".
Maybe I'm missing something really important that would allow me to identify a true IGB. If I am, please tell me. This could really help corp security.
If I'm not, could CCP implement some kind of authentication for 3rd party sites? Maybe give the option to send a Limited/Full Access API key in the IGB HTTP request. Optional, of course.
Until then, I'll rely on the standard login/password approach.

Ki Anna
Ki Tech Industries
Posted - 2008.04.18 17:33:00 - [3]
Your assessment sounds about right.
IGB authentication has been requested before.
In the meantime, about all you can do is auto-populate the username if it is the same as the character name.

Mr Horizontal
Gallente KIA Corp KIA Alliance
Posted - 2008.04.18 17:51:00 - [4]
The only thing I do with the IGB headers is populate the username field on a login form, to save someone typing that in. That doesn't autologin or do anything else - it just fills in the text box with their charname by default.
Director | www.eve-bank.net

Nisd
Amarr Imperial Defence
Posted - 2008.05.06 07:37:00 - [5]
Well, the only way to make it safe is still a password.

Tonto Auri
Vhero' Multipurpose Corp
Posted - 2008.05.06 16:22:00 - [6]
Originally by: Lumy
Maybe I'm missing something really important that would allow me to identify a true IGB. If I am, please tell me. This could really help corp security.
Yes, You're missing an important moment. A very important one: IGB header data is not intended to be a subject of trust. What is the subject of trust is the user's decision to trust You enough to supply Your website with that data. But there is no way back for trust from You to the user, other than password protection. You may populate the username from the header data, but that's all.
-- Thanks CCP for cu

Druadan
Aristotle Enterprises
Posted - 2008.05.08 08:10:00 - [7]
Originally by: Tonto Auri
Originally by: Lumy
Maybe I'm missing something really important that would allow me to identify a true IGB. If I am, please tell me. This could really help corp security.
Yes, You're missing an important moment. A very important one: IGB header data is not intended to be a subject of trust. What is the subject of trust is the user's decision to trust You enough to supply Your website with that data. But there is no way back for trust from You to the user, other than password protection. You may populate the username from the header data, but that's all.
Spot on. The HTTP headers should not be used as authentication data because none of the data are tokens that only the right person knows, the information is not transmitted securely, and, as the OP correctly says, HTTP headers are forgeable.
Username/password is the best you can hope for at the moment.
Sig removed, inappropriate content. If you would like further details please mail [email protected] ~Saint
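As an added illustration, not code from any poster in this thread, the following Python sketch contrasts the two approaches discussed above: an autologin that trusts the IGB character-name header, which a constructed request from an ordinary HTTP client forges trivially, beside the prefill-plus-password login the replies recommend. The header name EVE_CHARNAME, the sample account and the password are assumptions made for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000


def make_user(password):
    """Build a salted PBKDF2 record for the constructed in-memory user store."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample account; a real site would persist this in a database.
USERS = {"Lumy": make_user("correct horse battery staple")}

# Constructed request headers as any non-IGB client could send them; the value is
# simply claimed, nothing in the request proves it came from the game client.
FORGED_HEADERS = {"EVE_CHARNAME": "Lumy"}  # assumed IGB header name


def insecure_autologin(headers):
    """The scheme the OP was about to build: the header alone is treated as proof of
    identity, so the forged request above is logged in as Lumy."""
    name = headers.get("EVE_CHARNAME")
    return name if name in USERS else None


def prefill_username(headers):
    """What the other posters do instead: the header only pre-fills the login form.
    A forged value costs the attacker nothing, because it grants nothing."""
    return headers.get("EVE_CHARNAME", "")


def password_login(form):
    """Authenticate with a secret only the right person knows; headers are ignored."""
    username = form.get("username", "")
    record = USERS.get(username)
    if record is None:
        return None
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", form.get("password", "").encode(), salt, PBKDF2_ROUNDS
    )
    # Constant-time comparison so response timing does not leak hash prefixes.
    return username if hmac.compare_digest(candidate, expected) else None
```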