EVE Information Portal: New Dev Blog: The API is Going HTTPS
This thread is older than 90 days and has been locked due to inactivity.


 

CCP Fallout

Posted - 2011.01.26 13:56:00 - [1]
 

HTTPS has been enabled for the API, and CCP Stillman has all the details in his newest dev blog.

Daneel Trevize
Gallente
Posted - 2011.01.26 14:02:00 - [2]
 

W00t for low-hanging fruit!

Darees
Posted - 2011.01.26 14:09:00 - [3]
 

You should reward the security expert that helped discover this long standing flaw of the API system.

Gnulpie
Minmatar
Miner Tech
Posted - 2011.01.26 14:18:00 - [4]
 

Very good improvement!

CCP Adida


C C P
C C P Alliance
Posted - 2011.01.26 14:28:00 - [5]
 

Removed spam posts

Chribba
Otherworld Enterprises
Otherworld Empire
Posted - 2011.01.26 14:50:00 - [6]
 

\o/

Lost Hamster
Hamster Holding Corp
Posted - 2011.01.26 14:59:00 - [7]
 

Good news.

Wollari
Phoenix Industries
Wicked Nation
Posted - 2011.01.26 15:08:00 - [8]
 

Edited by: Wollari on 26/01/2011 15:08:26
- Good news for client-side 3rd party applications for sure (evemon, etc) no more API Sniffing in public wireless networks (example fanfest)
- Bad news for 3rd party pages (who're doing a huge number of single calls 25k+ per day)

I like all API improvements :-)

Trebor Daehdoow
Gallente
Sane Industries Inc.
Posted - 2011.01.26 15:20:00 - [9]
 

I appreciate (and largely agree with) the reasoning behind this, but it is probably going to kill my EViE skill training browser applet.

The reason for this is that javascript httpxmlrequest calls can only be made to the server that originated the enclosing page. So for EViE to work, I had to write a special proxy that bounces these requests off to the api server, and then returns the results (ie: Browser <-> Proxy <-> Api Server)

Now, I can certainly use https between the proxy and the Api server, but encrypting between the browser and the proxy will require buying a certificate, and I'm not sure I can justify the expense.


Wollari
Phoenix Industries
Wicked Nation
Posted - 2011.01.26 15:23:00 - [10]
 

Originally by: Trebor Daehdoow
Now, I can certainly use https between the proxy and the Api server, but encrypting between the browser and the proxy will require buying a certificate, and I'm not sure I can justify the expense.

Go to startssl.com. You get a "basic" SSL certificate for free, and it's being accepted by many browsers, including the iPhone, etc.

Louis deGuerre
Gallente
Malevolence.
Posted - 2011.01.26 15:28:00 - [11]
 

Nice

Noun Verber
Gallente
Posted - 2011.01.26 15:32:00 - [12]
 

Originally by: Trebor Daehdoow
I appreciate (and largely agree with) the reasoning behind this, but it is probably going to kill my EViE skill training browser applet.

The reason for this is that javascript httpxmlrequest calls can only be made to the server that originated the enclosing page. So for EViE to work, I had to write a special proxy that bounces these requests off to the api server, and then returns the results (ie: Browser <-> Proxy <-> Api Server)

Now, I can certainly use https between the proxy and the Api server, but encrypting between the browser and the proxy will require buying a certificate, and I'm not sure I can justify the expense.


The language suggests that it is optional, but that could change in the future.

Stella Enallan
Posted - 2011.01.26 15:49:00 - [13]
 

Is that the reason why EVEMon is no longer updating the data on my computer ?
Does a new version have to be released ?

CCP Stillman

Posted - 2011.01.26 15:53:00 - [14]
 

Originally by: Stella Enallan
Is that the reason why EVEMon is no longer updating the data on my computer ?
Does a new version have to be released ?

No, EVEMon should still work correctly.

We're aware of another issue which causes the charactersheet to fail, which would affect EVEMon. We're fixing that as a part of Incursion 1.1.2, which is being deployed tomorrow.

Trebor Daehdoow
Gallente
Sane Industries Inc.
Posted - 2011.01.26 16:10:00 - [15]
 

Originally by: Wollari
Go to startssl.com. You get a "basic" SSL certificate for free, and it's being accepted by many browsers, including the iPhone, etc.


Thanks, that might be the workaround I'm looking for.

Tather Demaleon
Posted - 2011.01.26 16:45:00 - [16]
 

I owe you guys three beers each.


Barakkus
Posted - 2011.01.26 16:52:00 - [17]
 

Bleh, I'm going to have to figure out how to work in an SSL intercept into my POS manager program :(

If I'm not mistaken, you have to be on the same network segment to be able to sniff those packets anyways, which is highly unlikely to begin with.

Jim Luc
Caldari
Rule of Five
Vera Cruz Alliance
Posted - 2011.01.26 16:52:00 - [18]
 

Yay!!

FullNelson Mandella
Posted - 2011.01.26 18:41:00 - [19]
 

The encryption portion of SSL does not create a performance issue with most phones. The problem CCP will encounter is that they're probably going to acquire a Verisign cert signed by the G5 root CA, which is not in the Truststore of most phones over two years old. Many of these devices have no way of adding certificates to their CA trust stores and will be unable to connect to the API.

Wollari
Phoenix Industries
Wicked Nation
Posted - 2011.01.26 19:42:00 - [20]
 

Originally by: FullNelson Mandella
The encryption portion of SSL does not create a performance issue with most phones. The problem CCP will encounter is that they're probably going to acquire a Verisign cert signed by the G5 root CA, which is not in the Truststore of most phones over two years old. Many of these devices have no way of adding certificates to their CA trust stores and will be unable to connect to the API.
But maybe 3rd party apps can change your application so that you can additionally check the current certificate (which is included in the app). Most of the 3rd party applications have to be up to date anyway to reflect the newest skills, expansion settings etc. Turning off the trust check is not the solution because you would be vulnerable to man-in-the-middle attacks.

But SSL is of course a real new world for most people and comes with new problems, like trusted certificate list, exact hostname matching, and ssl chains, etc (I know this from work).

Wollari
Phoenix Industries
Wicked Nation
Posted - 2011.01.26 20:00:00 - [21]
 

I would suggest not turning off the non-ssl api servers, there's no need to encrypt public api calls like sovereignty, kills, alliances, etc.

I would rather change the access level. Like:
- HTTPS: all calls
- HTTP: allow only public and limited api keys (later only public calls)

That way the important full api key will be forced to use the ssl version and 90% of the apps will be still able to work if they haven't switched to ssl yet.

You can add a new error level that tells the developer/user they have to use the ssl api.

Sure, I still see a security problem if people are using the api via a proxy (which is a matter of trust). But the final solution would only be to go away from the current api key system and switch to an OAuth-based system where YOU as USER can revoke every application that has access to your data (like twitter oauth or facebook applications).

Medarr
Amarr
Ghost Festival
Naraka.
Posted - 2011.01.26 20:13:00 - [22]
 

Edited by: Medarr on 26/01/2011 20:18:49
I think you can generate your own certs and have to add an exception to the browser. Not sure if this is possible on a JesusPhone.

Also I would like to point the devs at this lil tidbit of information.

Wollari
Phoenix Industries
Wicked Nation
Posted - 2011.01.26 20:19:00 - [23]
 

Originally by: Medarr
Edited by: Medarr on 26/01/2011 20:15:15
I think you can generate your own certs and have to add an exception to the browser. Not sure if this is possible on a JesusPhone.
But sometimes you've no access to the certificate store of your mobile phone or the computer. Then you've only the chance to use a trusted certificate.

Medarr
Amarr
Ghost Festival
Naraka.
Posted - 2011.01.26 20:21:00 - [24]
 

Edited by: Medarr on 26/01/2011 20:22:29
Originally by: Wollari
Originally by: Medarr
Edited by: Medarr on 26/01/2011 20:15:15
I think you can generate your own certs and have to add an exception to the browser. Not sure if this is possible on a JesusPhone.
But sometimes you've no access to the certificate store of your mobile phone or the computer. Then you've only the chance to use a trusted certificate.


True but you can import/export them to a trusted device or computer.

ps, when I first saw your name I couldn't help but think.. Londo Mollari!!

Aineko Macx
Posted - 2011.01.26 20:44:00 - [25]
 

With growing API functionality the granularity of limited and full key is too low IMO. The solution would be to allow custom configured keys, where users define which data items can get accessed by which key.

As for HTTPS, I highly approve of this.

Chainsaw Plankton
IDLE GUNS
IDLE EMPIRE
Posted - 2011.01.26 21:27:00 - [26]
 

Edited by: Chainsaw Plankton on 26/01/2011 21:27:27
Originally by: Aineko Macx
With growing API functionality the granularity of limited and full key is too low IMO. The solution would be to allow custom configured keys, where users define which data items can get accessed by which key.

As for HTTPS, I highly approve of this.


I highly agree, a kill mail export key would be a nice start.

Zhalo Tyrik
Posted - 2011.01.26 21:51:00 - [27]
 

Will you be adding api.eve-online.com to the SSL certificate so that it doesn't cause "bad domain" errors when using SSL?
Or will you be forcing applications to use api.eveonline.com?

I bring this up since all the applications I've seen use the api.eve-online.com domain. Even the My Character page links to api.eve-online.com domain which of course returns an error since the domain is not included in the certificate.

mazzilliu
Caldari
Sniggerdly
Pandemic Legion
Posted - 2011.01.26 21:56:00 - [28]
 

cool now go fix all the other api security issues

FullNelson Mandella
Posted - 2011.01.26 23:37:00 - [29]
 

Originally by: Medarr
Edited by: Medarr on 26/01/2011 20:22:29
Originally by: Wollari
Originally by: Medarr
Edited by: Medarr on 26/01/2011 20:15:15
I think you can generate your own certs and have to add an exception to the browser. Not sure if this is possible on a JesusPhone.
But sometimes you've no access to the certificate store of your mobile phone or the computer. Then you've only the chance to use a trusted certificate.


True but you can import/export them to a trusted device or computer.

ps, when I first saw your name I couldn't help but think.. Londo Mollari!!


Not all devices provide this functionality. A number of phones do not provide keystore management of any type. Some of these have the filesystem locked down so that export/import is impossible.

Think of other locked-down devices as well (web-enabled television tuners, xbox, playstation, etc.) that may have strange keystore management issues.

Building the trust into the application is a viable alternative, but a bit of a PITA.
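"Building the trust into the application", as this post and Wollari's reply [20] describe it, shown as an added example in Python's standard ssl module; it is none of the posters' code and not CCP's. Two defensible options are shown for a device whose trust store lacks the root: pin the server certificate's SHA-256 fingerprint on top of normal verification, or verify against a CA certificate bundled with the app. Neither option disables the trust check. The host name api.eveonline.com comes from the thread; the pin values, the sample certificate bytes and the bundled-CA argument are constructed placeholders.

```python
"""Trust built into the client (added example; not the posters' or CCP's code).

Option 1: keep full chain + host-name verification and additionally compare
the leaf certificate's SHA-256 fingerprint with pins shipped in the app.
Option 2: for devices whose trust store lacks the issuing root, verify
against a CA certificate bundled with the app instead of the system store.
"""
import hashlib
import socket
import ssl

# PLACEHOLDER pins (constructed): SHA-256 over the DER-encoded certificate.
# A real app computes them from the actual server certificate, and also pins
# the next certificate so that a rotation does not lock users out.
PINS = {
    "api.eveonline.com": {
        "0000000000000000000000000000000000000000000000000000000000000000",
    }
}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def is_pinned(host: str, der_cert: bytes, pins=PINS) -> bool:
    """True when the presented certificate matches one of the pins for host."""
    return fingerprint(der_cert) in pins.get(host, set())


def pinned_context() -> ssl.SSLContext:
    """A context with chain validation and host-name matching switched ON.

    The tempting "fix" for trust-store trouble, setting check_hostname = False
    and verify_mode = ssl.CERT_NONE, is what the thread warns against: any
    on-path host could then present any certificate and read the API key.
    Pinning is layered on top of verification, never used instead of it.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_with_bundled_ca(ca_pem: str) -> ssl.SSLContext:
    """Verify against a CA certificate shipped with the app (option 2).

    PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED and check_hostname=True,
    so exact host-name matching still applies; only the trust anchor changes.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=ca_pem)
    return ctx


def connect_pinned(host: str, port: int = 443, pins=PINS) -> ssl.SSLSocket:
    """Open a verified TLS connection and refuse it if the leaf is not pinned."""
    ctx = pinned_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                           server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if not is_pinned(host, der, pins):
        sock.close()
        raise ssl.SSLError(f"certificate for {host} does not match the shipped pins")
    return sock
```

On a device where the system store cannot be managed at all, option 2 moves the trust decision entirely into the application update cycle; the maintenance cost the post calls a "PITA" is that every certificate or CA rotation then needs an app release, which is why pinning the next certificate in advance matters.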

Jacqueline Coeur
Gallente
Posted - 2011.01.26 23:55:00 - [30]
 

Originally by: Trebor Daehdoow
Now, I can certainly use https between the proxy and the Api server, but encrypting between the browser and the proxy will require buying a certificate, and I'm not sure I can justify the expense.
Considering that:
1) the grand total cost for an https certificate (without extended validation) is $0
2) even if you do not know where to get one, you can still use https with a certificate that is signed by your own root authority, as long as your users are willing to add your authority as a trusted root.

I do not see how https is a problem.

