
Apple Boy
Gallente Thundercats RAZOR Alliance
Posted - 2007.01.16 20:35:00
Originally by: Malrock
Hi, I would like to address a security issue and point out a possible solution. I'm developing a full-blown CMS portal for the IGB; for the most part it's working well, even with the limitations. It has a "security" feature where it uses "EVE trust" to "log in" the user when he uses the IGB to access the portal; when out of game it uses a simple account/password pair, where the account is the character name and the password is whatever the user set it to be while he "registered" using the IGB. Now here's my issue. Request headers can be changed, so the IGB security can be breached. As far as I have tried, I cannot use standard authentication with the IGB (cookie issues? ASP.NET 2.0 forms security), so it still presents a security issue. Now, I know you guys at CCP are constantly busy and all that, but I think there is a simple solution for it. Since the site needs to be added to the "trusted" list anyway, why not add an additional parameter per entry, a saved password if you will, so every request toward a site can contain the password? Since it's per site, a user can define different passwords and thus avoid "phishing". This would also make it possible to bypass the technology barrier and should be quite easy to do.
Although I do believe it would be quite easy to mimic the header information to circumvent the security checks you implement, as I'm making something similar, I'm not sure there is a really decent way to make it totally secure except to have them also make a login/pass combo and be checked by a corp officer before full access is given to the private information. From what you said it sounds like you're talking about using a global one you give to all new members? That still leaves you open after they leave the corp, or if they're a spy.
I haven't read through all 22 pages yet so I'm not sure if something else has been mentioned elsewhere in this thread though. I'm also researching it a bit further as I only started making a site two days ago, so if I find a better secure way of doing it I'll let you know.
As an idea, what about having key pairs, kind of like GPG? A key is generated for each new user and is sent to the client during the bulk data download, and when they access a site the information can be checked against the EVE servers for authenticity. Then have it destroyed on EVE client shutdown. Just a random thought I came up with while writing this.
cheers, Apple
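Added example (not code from this thread, from CCP or from either poster's portal): the header-only check Malrock describes, beside a hardened form of his per-site password idea in which the saved secret keys an HMAC over the character name, a timestamp and a nonce rather than being sent in the clear. The header names, the site secret and the request shape are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
# Assumed header names and a constructed per-site secret (not EVE's real scheme).
SITE_SECRET = b"constructed-per-site-secret"

def header_only_check(headers):
    """Pattern the thread warns about: trust client-supplied headers as-is.
    Anyone who can edit request headers can claim any character name."""
    if headers.get("EVE_TRUSTED", "").lower() != "yes":
        return None
    return headers.get("EVE_CHARNAME")

def sign_request(charname, site_secret, ts, nonce):
    """HMAC over name, timestamp and nonce, keyed with the per-site secret,
    so the secret itself never travels in the request."""
    msg = f"{charname}|{ts}|{nonce}".encode()
    return hmac.new(site_secret, msg, hashlib.sha256).hexdigest()

def make_signed_headers(charname, site_secret, now=None):
    """Client side: what the browser would add per request under this scheme."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return {
        "EVE_CHARNAME": charname,
        "X-Site-Timestamp": str(ts),
        "X-Site-Nonce": nonce,
        "X-Site-Signature": sign_request(charname, site_secret, ts, nonce),
    }

def signed_check(headers, site_secret, seen_nonces, now=None, max_skew=60):
    """Server side: recompute the HMAC; reject bad signatures, stale
    timestamps and replayed nonces. Returns the character name or None."""
    now = time.time() if now is None else now
    try:
        charname = headers["EVE_CHARNAME"]
        ts = int(headers["X-Site-Timestamp"])
        nonce = headers["X-Site-Nonce"]
        sig = headers["X-Site-Signature"]
    except (KeyError, ValueError):
        return None
    if abs(now - ts) > max_skew or nonce in seen_nonces:
        return None
    expected = sign_request(charname, site_secret, ts, nonce)
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        return None
    seen_nonces.add(nonce)
    return charname
```

A forged header set with no knowledge of the site secret passes `header_only_check` but is rejected by `signed_check`, as is a captured request replayed later.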