Author |
Topic |
 Nikolai Kondratiev Sphere Design Inc. |
Posted - 2011.01.27 00:22:00 - [ 31]
Originally by: Trebor Daehdoow I appreciate (and largely agree with) the reasoning behind this, but it is probably going to kill my EViE skill training browser applet.
The reason for this is that javascript httpxmlrequest calls can only be made to the server that originated the enclosing page. So for EViE to work, I had to write a special proxy that bounces these requests off to the api server, and then returns the results (ie: Browser <-> Proxy <-> Api Server)
Now, I can certainly use https between the proxy and the Api server, but encrypting between the browser and the proxy will require buying a certificate, and I'm not sure I can justify the expense. 
Well you don't HAVE to upgrade your website to SSL if it was fine without until now, whatever CCP makes the HTTPS mandatory for API calls or not. Browser <--- HTTP ---> Your webserver <-- HTTPS ---> API Server |
 Catari Taga Centre Of Attention Middle of Nowhere |
Posted - 2011.01.27 01:26:00 - [ 32]
Good change (if overdue), and working fine for TQ API, but for the SiSi API server it doesn't work (bad certificate followed by a 500 Internal Server Error response). |
 Aineko Macx |
Posted - 2011.01.27 09:12:00 - [ 33]
Originally by: FullNelson Mandella The problem CCP will encounter is that they're probably going to acquire a Verisign cert signed by the G5 root CA, which is not in the Truststore of most phones over two years old.
For what its worth, CCP is using Entrust certs on Gate... Originally by: Wollari But SSL is of course a real new world for most people and comes with new problems, like trusted certificate list, exact hostname matching, and ssl chains, etc (I know this from work).
Agreed. Working with related things for two years now. |
 Trebor Daehdoow Gallente Sane Industries Inc.
|
Posted - 2011.01.27 11:22:00 - [ 34]
Edited by: Trebor Daehdoow on 27/01/2011 11:23:39 Originally by: Nikolai Kondratiev Well you don't HAVE to upgrade your website to SSL if it was fine without until now, whatever CCP makes the HTTPS mandatory for API calls or not.
Browser <--- HTTP ---> Your webserver <-- HTTPS ---> API Server
CCP clearly wants the data to be encrypted end-to-end. While I could do this (in fact, I have implemented it as a partial fix on my test server), I would very much want to fully honor the spirit and intent of the change. I will implement this if I have absolutely no choice -- with appropriate warnings to the users of EViE -- but only as a last resort. Originally by: Catari Taga Good change (if overdue), and working fine for TQ API, but for the SiSi API server it doesn't work (bad certificate followed by a 500 Internal Server Error response).
Make sure you're connecting to api.eveonline.com and not api.eve-online.com; the latter works but will generate a certificate error (or at least, it was yesterday). |
 Wollari Phoenix Industries Wicked Nation |
Posted - 2011.01.27 13:16:00 - [ 35]
Edited by: Wollari on 28/01/2011 09:36:19Edited by: Wollari on 27/01/2011 13:24:40Edited by: Wollari on 27/01/2011 13:16:56 Quote: If you're an API developer: You should update your application to access the API using HTTPS. The overhead of HTTPS is not that big, even on mobile devices. Due to this, we will turn off normal HTTP access to the API in the future. When a specific date is decided for when this to happen we will make sure to give you appropriate advance warning
No ... SSL doesn't have an impact on your application :-) Querying 25k Corporations (loop with 25k corpIDs, one by one)with HTTP: 0:45 (h:mm) with HTTPS: 1:15 Average query time (25k Corporations) - EDIT: FIXED Calculationwith HTTP: 0.0987s with HTTPS: 0.16796s I don't wanna go multithreaded to start a DoS on your API servers. I hope that you can keep the non-ssl connection open for public APIs. Apart from that requests with multiple corporationID _s_ would be nice. |
 Catari Taga Centre Of Attention Middle of Nowhere |
Posted - 2011.01.27 13:19:00 - [ 36]
|
 CCP Stillman

 |
Posted - 2011.01.27 13:40:00 - [ 37]
Originally by: Wollari Edited by: Wollari on 27/01/2011 13:24:40 Edited by: Wollari on 27/01/2011 13:16:56
Quote: If you're an API developer: You should update your application to access the API using HTTPS. The overhead of HTTPS is not that big, even on mobile devices. Due to this, we will turn off normal HTTP access to the API in the future. When a specific date is decided for when this to happen we will make sure to give you appropriate advance warning
No ... SSL doesn't have an impact on your application :-)
Querying 25k Corporations (loop with 25k corpIDs, one by one) with HTTP: 0:45 (h:mm) with HTTPS: 1:15
Average query time (25k Corporations) with HTTP: 0.9873s with HTTPS: 1.6796s
I don't wanna go multithreaded to start a DoS on your API servers. I hope that you can keep the non-ssl connection open for public APIs. Apart from that requests with multiple corporationID_s_ would be nice.
If you're going to be doing large batches, you're obviously going to see a linear increase in time as a result of having to do a SSL handshake for each request. It's advisable to limit SSL handshakes if you are going to do large queries like that. In those scenarios, there's nothing to stop you from creating a handful of persistent connections and pooling those for requests. |
 Wollari Phoenix Industries Wicked Nation |
Posted - 2011.01.27 14:30:00 - [ 38]
Edited by: Wollari on 27/01/2011 14:31:31Edited by: Wollari on 27/01/2011 14:30:50 Originally by: CCP Stillman It's advisable to limit SSL handshakes if you are going to do large queries like that. In those scenarios, there's nothing to stop you from creating a handful of persistent connections and pooling those for requests.
I'll look into my api library if I can force php/curl to do some http keep alive. I think if I get the keep alive with php working the overall performance should be better since the connection hanshake would be obsolete ... But I still would like to perform batch queries :-) |
 Meeogi Amarr Lone Star Privateers |
Posted - 2011.01.27 16:47:00 - [ 39]
The day is coming where we play eve on the smart phones.
May god save us all |
 Ranka Mei Caldari |
Posted - 2011.01.27 19:49:00 - [ 40]
Originally by: CCP Stillman No, EVEMon should still work correctly.
We're aware of another issue which causes the charactersheet to fail, which would affect EVEMon. We're fixing that as a part of Incursion 1.1.2, which is being deployed tomorrow.
<sarcasm>EVEMON? Yeah, I remember that.</sarcasm> Seems they've given up on their end. :( Or slowed down development to 1/10th of the original. |
 Series 1Alpha Amarr |
Posted - 2011.01.28 00:01:00 - [ 41]
This is awesome. Can you please now have a look at this: EVE Docs which seems to have no documents listed or confirm if this is the full EVE API documentation. |
 Wollari Phoenix Industries Wicked Nation |
Posted - 2011.01.28 09:26:00 - [ 42]
Edited by: Wollari on 28/01/2011 09:35:38 Edited by: Wollari on 28/01/2011 09:29:59 php + curl + https + keepalive == really speedy.
23767 corporations sheets updated (including my database) in 22 minutes. (average request time 0.036s). that's even faster compared to single unencrypted api calls. |
 Vaerah Vahrokha Minmatar Vahrokh Consulting
|
Posted - 2011.01.28 12:02:00 - [ 43]
1) Please let the old API address work (maybe make it optional). There are way too many great applications that are not being updated since 1-2 patches ago and that will break, making my work impossible.
2) Don't you think the rush at securing the API with https is premature, when we have to give Full API keys to be accepted in some corps anyway? And an unknown guy can STILL read all our EvE mails?
3) Don't you think the rush at securing the API with https clashes with the utterly low privacy that by default plagues EvE Gate (everything given away by default both on Tranq (AND Sisi anyway))?
|
 Hud Bannon |
Posted - 2011.01.29 01:38:00 - [ 44]
Not a comp. sci. guru by any means, but what level encryption are we talking about? 128? I am not sure if HTTPS protocal can handle more than that but 128 is nothing to "crack" from what I understand. Again - just curious. |
 CCP Stillman

 |
Posted - 2011.01.29 19:28:00 - [ 45]
|
 pushtaki Gallente |
Posted - 2011.02.01 11:23:00 - [ 46]
so my capsuleer iphone app will stop working some day soon  |
 Aineko Macx |
Posted - 2011.02.05 20:38:00 - [ 47]
Originally by: Hud Bannon Not a comp. sci. guru by any means, but what level encryption are we talking about? 128? I am not sure if HTTPS protocal can handle more than that but 128 is nothing to "crack" from what I understand. Again - just curious.
Looking at the certificate/https info of the API you'll see - symmetric key exchange using RSA asymmetric key encryption with 2048 bit modulus, certificate with SHA1/RSA signature, - actual data transport using 128 bit AES symmetric encryption That's your bread and butter https. |
 romex987 |
Posted - 2011.02.16 23:59:00 - [ 48]
I am currently trying to learn to program just started.. :D using asp.net C#
I imported the libary list eveapi.live etc and am having trouble connecting i guess i will need to do more research now....
|