New Dev Blog: Puttin' on the foil coach [Updated 3/23/10]
 
This thread is older than 90 days and has been locked due to inactivity.


 

Bubbled
Posted - 2010.03.24 08:04:00 - [151]
 

Originally by: schwar2ss
"Sorry, an error has occurred while processing your request.
There are no free RPC proxies available right now"



I get this too on both my accounts I tried.

CCP Karuck

Posted - 2010.03.24 08:26:00 - [152]
 

Edited by: CCP Karuck on 24/03/2010 10:30:30
Originally by: Dr BattleSmith
https://test.evegate.com:443/Profile/CharacterName/AddContact


No RequestVerificationToken.

It is a POST request but if the code responds to GET as well (or if JS is used to make the POST) then this can be used to XSS attack AddContact.

Users could use this to add themselves to enemy addressbook so that they can retrieve private info on target.
It's probable it could be used to set blue standings for yourself on someone else's profile.



I am very aware of attacks like that, this one must have slipped through. Next time please submit a bug report :)

Edit: This wasn't an issue at all, this action was already blocked for HTTP GET.
We are also using HTTP DELETE btw.

CCP Karuck

Posted - 2010.03.24 08:28:00 - [153]
 

Originally by: DenShou
Interesting note, when loading this site in Chrome. I do not see [ Home, Profile, Mail, Calendar ] Menu that I do see in Firefox.


We do use Chrome for testing. The menu bar isn't shown when you aren't logged in, are you sure you were logged in?

ViolenTUK
Gallente
Demolition Men
Posted - 2010.03.24 08:42:00 - [154]
 

Edited by: ViolenTUK on 24/03/2010 08:46:58

I would like the option to opt out of evegate. A feature should be added to the eve client in the form of a checkbox. The option should be "Disable EVEGATE".

JeanMichel Bizarre
Firebird Squadron
Terra-Incognita
Posted - 2010.03.24 08:42:00 - [155]
 

Edited by: JeanMichel Bizarre on 24/03/2010 08:43:01
This doesn't work in Chrome anymore (it did last night) but if I open it in IE-tab, still in Chrome, it does work.

It also won't let me log in now.

Quote:
Sorry, an error has occurred while processing your request. There are no free RPC proxies available right now


Paknac Queltel
Baden's Army
Posted - 2010.03.24 08:52:00 - [156]
 

Originally by: Bubbled
Originally by: schwar2ss
"Sorry, an error has occurred while processing your request.
There are no free RPC proxies available right now"



I get this too on both my accounts I tried.

I get this as well.

I guess this would be why there's a stress test. :D

Femme Fatal
Roving Guns Inc.
Posted - 2010.03.24 09:03:00 - [157]
 

same

Sorry, an error has occurred while processing your request.

There are no free RPC proxies available right now

CCP Karuck

Posted - 2010.03.24 09:09:00 - [158]
 

Try again now folks, we had Singularity downtime.. sorry the error message wasn't more explicit :)

Mantees
Gallente
Posted - 2010.03.24 09:19:00 - [159]
 

It looks interesting. I can't wait until we are able to check the market journal and transactions, and the status of the industry/research jobs. That would be great!

Miana Amannar
Posted - 2010.03.24 09:58:00 - [160]
 

Edited by: Miana Amannar on 24/03/2010 09:58:02
I'm strictly against this spacebook nonsense as long as my characters show up there by default.
For privacy AND security reasons participating should be COMPLETELY optional - meaning that if I don't give my OK my chars will not show up in EVE Gate. No matter what!

Are trial chars able to use EVE Gate?
If yes - block them!

You're opening a can of worms just to jump the social media bandwagon. :evil:

Mantees
Gallente
Posted - 2010.03.24 10:06:00 - [161]
 

I honestly don't understand the complaints. If you don't like it don't use it, right? There are plenty of people who are really happy to see this being developed.
Leave us our new toy! :D :D

Evan Batarr
Posted - 2010.03.24 10:13:00 - [162]
 

Originally by: CCP Karuck
Originally by: Dr BattleSmith
https://test.evegate.com:443/Profile/CharacterName/AddContact


No RequestVerificationToken.

It is a POST request but if the code responds to GET as well (or if JS is used to make the POST) then this can be used to XSS attack AddContact.

Users could use this to add themselves to enemy addressbook so that they can retrieve private info on target.
It's probable it could be used to set blue standings for yourself on someone else's profile.



I am very aware of attacks like that, this one must have slipped through. Next time please submit a bug report :)


How many more of these very trivial attack possibilities have 'slipped through'? And what about the not so trivial ones?

I hope you're aware that EVE Gate is every EVE-playing hacker's wet dream? This will be the no. 1 spying tool.
I already see the $$-signs in some people's eyes. Finding 0-day exploits for EVE-Gate will be a very lucrative business.

Miana Amannar
Posted - 2010.03.24 10:25:00 - [163]
 

Originally by: Kyra Felann
Originally by: Latex Sandals
How do I completely remove my character from public view on evegate? I don't want anything to do with it.


You can make it so that the only info available is the same info also available in-game. I don't think you'll be able to do anything about people looking you up exactly like they can already do in-game, though.


Well, there's a very big difference between IN GAME and out of game. If you follow some simple security measures it's practically impossible to hack your account to gather intel. It's a lot more trivial to do this on a web-based social media portal.

Another big difference IMO:
It's nearly impossible (or at least not trivial) to automatically gather the 'public info' (like who is in which corp etc.) of a big number of individuals in game. It's pretty easy to do that on EVE Gate.
Any way to make intel gathering easier is bad IMO. So an OPT-OUT (or even better - make it OPT-IN) of EVE Gate should be a matter of course!


Sturmwolke
Posted - 2010.03.24 10:48:00 - [164]
 

Originally by: Evan Batarr
How many more of these very trivial attack possibilities have 'slipped through'? And what about the not so trivial ones?

I hope you're aware that EVE Gate is every EVE-playing hacker's wet dream? This will be the no. 1 spying tool.
I already see the $$-signs in some people's eyes. Finding 0-day exploits for EVE-Gate will be a very lucrative business.


I'd have to agree on this point. One major screw-up here is they actually ported all the pertaining personal character data without wiping the contacts list/mails/whatever else clean for this Alpha. I spent some time playing around with the mutual contacts list adding over 7-8 pages of names that made for some interesting intelligence discovery. I'm wondering how much damage has already been done and whether this is going to blow when the majority of players find out.

When your house is made of paper, don't risk the real data. I hope CCP sees this constructively when they move on to Beta, not repeating the same mistake again.

Truly, as it is, I'm wary of even logging onto EVE Gate for fear of account compromise, regardless of the secure https.
Only the paranoid survives - Andrew Grove.

CCP Karuck

Posted - 2010.03.24 10:52:00 - [165]
 

Originally by: Evan Batarr
Originally by: CCP Karuck
Originally by: Dr BattleSmith
https://test.evegate.com:443/Profile/CharacterName/AddContact


No RequestVerificationToken.

It is a POST request but if the code responds to GET as well (or if JS is used to make the POST) then this can be used to XSS attack AddContact.

Users could use this to add themselves to enemy addressbook so that they can retrieve private info on target.
It's probable it could be used to set blue standings for yourself on someone else's profile.



I am very aware of attacks like that, this one must have slipped through. Next time please submit a bug report :)


How many more of these very trivial attack possibilities have 'slipped through'? And what about the not so trivial ones?

I hope you're aware that EVE Gate is every EVE-playing hacker's wet dream? This will be the no. 1 spying tool.
I already see the $$-signs in some people's eyes. Finding 0-day exploits for EVE-Gate will be a very lucrative business.


I just edited my comment above, this was NOT a vulnerability. It was a post by a concerned user, which I have now validated not to be true.
We are very much on top of security issues on EVE Gate and do not want things like this to slip through.. which is why we need to catch them in testing before they go live to TQ.

Elrianmk2
Gallente
Posted - 2010.03.24 10:53:00 - [166]
 

Quote:
Sorry, an error has occurred while processing your request.

There are no free RPC proxies available right now


Well, the stress side of the test seems to be working? Are there any metrics on the number of RPC connections being used, and how active these connections are, or is this company confidential? I would hope not, as it's the test server and I want to hammer it a lot.

Comment: good to see the incorrect username / PW message is easy to see and understand; I've been on sites that don't comment on it and just re-present the credentials page. However, could you make it bigger for, um... people who may have imbibed a bit, to read?

Dr BattleSmith
PAX Interstellar Services
Posted - 2010.03.24 11:22:00 - [167]
 

Edited by: Dr BattleSmith on 24/03/2010 23:39:47
Edited by: Dr BattleSmith on 24/03/2010 11:25:56
Originally by: CCP Karuck

Edit: This wasn't an issue at all, this action was already blocked for HTTP GET.
We are also using HTTP DELETE btw.


Still needs a token as HTTP DELETE can be generated by javascript.

Originally by: CCP Karuck

I just edited my comment above, this was NOT a vulnerability. It was a post by a concerned user, which I have now validated not to be true.



I don't think hubris is a pathway to good security.

The hit needs a token, it is insecure, HTTP DELETE is no different to POST in this respect and either can be forged within the user's browser.

If this hit was not important I'd agree that DELETE was enough, however this very request can be used to set blue and gain access to users' information.

edit: actually it's just a POST not sure where DELETE came from that's the DelContact action.
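
The difference between blocking GET and requiring a token, as an added example that is not part of the thread and is not CCP's code: two handlers for a state-changing action, one checking only the HTTP method and one also verifying a session-bound token. The handler names, the request dictionary shape, the session id and the HMAC-based token scheme are assumptions made for illustration; only the field name `RequestVerificationToken` comes from the post above.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; generated here only so the example is self-contained.
SERVER_KEY = secrets.token_bytes(32)
STATE_CHANGING = ("POST", "DELETE")

def issue_token(session_id: str) -> str:
    """Anti-forgery token bound to one session, embedded in forms the site renders."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle_method_only(request: dict) -> int:
    """Method restriction alone: GET is refused, but any POST or DELETE that
    arrives with the session cookie is accepted, whichever page triggered it."""
    if request["method"] not in STATE_CHANGING:
        return 405
    if "session" not in request["cookies"]:
        return 401
    return 200

def handle_with_token(request: dict) -> int:
    """Same checks, plus a token that only pages served by the site can supply."""
    if request["method"] not in STATE_CHANGING:
        return 405
    session = request["cookies"].get("session")
    if session is None:
        return 401
    supplied = request["form"].get("RequestVerificationToken", "")
    expected = issue_token(session)
    # Constant-time comparison avoids leaking how much of the token matched.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403
    return 200

# Constructed sample requests (hypothetical session id and form fields).
SESSION = "sess-3f9a"
SAME_SITE = {"method": "POST", "cookies": {"session": SESSION},
             "form": {"contact": "Some Pilot",
                      "RequestVerificationToken": issue_token(SESSION)}}
# Request triggered from another origin: the browser attaches the cookie,
# but the originating page cannot read the token, so the field is absent.
CROSS_SITE = {"method": "POST", "cookies": {"session": SESSION},
              "form": {"contact": "Some Pilot"}}

def compare() -> dict:
    """Status code from each handler for each sample request."""
    return {
        "method_only": (handle_method_only(SAME_SITE), handle_method_only(CROSS_SITE)),
        "with_token": (handle_with_token(SAME_SITE), handle_with_token(CROSS_SITE)),
    }

if __name__ == "__main__":
    print(compare())
```

The method-only handler returns 200 for both requests, while the token-checking handler returns 200 for the site's own form and 403 for the request that lacks the token.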

CCP Gangleri


Minmatar
Posted - 2010.03.24 11:29:00 - [168]
 

Originally by: Elrianmk2
Quote:
Sorry, an error has occurred while processing your request.

There are no free RPC proxies available right now


Well, the stress side of the test seems to be working? Are there any metrics on the number of RPC connections being used?


This is the error that is returned when Sisi is not available, the daily downtime for Sisi is 07:30-09:00 GMT but as it is a test server unscheduled downtimes happen as well. The easiest way for you to see whether Sisi is available is to use one of the available webtools, like these:
http://games.chruker.dk/eve_online/server_status.php
http://www.eve-offline.net/?server=singularity

Camios
Minmatar
Sebiestor Tribe
Posted - 2010.03.24 11:47:00 - [169]
 

It does not load the character portraits even if I wait for 10 minutes.

Elrianmk2
Gallente
Posted - 2010.03.24 11:52:00 - [170]
 

Currently I find that the [character]:[charactername] fields are overwriting each other when looking at the member list of the corporation. I assume that this is due to the field-width of the [character] not being defined accurately due to the lack of portrait propagation.

Jae Car'das
Minmatar
T.R.I.A.D
Posted - 2010.03.24 11:54:00 - [171]
 

It's great that mail is now available out of game and I am really looking forward to the calendar, but I am more looking forward to the API being updated so I can integrate it into our Alliance Website.

Will full mail and calendar functionality be available via the API and if so any idea how long after Beta?

Are contacts, mail, calendar and chat broadcasting the only functions planned at the moment? Will skill queue viewing/management, assets, order and wallet viewing come later too?

Feedback wise - very slow (to be expected) and my mail is out of sync. Eve Gate mail is behind in game mail by 3 weeks.

CCP Karuck

Posted - 2010.03.24 12:03:00 - [172]
 

Originally by: Dr BattleSmith
Edited by: Dr BattleSmith on 24/03/2010 11:25:56
Originally by: CCP Karuck

Edit: This wasn't an issue at all, this action was already blocked for HTTP GET.
We are also using HTTP DELETE btw.


Still needs a token as HTTP DELETE can be generated by javascript.

Originally by: CCP Karuck

I just edited my comment above, this was NOT a vulnerability. It was a post by a concerned user, which I have now validated not to be true.



I don't think hubris is a pathway to good security.

The hit needs a token, it is insecure, HTTP DELETE is no different to POST in this respect and either can be forged within the user's browser.

If this hit was not important I'd agree that DELETE was enough, however this very request can be used to set blue and gain access to users' information.



I'm sorry I misunderstood what you were pointing out. I thought you were simply worried it was exposed as GET, I must have missed your comment about the token.
I will definitely look into this, thanks for pointing it out.

Raidan Morfarik
Minmatar
Posted - 2010.03.24 12:05:00 - [173]
 

Originally by: Jae Car'das
It's great that mail is now available out of game and I am really looking forward to the calendar, but I am more looking forward to the API being updated so I can integrate it into our Alliance Website.

Will full mail and calendar functionality be available via the API and if so any idea how long after Beta?

Are contacts, mail, calendar and chat broadcasting the only functions planned at the moment? Will skill queue viewing/management, assets, order and wallet viewing come later too?

Feedback wise - very slow (to be expected) and my mail is out of sync. Eve Gate mail is behind in game mail by 3 weeks.



Eve Gate seems to be linked to Sisi, not TQ. So no sync since release, I think!

CCP Karuck

Posted - 2010.03.24 12:06:00 - [174]
 

Originally by: Jae Car'das

Are contacts, mail, calendar and chat broadcasting the only functions planned at the moment? Will skill queue viewing/management, assets, order and wallet viewing come later too?

Feedback wise - very slow (to be expected) and my mail is out of sync. Eve Gate mail is behind in game mail by 3 weeks.



Actually, your skill list and skill queue are already there and working (look under Character Sheet on your profile page).
We have big plans for the future, but are still deciding on what takes priority... but everything you mentioned has been discussed.

Again.. this test website is running on our test environment Singularity, it's not your live data. Currently this data is 2 weeks old, and updated roughly every 3 weeks.

Alice Krige
Posted - 2010.03.24 13:12:00 - [175]
 

On my contact list I get the

[ ] Generic Corp logo Disbanded alliance [ standing ]

with a number of my contacts. So I can't see the character names only their standing and
that they were member of an Alliance which has since disbanded...

So who are they?

Narkhana
Gallente
Infinium Trading Inc.
Posted - 2010.03.24 13:28:00 - [176]
 

Originally by: CCP Karuck

Again.. this test website is running on our test environment Singularity, it's not your live data. Currently this data is 2 weeks old, and updated roughly every 3 weeks.



The data being two weeks old is beside the point, having contacts available to be viewed without the option to opt-out is unacceptable in a game such as EVE. Unfortunately it doesn't seem that CCP cares as their only response is "this data is 2 weeks old". Thankfully professional companies that hold personal information don't take the same approach with my personal data. I wonder what would happen if Facebook made all friends lists available (even if the list is 2 weeks old) and didn't give the option to opt-out?

Like I said, all of what you've done is cool so far, but leaving the contact lists available on Eve-Gate is a serious lack of concern for your players' privacy.

CCP Purple Tentacle

Posted - 2010.03.24 13:46:00 - [177]
 

Originally by: Camios
It does not load the character portraits even if I wait for 10 minutes.

In order to see how the image servers cope with load, we started them with a completely empty image cache. Your initial rush on the website yielded the expected results, the render queue skyrocketed and is still trying to catch up.

It's safe to say that it will require some more time to process everything it got during the initial phase of the alpha test, probably even one more day or so. Once it managed to burn down the current epic queue and nicely filled up its portrait and corp logo caches, it will become much more responsive and hopefully render the faces of the newcomers within 10 minutes of the first request, the speed we were originally aiming for.

ULTImatio
Posted - 2010.03.24 14:04:00 - [178]
 

EVE-Online is a place of life and death! It's no damn social site. Now this EVE-Gate just turned into a damn intel tool.

I don't think pilots like to see that their current buddy list becomes a social network thing that can be used as intel.

Now every pilot in EVE can check out your Mutual Contacts. If their standings are all positive they can check out your entire address book.

Lionel Redstar
Gallente
Pure Skunkworks
Posted - 2010.03.24 14:07:00 - [179]
 

Edited by: Lionel Redstar on 24/03/2010 14:14:12
Small bug on the contact list: I have 2 "Disbanded alliance" that can't be deleted. Dunno which, have to check ingame.

Edit: I checked ingame and they are actually 2 closed corporations. After I removed them ingame they disappeared from EveGate too.

Jae Car'das
Minmatar
T.R.I.A.D
Posted - 2010.03.24 14:41:00 - [180]
 


Can a CCP answer my previous question please -

Will full mail and calendar functionality be available via the API and if so any idea how long after Beta?

Thanks

