EVE Technology Lab
API and https?
 
This thread is older than 90 days and has been locked due to inactivity.


 

DAFree
Flaming Fly on Fire
Posted - 2009.12.02 21:03:00 - [1]
 

Maybe I'm paranoid, but I'd like to access the API over a secure connection.
Trying from a browser yields an internal server error (500), as compared to http where I get the XML (by the way, why 500?? Unless there's something wrong, it should at least give 404).
Why isn't this possible?
Setting up server(s) for SSL is a matter of hours (one day tops) for a prepared person/team, and performance shouldn't be an issue with current hardware.

The last question about this I found was from 2007; that's long ago.

Ki Tarra
Ki Tech Industries
Posted - 2009.12.02 23:37:00 - [2]
 

Originally by: DAFree
performance shouldn't be an issue with current hardware
What makes you think that adding encryption would not affect performance on an already stressed server farm?

Jercy Fravowitz
School of Applied Knowledge
Posted - 2009.12.05 15:11:00 - [3]
 

Originally by: Ki Tarra
Originally by: DAFree
performance shouldn't be an issue with current hardware
What makes you think that adding encryption would not affect performance on an already stressed server farm?

The part where you do the SSL on the load balancer in front of the server farm, so it has exactly zero performance impact on the actual API servers.
And SSL for the API is a _good_ idea.

Anyone who was at Fanfest, had a notebook with API apps open there and has not changed all the keys yet?
You really should.

Celebrain
1st Steps Academy
Fidelas Constans
Posted - 2009.12.05 18:30:00 - [4]
 

so..

fanfest without api ssl = api key fest?

that's so ******ed. if ccp was in the usa they'd get their pants sued off for that one!

Dragonaire
Caldari
Corax.
PURgE Alliance
Posted - 2009.12.05 19:48:00 - [5]
 

I'd say someone hasn't heard of 'The wall of shame' they always have at Linux conventions, with a list of computers that have been hacked on a big screen there. Several of the other big computer shows have done the same thing, and it's not CCP's responsibility to protect your computer any more than it's Concord's to do so in 0.0. It's your information and computer, and if you're not protecting it then you'll end up paying the price. Just be glad the API only shows them stuff but doesn't let them change it. I'm sure several (many) of you also signed into Eve while there or back in your hotel rooms, and that's where you'll truly come to regret it.

Celebrain
1st Steps Academy
Fidelas Constans
Posted - 2009.12.05 20:08:00 - [6]
 

Spoken like a true non-American... In the USA there is no such thing as personal responsibility anymore; it's always lawyers suing because everything is always someone else's fault nowadays. I realize probably over 50% of the people here on this forum aren't American citizens, so I'm not saying it's right, just that that's the way it is there. So if CCP was a USA-based company, they'd be sued to the dark ages over it. They should be glad they're not.

In seriousness though, it's excruciatingly frustrating that CCP doesn't give us the tools like SSL and proper authentication and data access controls to protect our own data... All we can do is simply not use the API in a lot of situations, and if you forget to turn off EVEMon when you visit some public area, you're screwed. Sure, you can change your key, but that only helps prevent future unauthorized access; it doesn't undo past unauthorized access.

Dragonaire
Caldari
Corax.
PURgE Alliance
Posted - 2009.12.05 21:06:00 - [7]
 

Some people's posts really show why Americans become hated around the world. Just for your info, I'm an American; I just don't hate everyone else like you seem to. I was born here, have lived here for over 40 years and even fought for my country for that matter.

Next time you really should keep your uninformed opinions to yourself.

The show I was referring to was this: http://www.defcon.org/html/links/dc_press/archives/12/yahoo_airdefense.htm You'll notice it's held in Las Vegas, NV, and just in case you don't know, that's in the US, and no one has been sued. There are others I could point out that are held in the States and have done the same thing too.
Quote:
So if ccp was a usa-based company, they'd be sued to the dark ages over it. They should be glad they're not.
Though they might get sued more in the States, CCP would have a better chance of losing in many other countries around the world than in the US, where a corporation rarely loses a court case, especially with our appeal system.

Commander Azrael
Red Federation
Posted - 2009.12.05 22:17:00 - [8]
 

Originally by: Jercy Fravowitz

the part where you do the ssl on the loadbalancer in front of the serverfarm, so it has exactly zero performance impact on the actual api servers.
and ssl for the api is a _good_ idea.



And what about the load balancers? Whatever terminates the SSL, be it the servers, load balancers or SSL/VPN accelerator cards in your routers, something has to take that overhead, and considering how many hits the API gets, that's a LOT of encryption going on.

Originally by: Celebrain
so..

fanfest without api ssl = api key fest?

that's so ******ed. if ccp was in the usa they'd get their pants sued off for that one!



I think you need to take a step back and smell the coffee. This is GAME data with no personally identifiable information contained within; you're also responsible for your own API use, and it clearly states that on the API page. If you don't like it, then don't use the API, but for the majority of us it's a useful tool that doesn't push us into crazy paranoid mode because the information is not encrypted.

Still don't like it? Set up your own HTTPS proxy cache and voilà, problem solved.

Celebrain
1st Steps Academy
Fidelas Constans
Posted - 2009.12.05 23:26:00 - [9]
 

My original point in bringing up how litigious Americans are (suing any store that has ice in front of it in the winter, suing mcdonald's for being obese, etc), wasn't to make everyone hate them (I'm one too). My main point was to possibly impress upon people in charge of CCP that this isn't just a "it's a game, who cares" issue. It's more serious than that.

CCP, please give us the tools to properly protect our online game identities and our data. The current situation does negatively affect our ability to write apps and get people to use them. The fact that it could be a liability issue too if you were in a different country than Iceland is only meant to show that this is important.

Wyehr
Rage of Inferno
Posted - 2009.12.06 05:10:00 - [10]
 

Originally by: Commander Azrael
Still don't like it? Set up your own HTTPS proxy cache and voilà, problem solved.


What?

Pankas Carter
Amarr
Chaos Theory Alliance
Posted - 2009.12.06 05:32:00 - [11]
 

Adding a box or two focused on CPU throughput (or gasp... hardware SSL accelerators! You know they make those right? Some servers even come with one on the board!) would likely handle SSL connections fine.


But to really know, we need to have some statistics on API load. How many hits/second?

I bet you even my crappy little colo server could handle a good hunk of the load, if all it does is wrap SSL.



I also like how some of you tried to derail a legitimate technical question/request in favor of a political argument. Go argue in your own thread.

Ki Tarra
Ki Tech Industries
Posted - 2009.12.06 14:21:00 - [12]
 

Originally by: Commander Azrael
And what about the load balancers? Whatever terminates the SSL, be it the servers, load balancers or SSL/VPN accelerator cards in your routers, something has to take that overhead, and considering how many hits the API gets, that's a LOT of encryption going on.
This!
Originally by: Commander Azrael
I think you need to take a step back and smell the coffee. This is GAME data with no personally identifiable information contained within; you're also responsible for your own API use, and it clearly states that on the API page. If you don't like it, then don't use the API, but for the majority of us it's a useful tool that doesn't push us into crazy paranoid mode because the information is not encrypted.
...and this!

The API provides a log to allow you to check for unauthorized usage. If someone who shouldn't be is using your API key, then change your API key.

In the meantime, remember that it is only game data.
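The post above says the API provides a usage log but not what it looks like, so here is an added example (not code from the thread or from CCP) of the check a practitioner would actually run over such a log: parse it, ignore everything before the last key rotation, and flag any request from an (address, user agent) pair that is not one of your own machines and tools. The line format, field names, addresses and user agents are all constructed for the demonstration.

```python
"""
Added example, not from the thread: check an API usage log for requests
you did not make.  Log format, addresses and user agents are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import re

# Assumed (constructed) log line format:
#   2009-12-05 14:22:10 userID=123456 ip=203.0.113.7 ua="EVEMon/1.2" path=/char/WalletJournal.xml.aspx
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'userID=(?P<user_id>\d+) '
    r'ip=(?P<ip>[0-9a-fA-F.:]+) '
    r'ua="(?P<ua>[^"]*)" '
    r'path=(?P<path>\S+)$'
)


@dataclass(frozen=True)
class Access:
    ts: datetime
    user_id: str
    ip: str
    ua: str
    path: str


def parse_line(line: str) -> Optional[Access]:
    """Parse one log line; unparseable lines yield None and are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Access(
        ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        user_id=m["user_id"], ip=m["ip"], ua=m["ua"], path=m["path"],
    )


def find_unexpected(lines, known_sources, since=None):
    """Return accesses whose (ip, user-agent) pair is not one you recognise.

    known_sources: set of (ip, user_agent) pairs for the machines and apps
    you actually run.  Matching the pair rather than the IP alone catches a
    copied key replayed from your own network with a different tool.
    since: optional datetime; entries before it (e.g. before you last
    rotated the key) are history and are not examined.
    """
    hits = []
    for line in lines:
        acc = parse_line(line)
        if acc is None:
            continue
        if since is not None and acc.ts < since:
            continue
        if (acc.ip, acc.ua) not in known_sources:
            hits.append(acc)
    return hits


# Constructed sample: a monitoring app polling daily, plus two requests
# from an unfamiliar address and browser while the key owner was travelling.
SAMPLE_LOG = """\
2009-12-03 08:00:01 userID=123456 ip=203.0.113.7 ua="EVEMon/1.2" path=/account/Characters.xml.aspx
2009-12-04 08:00:02 userID=123456 ip=203.0.113.7 ua="EVEMon/1.2" path=/char/CharacterSheet.xml.aspx
2009-12-05 14:22:10 userID=123456 ip=198.51.100.23 ua="Mozilla/5.0" path=/char/WalletJournal.xml.aspx
2009-12-05 14:22:41 userID=123456 ip=198.51.100.23 ua="Mozilla/5.0" path=/char/AssetList.xml.aspx
2009-12-06 08:00:03 userID=123456 ip=203.0.113.7 ua="EVEMon/1.2" path=/account/Characters.xml.aspx
this line is garbage and must not crash the checker
"""

# The only source that should ever present this key (constructed).
KNOWN_SOURCES = {("203.0.113.7", "EVEMon/1.2")}


def check_sample():
    return find_unexpected(SAMPLE_LOG.splitlines(), KNOWN_SOURCES)


if __name__ == "__main__":
    for acc in check_sample():
        print(f"unexpected: {acc.ts} {acc.ip} {acc.ua!r} {acc.path}")
```

Anything this flags is evidence of use, not of how the key leaked; rotating the key afterwards stops further requests but, as the thread notes, does not undo the earlier reads, so the `since` filter exists to separate the two.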

Bosence
Anuran Origin
Posted - 2009.12.06 14:36:00 - [13]
 

The UK government handles information less securely than CCP.

The information CCP gives out is authorized by you, via the API key; once you give that key out, it's your responsibility. They do everything they possibly can to keep that API key safe, which they do so well. It's only through your bad usage of the key that people can look at how much is in your wallet (the terror of someone knowing how much virtual money you have).

It would be a different matter if the details given were actually of some value, like private information about the customer, not a made-up character. If your character's information means so much to you, either don't give out the API key or seriously consider stopping playing, because if some virtual property means so much to you, you have some serious problems.

Haguu
Caldari
TLA Ltd
Posted - 2009.12.06 21:25:00 - [14]
 

I am confused at some of the responses.

I thought the OP's point about HTTPS vs HTTP was that if you had a "perfectly" secure machine (e.g. no IE or Windows) - patched and properly encrypted - and if you gave out your API key to only a single site, whose honesty and security competence you both trusted, then your data would be safe if you used HTTPS but not HTTP. For example, your data passes unencrypted through the air (wifi). For performance reasons, your hotel or an ISP upstream from the hotel might use an HTTP caching server. The quality of your local security or who you give out your API key to is important, but irrelevant to an HTTP vs HTTPS discussion.

I realize that this is just a game, and even if all your secrets were compromised you could, worst case, just find another game. I never expect CCP to address this, and it is unlikely to happen. Although the fact that no financial data is being compromised, nor anything that costs CCP money, means that it is much less likely to be prosecuted, which means that someone in the IT staff at a hotel or ISP might be slightly more likely to do it. Can you ever be sure that some young IT person in the hotel/ISP does not play EVE? (How many rubles would someone give an IT employee to run a program that copies any data block that has EVE XML from the cache server to a thumb drive?) Or that someone does not run a WiFi sniffer at FanFest? I am out of tin foil, so I agree that it is unlikely. Still.

My understanding of the OP was that if it were HTTPS then this is not an issue, while HTTP data is broadcast/stored unencrypted, regardless of your local security.

I would say that when CCP wants subscription revenue from me, they use HTTPS.
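To make the point of the post above concrete, here is an added example (not from the thread) of what a passive observer on the path, a Wi-Fi sniffer or the operator of an upstream caching proxy, can pull out of plain-HTTP API traffic with nothing more than URL parsing. The host name, paths and parameter names follow the shape of the old EVE XML API as described in the thread but are assumptions; the user IDs, keys, addresses and log lines are constructed. Under HTTPS the same observer would see the server name and the sizes and timing of the records, but not the URL.

```python
"""
Added example, not from the thread: harvest API credentials from captured
plain-HTTP traffic and from a transparent proxy's access log.  Host name,
paths, parameter names, keys and log lines are constructed/assumed.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters worth stealing (assumed names, per the thread's API shape).
SENSITIVE = ("userID", "apiKey")


def credentials_from_url(url: str) -> dict:
    """Return {param: value} for each sensitive parameter in the URL's query."""
    qs = parse_qs(urlsplit(url).query)
    return {k: qs[k][0] for k in SENSITIVE if k in qs}


def harvest_http_capture(capture: bytes) -> list:
    """Walk raw captured HTTP and collect credentials from every request.

    With plain HTTP the request line carries the full path and query string,
    so the key is readable by anyone who can see the packets.  The Host
    header that follows the request line is attached to the same record.
    """
    found = []
    for raw in capture.split(b"\r\n"):
        line = raw.decode("ascii", errors="replace")
        parts = line.split(" ")
        if len(parts) == 3 and parts[0] in ("GET", "POST") and parts[2].startswith("HTTP/"):
            creds = credentials_from_url(parts[1])
            if creds:
                found.append({"host": None, "path": urlsplit(parts[1]).path, **creds})
        elif line.lower().startswith("host:") and found and found[-1]["host"] is None:
            found[-1]["host"] = line.split(":", 1)[1].strip()
    return found


# A caching proxy logs the whole URL it fetched; the key ends up on disk there.
URL_RE = re.compile(r"https?://\S+")


def harvest_proxy_log(lines) -> list:
    """Collect credentials from any URL appearing in proxy access-log lines."""
    found = []
    for line in lines:
        for url in URL_RE.findall(line):
            creds = credentials_from_url(url)
            if creds:
                found.append({"url": url.split("?", 1)[0], **creds})
    return found


# Constructed capture: two requests as they would cross hotel Wi-Fi.
CAPTURE = (
    b"GET /account/Characters.xml.aspx?userID=123456&apiKey=EXAMPLEKEY0001 HTTP/1.1\r\n"
    b"Host: api.eve-online.com\r\n"
    b"User-Agent: ExampleMonitor/1.0\r\n"
    b"\r\n"
    b"GET /char/WalletJournal.xml.aspx?userID=123456&apiKey=EXAMPLEKEY0001&characterID=9001 HTTP/1.1\r\n"
    b"Host: api.eve-online.com\r\n"
    b"\r\n"
    b"GET /eve/ServerStatus.xml.aspx HTTP/1.1\r\n"  # no credentials: not collected
    b"Host: api.eve-online.com\r\n"
    b"\r\n"
)

# Constructed squid-style access-log lines from an upstream transparent cache.
PROXY_LOG = """\
1259980000.123    45 203.0.113.7 TCP_MISS/200 2345 GET http://api.eve-online.com/char/AssetList.xml.aspx?userID=654321&apiKey=EXAMPLEKEY0002 - DIRECT/198.51.100.9 text/xml
1259980001.456    12 203.0.113.7 TCP_HIT/200 812 GET http://api.eve-online.com/eve/ServerStatus.xml.aspx - NONE/- text/xml
"""


def demo():
    return harvest_http_capture(CAPTURE), harvest_proxy_log(PROXY_LOG.splitlines())


if __name__ == "__main__":
    for rec in demo()[0] + demo()[1]:
        print(rec)
```

The proxy-log case is the one the post worries about: the cache does not need to be malicious, it only needs to keep ordinary access logs that someone later reads.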

Wyehr
Rage of Inferno
Posted - 2009.12.07 01:53:00 - [15]
 

Hint, the IT staff at the colo hosting the "secure" server aren't necessarily any more trustworthy than the staff running the random WiFi that you (rightly) fear.

For the record, I think that CCP should provide the API data over SSL, only. This would require a phased transition with https: coming online and then much later http: going offline.

Celebrain
1st Steps Academy
Fidelas Constans
Posted - 2009.12.07 09:34:00 - [16]
 

I am quite annoyed at the large percentage of people saying things that essentially mean "it's a game, get a life, who cares if it's insecure, if you don't like it don't play"....

Guys.. take some pride in what you do, if you do something do it right, don't be sloppy. :(

Dragonaire
Caldari
Corax.
PURgE Alliance
Posted - 2009.12.07 17:28:00 - [17]
 

This thread just reminds me of several others I've seen where what people are really saying is "I'm the most important person in Eve and my corp is too and everyone is out to get everything I have", while the reality is that other than half a dozen 'friends' and maybe also a few 'enemies', no one even knows you exist or cares.

Anyway that's my 0.02 ISK on it.

Leebe
Posted - 2009.12.07 17:55:00 - [18]
 

Edited by: Leebe on 07/12/2009 18:10:36
Edited by: Leebe on 07/12/2009 18:08:20
You guys don't have a clue what that change would do to the servers.

In the last API dev blog they stated that they get about 2000 req/s on the API servers.

The encryption is not the thing that would kill the servers, but the SSL handshaking for every request will.

The handshake requires several round trips, which would make the requests take longer, so there will be more concurrent requests.

HTTP needs 2 roundtrips: the request from the client and the answer from the server. HTTPS needs 5 roundtrips, so it's at least 2.5 times slower.

The size of every request will also grow by about 5kb.
This would be 10.000 kb/s additional traffic just for migrating to SSL. That's 824 GB additional traffic every day, or 24 TB per month.
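The figures in the post above rest on one full handshake per request. As an added example (not from the thread) here is a small cost model that keeps the post's inputs, 2000 req/s and roughly 5 kB of handshake overhead, and makes the hidden assumptions explicit: how many requests a client sends per connection (HTTP keep-alive) and what share of new connections resume an earlier session instead of running the full handshake. The defaults reproduce the post's worst case; the alternative scenario's reuse and resumption numbers are assumptions chosen for illustration, not measurements.

```python
"""
Added example, not from the thread: cost model for fronting the API with
TLS.  The 2000 req/s and ~5 kB figures are the post's; connection reuse
and session-resumption parameters are assumptions supplied by the caller.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class TlsScenario:
    req_per_s: float
    handshake_bytes: float                 # extra bytes for a full handshake (post: ~5 kB)
    requests_per_connection: float = 1.0   # keep-alive reuse; 1.0 = new connection per request
    resumption_rate: float = 0.0           # share of new connections that resume a session
    resumed_handshake_bytes: float = 0.0   # extra bytes for an abbreviated (resumed) handshake

    def connections_per_s(self) -> float:
        return self.req_per_s / self.requests_per_connection

    def full_handshakes_per_s(self) -> float:
        """Asymmetric-crypto handshakes the terminating box must absorb."""
        return self.connections_per_s() * (1.0 - self.resumption_rate)

    def resumed_handshakes_per_s(self) -> float:
        return self.connections_per_s() * self.resumption_rate

    def extra_bytes_per_s(self) -> float:
        return (self.full_handshakes_per_s() * self.handshake_bytes
                + self.resumed_handshakes_per_s() * self.resumed_handshake_bytes)

    def extra_gb_per_day(self) -> float:
        return self.extra_bytes_per_s() * SECONDS_PER_DAY / 1e9


# The post's model: every request opens a fresh connection and pays a full handshake.
POST_WORST_CASE = TlsScenario(req_per_s=2000, handshake_bytes=5_000)

# Assumed alternative: clients reuse each connection for 10 requests and 90 %
# of new connections resume a session at an assumed ~1 kB.
WITH_REUSE = TlsScenario(req_per_s=2000, handshake_bytes=5_000,
                         requests_per_connection=10, resumption_rate=0.9,
                         resumed_handshake_bytes=1_000)


def compare(a: TlsScenario = POST_WORST_CASE, b: TlsScenario = WITH_REUSE):
    """Return (full handshakes/s, extra GB/day) for both scenarios."""
    return ((a.full_handshakes_per_s(), a.extra_gb_per_day()),
            (b.full_handshakes_per_s(), b.extra_gb_per_day()))


if __name__ == "__main__":
    for label, (hs, gb) in zip(("per-request handshake", "keep-alive + resumption"), compare()):
        print(f"{label:24s} {hs:8.1f} full handshakes/s  {gb:8.1f} GB/day extra")
```

The model deliberately counts only handshake bytes and handshake rate, which is where the asymmetric crypto and the extra round trips live; record-layer encryption of the XML itself is symmetric and cheap by comparison, as the post itself says.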


Gehnster
Gallente
RED SUN RISING
Posted - 2009.12.07 21:05:00 - [19]
 

Not worth the time or money in my opinion, but i'm not CCP.

Also note CCP does have an office in Atlanta.

Don't people steal information because they can usually make money off it? What exactly do you guys need to hide that you need SSL for a video game? Are you a spy? I definitely don't support SSL for the API then :P

How can people currently steal your information? By finding your API key and using it? Well, SSL doesn't prevent that scenario.

What are the other ways? I would guess packet sniffing? What are the chances that someone on your network plays Eve AND cares about your information?

Oh, and I also have a feeling there is some clause that says something like "all data from the API and on the Eve servers is property of CCP". So it isn't even your information to begin with. lol.

Someone also said something about how, if the API was secured, people might be more willing to use API services. I highly doubt that; they would then just start *****ing to the service providers saying they want to make sure their (read CCP's) data is secure in the service's database or website.

Jercy Fravowitz
School of Applied Knowledge
Posted - 2009.12.08 22:42:00 - [20]
 

Originally by: Leebe

you guys don't have a clue what that change would do to the servers.


You guys don't have a clue how to run a server?
We are not talking about some lone PC server here running some corp forum and killboard.

2000 tps SSL is trivial for any reasonable load balancer you have in front of your server pool to begin with.
You might have to buy the next bigger SSL license though. Shocking, really.

And the traffic would probably go _down_ quite a bit, because you get offloaded compression when you have the LB do more than throw around TCP connections too. Blind guess there though; it depends on how many of those 2000 tps API responses are bigger than the gained overhead of the SSL.

SSL for the Eve API is not a technical problem. You can do that by spending some ISK and deploying it on the side, without any change to the API servers themselves, or any change of load on those servers.
The important part there is that the problem can be solved without much manpower at all.

And I definitely don't see "the data is not that important" as a reason not to wrap SSL around some plaintext password protocol ...


 
