CCP Fallout
Posted - 2011.01.26 13:56:00 - [ 1]
HTTPS has been enabled for the API, and CCP Stillman has all the details in his newest dev blog.
Daneel Trevize Gallente
Posted - 2011.01.26 14:02:00 - [ 2]
W00t for low-hanging fruit!
Darees
Posted - 2011.01.26 14:09:00 - [ 3]
You should reward the security expert that helped discover this long-standing flaw of the API system.
Gnulpie Minmatar Miner Tech
Posted - 2011.01.26 14:18:00 - [ 4]
Very good improvement!
CCP Adida C C P C C P Alliance
Posted - 2011.01.26 14:28:00 - [ 5]
Removed spam posts
Chribba Otherworld Enterprises Otherworld Empire
Posted - 2011.01.26 14:50:00 - [ 6]
\o/
Lost Hamster Hamster Holding Corp
Posted - 2011.01.26 14:59:00 - [ 7]
Good news.
Wollari Phoenix Industries Wicked Nation
Posted - 2011.01.26 15:08:00 - [ 8]
Edited by: Wollari on 26/01/2011 15:08:26 - Good news for client-side 3rd party applications for sure (EVEMon, etc.): no more API sniffing in public wireless networks (for example at Fanfest). Bad news for 3rd party pages (who are doing a huge number of single calls, 25k+ per day).
I like all API improvements :-)
Trebor Daehdoow Gallente Sane Industries Inc.
Posted - 2011.01.26 15:20:00 - [ 9]
I appreciate (and largely agree with) the reasoning behind this, but it is probably going to kill my EViE skill training browser applet. The reason for this is that javascript httpxmlrequest calls can only be made to the server that originated the enclosing page. So for EViE to work, I had to write a special proxy that bounces these requests off to the API server, and then returns the results (i.e. Browser <-> Proxy <-> API Server). Now, I can certainly use https between the proxy and the API server, but encrypting between the browser and the proxy will require buying a certificate, and I'm not sure I can justify the expense.
Wollari Phoenix Industries Wicked Nation
Posted - 2011.01.26 15:23:00 - [ 10]
Originally by: Trebor Daehdoow Now, I can certainly use https between the proxy and the API server, but encrypting between the browser and the proxy will require buying a certificate, and I'm not sure I can justify the expense.
Go to startssl.com. You get a "basic" SSL certificate for free. And it's being accepted by many browsers, including iPhone, etc.
Louis deGuerre Gallente Malevolence.
Posted - 2011.01.26 15:28:00 - [ 11]
Nice
Noun Verber Gallente
Posted - 2011.01.26 15:32:00 - [ 12]
Originally by: Trebor Daehdoow I appreciate (and largely agree with) the reasoning behind this, but it is probably going to kill my EViE skill training browser applet.
The reason for this is that javascript httpxmlrequest calls can only be made to the server that originated the enclosing page. So for EViE to work, I had to write a special proxy that bounces these requests off to the API server, and then returns the results (i.e. Browser <-> Proxy <-> API Server).
Now, I can certainly use https between the proxy and the API server, but encrypting between the browser and the proxy will require buying a certificate, and I'm not sure I can justify the expense.
The language suggests that it is optional, but that could change in the future.
Stella Enallan
Posted - 2011.01.26 15:49:00 - [ 13]
Is that the reason why EVEMon is no longer updating the data on my computer? Does a new version have to be released?
CCP Stillman
Posted - 2011.01.26 15:53:00 - [ 14]
Originally by: Stella Enallan Is that the reason why EVEMon is no longer updating the data on my computer? Does a new version have to be released?
No, EVEMon should still work correctly. We're aware of another issue which causes the character sheet to fail, which would affect EVEMon. We're fixing that as a part of Incursion 1.1.2, which is being deployed tomorrow.
Trebor Daehdoow Gallente Sane Industries Inc.
Posted - 2011.01.26 16:10:00 - [ 15]
Originally by: Wollari Go to startssl.com. You get a "basic" SSL certificate for free. And it's being accepted by many browsers, including iPhone, etc.
Thanks, that might be the workaround I'm looking for.
Tather Demaleon
Posted - 2011.01.26 16:45:00 - [ 16]
I owe you guys three beers each.
Barakkus
Posted - 2011.01.26 16:52:00 - [ 17]
Bleh, I'm going to have to figure out how to work an SSL intercept into my POS manager program :(
If I'm not mistaken, you have to be on the same network segment to be able to sniff those packets anyway, which is highly unlikely to begin with.
Jim Luc Caldari Rule of Five Vera Cruz Alliance
Posted - 2011.01.26 16:52:00 - [ 18]
Yay!!
FullNelson Mandella
Posted - 2011.01.26 18:41:00 - [ 19]
The encryption portion of SSL does not create a performance issue with most phones. The problem CCP will encounter is that they're probably going to acquire a Verisign cert signed by the G5 root CA, which is not in the truststore of most phones over two years old. Many of these devices have no way of adding certificates to their CA trust stores and will be unable to connect to the API.
Wollari Phoenix Industries Wicked Nation
Posted - 2011.01.26 19:42:00 - [ 20]
Originally by: FullNelson Mandella The encryption portion of SSL does not create a performance issue with most phones. The problem CCP will encounter is that they're probably going to acquire a Verisign cert signed by the G5 root CA, which is not in the truststore of most phones over two years old. Many of these devices have no way of adding certificates to their CA trust stores and will be unable to connect to the API.
But maybe 3rd party apps can change your application so that you can additionally check the current certificate (which is included in the app). Most of the 3rd party applications have to be up to date anyway to reflect the newest skills, expansion settings etc. Turning off the trust check is not the solution because you would be vulnerable to man-in-the-middle attacks. But SSL is of course a real new world for most people and comes with new problems, like the trusted certificate list, exact hostname matching, SSL chains, etc. (I know this from work).
Wollari Phoenix Industries Wicked Nation
Posted - 2011.01.26 20:00:00 - [ 21]
I would suggest don't turn off the non-SSL API servers; there's no need to encrypt public API calls like sovereignty, kills, alliances, etc.
I would rather change the access level. Like:
- HTTPS: all calls
- HTTP: allow only public and limited API keys (later only public calls)
That way the important full API key will be forced to use the SSL version and 90% of the apps will still be able to work if they haven't switched to SSL yet.
You can add a new error level that tells the developer/user they have to use the SSL API.
Sure, I still see a security problem if people are using the API via a proxy (which is a matter of trust). But the final solution would only be to go away from the current API key system and switch to an OAuth-based system where YOU as USER can revoke every application that has access to your data (like Twitter OAuth or Facebook applications).
Medarr Amarr Ghost Festival Naraka.
Posted - 2011.01.26 20:13:00 - [ 22]
Edited by: Medarr on 26/01/2011 20:18:49 I think you can generate your own certs and have to add an exception to the browser. Not sure if this is possible on a JesusPhone. Also I would like to point the devs at this little tidbit of information.
Wollari Phoenix Industries Wicked Nation
Posted - 2011.01.26 20:19:00 - [ 23]
Originally by: Medarr Edited by: Medarr on 26/01/2011 20:15:15 I think you can generate your own certs and have to add an exception to the browser. Not sure if this is possible on a JesusPhone.
But sometimes you've no access to the certificate store of your mobile phone or the computer. Then you've only the option to use a trusted certificate.
Medarr Amarr Ghost Festival Naraka.
Posted - 2011.01.26 20:21:00 - [ 24]
Edited by: Medarr on 26/01/2011 20:22:29 Originally by: Wollari
Originally by: Medarr Edited by: Medarr on 26/01/2011 20:15:15 I think you can generate your own certs and have to add an exception to the browser. Not sure if this is possible on a JesusPhone.
But sometimes you've no access to the certificate store of your mobile phone or the computer. Then you've only the option to use a trusted certificate.
True, but you can import/export them to a trusted device or computer. PS, when I first saw your name I couldn't help but think... Londo Mollari!!
Aineko Macx
Posted - 2011.01.26 20:44:00 - [ 25]
With growing API functionality the granularity of limited and full key is too low IMO. The solution would be to allow custom configured keys, where users define which data items can get accessed by which key.
As for HTTPS, I highly approve of this.
Chainsaw Plankton IDLE GUNS IDLE EMPIRE
Posted - 2011.01.26 21:27:00 - [ 26]
Edited by: Chainsaw Plankton on 26/01/2011 21:27:27 Originally by: Aineko Macx With growing API functionality the granularity of limited and full key is too low IMO. The solution would be to allow custom configured keys, where users define which data items can get accessed by which key.
As for HTTPS, I highly approve of this.
I highly agree; a kill mail export key would be a nice start.
Zhalo Tyrik
Posted - 2011.01.26 21:51:00 - [ 27]
Will you be adding api.eve-online.com to the SSL certificate so that it doesn't cause "bad domain" errors when using SSL? Or will you be forcing applications to use api.eveonline.com? I bring this up since all the applications I've seen use the api.eve-online.com domain. Even the My Character page links to the api.eve-online.com domain, which of course returns an error since the domain is not included in the certificate.
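The two client-side checks discussed in the posts above (Wollari's suggestion of shipping the expected certificate inside the app and checking it, and the "bad domain" error when api.eve-online.com is not among the names in the certificate) can be written down concretely. The following is an added example for this thread; it is not code from CCP, from EVEMon, EViE or any other application named here. The hostnames, certificate name lists and the byte string standing in for a DER certificate are constructed for illustration, and the simplified matching rules are this example's own, not a claim about how any particular TLS library behaves.

```python
"""Added example, not code from this thread, from CCP's API, or from any
of the apps named here.  It shows the client-side checks two posts above
touch on: exact hostname matching against the names in the server's
certificate (why a certificate issued for api.eveonline.com fails for
api.eve-online.com), trusting a specific CA bundle rather than the device
store, and pinning the leaf certificate's SHA-256 fingerprint that ships
inside the application.  All hostnames, certificate names and byte strings
below are constructed for illustration."""
import hashlib
import hmac
import ssl


def hostname_matches(hostname, cert_names):
    """Simplified RFC 6125 rules: labels compare case-insensitively and a
    wildcard is honoured only as the entire left-most label of a name with
    at least two further labels.  So '*.eveonline.com' covers
    'api.eveonline.com' but neither 'eveonline.com' nor
    'a.b.eveonline.com', and nothing covers 'api.eve-online.com' unless it
    is listed explicitly."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def verification_error(hostname, cert_names):
    """None when the certificate covers the hostname, otherwise the kind of
    message a client should surface instead of silently continuing."""
    if hostname_matches(hostname, cert_names):
        return None
    return "certificate names %s do not cover %s" % (", ".join(cert_names), hostname)


def fingerprint(leaf_der):
    """SHA-256 hex digest of a DER-encoded certificate; this is the value an
    application would embed at build time."""
    return hashlib.sha256(leaf_der).hexdigest()


def pin_matches(leaf_der, expected_sha256_hex):
    """Compare the certificate the server presented against the embedded
    fingerprint in constant time.  A mismatch must abort the connection,
    not fall back to the platform trust store."""
    return hmac.compare_digest(fingerprint(leaf_der), expected_sha256_hex.lower())


def strict_client_context(ca_bundle_path=None):
    """SSL context that requires a valid chain and a matching hostname.
    With ca_bundle_path (a PEM file, e.g. your own root CA as one post
    suggests) only that CA is trusted; otherwise the platform store is."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_bundle_path is None:
        ctx.load_default_certs()
    else:
        ctx.load_verify_locations(cafile=ca_bundle_path)
    ctx.check_hostname = True          # already the default for PROTOCOL_TLS_CLIENT
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx):
    """True when the context refuses unverified chains and name mismatches."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    # Constructed certificate name list: the API host plus a www alias.
    names = ["api.eveonline.com", "www.eveonline.com"]
    print(verification_error("api.eveonline.com", names))      # None
    print(verification_error("api.eve-online.com", names))     # mismatch message
    leaf = b"constructed DER bytes standing in for the leaf certificate"
    print(pin_matches(leaf, fingerprint(leaf)))                # True
    print(context_is_strict(strict_client_context()))          # True
```

The design point is that both checks fail closed: a name that is not in the certificate, or a leaf whose fingerprint differs from the embedded one, ends the connection rather than being waved through, which is the opposite of the "turn off the trust check" shortcut Wollari warns against. Pinning a leaf certificate also means the app must ship an update before the server's certificate is rotated, which fits the observation that these apps need regular updates anyway.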
mazzilliu Caldari Sniggerdly Pandemic Legion
Posted - 2011.01.26 21:56:00 - [ 28]
Cool, now go fix all the other API security issues.
FullNelson Mandella
Posted - 2011.01.26 23:37:00 - [ 29]
Originally by: Medarr Edited by: Medarr on 26/01/2011 20:22:29
Originally by: Wollari
Originally by: Medarr Edited by: Medarr on 26/01/2011 20:15:15 I think you can generate your own certs and have to add an exception to the browser. Not sure if this is possible on a JesusPhone.
But sometimes you've no access to the certificate store of your mobile phone or the computer. Then you've only the option to use a trusted certificate.
True, but you can import/export them to a trusted device or computer.
PS, when I first saw your name I couldn't help but think... Londo Mollari!!
Not all devices provide this functionality. A number of phones do not provide keystore management of any type. Some of these have the filesystem locked down so that export/import is impossible. Think of other locked-down devices as well (web-enabled television tuners, Xbox, PlayStation, etc.) that may have strange keystore management issues. Building the trust into the application is a viable alternative, but a bit of a PITA.
Jacqueline Coeur Gallente
Posted - 2011.01.26 23:55:00 - [ 30]
Originally by: Trebor Daehdoow Now, I can certainly use https between the proxy and the API server, but encrypting between the browser and the proxy will require buying a certificate, and I'm not sure I can justify the expense.
Considering that:
1) the grand total cost for an HTTPS certificate (without extended validation) is $0
2) even if you do not know where to get one, you can still use HTTPS with a certificate that is signed by your own root authority, as long as your users are willing to add your authority as a trusted root.
I do not see how HTTPS is a problem.