My first post. Not even sure it is the right place for this topic. It is basically a suggestion to CCP.
Here it goes: most often when a player joins a corporation he is asked to use a separate website and log in using Eve Online credentials (if I got this right, I am a newish player) to give the responsible person in the corp access to some specific details about that character (contacts and so on).
I understand why this info may be requested: basically to avoid recruiting a spy and later giving that spy access to corporation assets etc.
My problem is that accessing a foreign website I know nothing about AND logging in with Eve account details can be a tricky proposal if you care about the security of your account (I am not an expert, but I suppose you could lose even more than just Eve Online account details if you get to the right type of website).
The solution seems simple: CCP can provide this whole process in game as an option for the joining player/recruiter. It can be part of joining a corp: the recruiter can just tick a box that would ask the joining player if he is happy to provide those details (and the process would explain exactly what is provided). If the player is happy to proceed he ticks a box, if not he ticks another box, and all is securely done with no external websites.
What do you think? ( and please let me know if I got anything wrong, including the place to post this). Thanks guys.
Clicking the “log in with EVE Online” button then sends you out of the alliance’s website to the official EVE website to fill in your details and select a character:
After that, it sends you back to the third party website where you were filling in your details.
Of course a malicious third party could send you to a different website that almost looks the same, but is in fact eweomlinedotcom to steal your password, so pay attention to the website you’re filling in your login details on.
If you’re worried that it may not be the real EVE website you’re logging in to, you could also go to www.eveonline.com/account directly, log in there and then click the log-in page of the third party website in another tab. You’ll notice you’re already logged in!
EVE allows external EVE-related websites to authenticate using your EVE account, similar to how Facebook and Google allow you to log in to some websites using your existing accounts. That way you don’t need to make a new account.
You’re not logging in to their website with your account info; you’re logging into your Account Management and giving that website a token that allows them access to character info. They never see your actual account details.
Note that while the whole “to avoid spying” is technically true, it would never actually reveal any well prepared (thus the most dangerous) spies. What is REALLY happening is that they are spying on YOU; there’s lots of information that is very useful to them (or their overlords), especially if you came from, or go to, a group that opposes them.
If you go to EVE website, then click support and from the support pull down select 3rd party applications you can see all your current access rights and can remove them if you feel like it. And that includes old ones from earlier corps or alliances who still gather data on you and any access/info you might have in your current corp or alliance.
You’re not logging in to those sites with your login details; you’re logging in to the EO site with those details, which then passes an OAuth token to the website so they can access the API scopes they requested.
It’s as Gerard Amatin mentions above, with the addition that most corp websites then obtain your details from the server using an ESI request. This can give access to a lot of EVE data… but does not provide a means of amending any of that data.
Killboard uses a similar method to get your data for the list of kills/losses.
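The replies above describe the redirect-based login (an OAuth2 authorization-code flow): the site sends your browser to the official SSO page, you approve a list of scopes, and the site gets back a token limited to those scopes. The following Python is an added example, not code from this thread, from CCP or from any killboard; it shows both sides of that exchange and the two checks a user can actually perform, namely that the login page is really the official host and that the scopes being requested match what that kind of site needs. The host name `login.eveonline.com`, the authorize path, the ESI scope names and the `corp.example` callback are assumptions for illustration and are not taken from the page.

```python
"""Client-side view of the OAuth2 'Log in with EVE Online' flow.

Added example, not code from the forum thread or from CCP/zKillboard.
Assumptions (not stated on the page): the SSO host is login.eveonline.com,
the authorize path is /v2/oauth/authorize, and the ESI scope names below
are illustrative; verify all of them against the official SSO/ESI docs.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

SSO_HOST = "login.eveonline.com"                          # assumed official SSO host
AUTHORIZE_URL = f"https://{SSO_HOST}/v2/oauth/authorize"  # assumed authorize path

# What a killboard plausibly needs (assumed scope names, for illustration).
KILLBOARD_SCOPES = {
    "esi-killmails.read_killmails.v1",
    "esi-fittings.read_fittings.v1",
}
# Scopes the thread's posters would not expect a killboard to ask for.
SENSITIVE_SCOPES = {
    "esi-wallet.read_character_wallet.v1": "wallet balance and transactions",
    "esi-mail.read_mail.v1": "in-game mail",
    "esi-assets.read_assets.v1": "all assets",
    "esi-location.read_location.v1": "current location",
    "esi-skills.read_skills.v1": "trained skills",
}


def build_authorize_request(client_id, redirect_uri, scopes):
    """Third-party side: build the URL the 'Log in with EVE Online' button
    sends the browser to. Returns (url, state, pkce_verifier); the site must
    remember state and verifier in the user's session for the callback."""
    state = secrets.token_urlsafe(32)        # binds the callback to this session
    verifier = secrets.token_urlsafe(48)     # PKCE verifier, kept server-side
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes)),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state, verifier


def is_official_sso(url):
    """User side: the check the thread recommends. Is the login page the
    official SSO host over HTTPS, and not a lookalike such as
    login.eveonline.com.evil.example (a constructed example)?"""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname == SSO_HOST


def requested_scopes(url):
    """Scopes listed in the authorize URL (the same list the consent page shows)."""
    q = parse_qs(urlparse(url).query)
    return set(q.get("scope", [""])[0].split())


def audit_scopes(url, expected):
    """User side: which requested scopes go beyond what this kind of site
    needs? Returns {scope: reason} for everything outside `expected`."""
    excess = requested_scopes(url) - set(expected)
    return {s: SENSITIVE_SCOPES.get(s, "not needed for this site") for s in sorted(excess)}


def parse_callback(callback_url, expected_state):
    """Third-party side: accept the redirect back from SSO. A callback whose
    state does not match the session is rejected (CSRF / login injection)."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this session")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return q["code"][0]


if __name__ == "__main__":
    url, state, _verifier = build_authorize_request(
        "example-client-id", "https://corp.example/callback",
        KILLBOARD_SCOPES | {"esi-wallet.read_character_wallet.v1"})
    print("official host:", is_official_sso(url))
    print("excess scopes:", audit_scopes(url, KILLBOARD_SCOPES))
    print("lookalike:", is_official_sso(
        "https://login.eveonline.com.evil.example/v2/oauth/authorize"))
```

The `audit_scopes` check is the mechanical form of the question asked further down the thread: why would a killboard need wallet or mail access? Comparing the scope list on the consent page against a short allow-list for that class of site is a habit worth building before hitting "authorize".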
Gosh, well just looking at the info for a corp I am in… a heck of a lot!
My current ISK worth, all my emails, all my ISK transactions, my skills training including my entire training schedule, my current location, all my ships and inventory… yada yada.
And (says I with a very sardonic tone)… this is all done to prevent spying!
After the EVE login it actually asks you what info the 3rd party is asking you to give up. The list that pops up is max 2k nerd stuff and I suspect most players don’t know what the scopes mean.
For example giving your character asset info and your computer ip to random website is just asking for a targeted hacking operation.
The spy prevention scheme is just a sham. The information retrieved is used in lots of ways to meta eve game play but unfortunately it can be used in malicious ways.
Whatever you are willing to give both through ESI and beyond (personally providing). Recruiters and corps / alliances in general tend to get all the info they can get.
Not true (ESI can delete ship fits and manipulate messages; specifically it could spoof a message to be from you like “hey director guy, give X all the T2 BPOs, he’s moving them for us, k thx, lol.”), so you as well…
CCP could probably do a better job of communicating this in a meaningful way. The 3rd party apps and their developers have been getting a bit of the shaft for a while, and with the number of outstanding issues with the ESI a certain amount of distrust is inevitable. I would go so far as allowing the “account holder” to “soft block” certain scopes, in that calls return an empty result, rather than just going 404 and the app “knowing” you said no by rejecting the full scope set requested.
This is exactly the kind of thing needed in the mobile space. App wants your GPS? Instead of Yes/No, there needs to be a third option, like “Fake”, e.g. “GPS set to big house on Pennsylvania Ave etc 24/7”.
…because ^ this kind of situation is 100% possible, despite “nefarious” use of the 3rd party API for such purposes (the TOS specifically forbids ESI for scams) not occurring on a widespread basis. Or put another way, if someone leaks the IP of your main FC via a 3rd party app, what is CCP going to do about a botnet DDoS just happening to occur during big timers?
“Soft blocking” scopes means you are not sharing those scopes, which means the third party asking you for those scopes won’t get what they want, which likely means they don’t want you to have access.
Why build in a mechanic that gets you outed as spy immediately or breaks a zkillboard sign-up upon sign-up?
It’s kind of useless to allow zkillboard to read a fake scope of your kills. And if you’re not willing to show your new guild that you’re not a spy, they won’t be able to tell that you’re not a spy and will reject your application. So why bother signing up at all?
You would be surprised how often “new players” who happen to have Cynosural Field Theory level 5 as one of their first skills, and are in the location right next door to where big capital ships got caught, happen to be blue scouts.
Nobody wants to grind on their spy account to buy all these skills and ships, so a lazy spy might even send them ISK to their wallet from their main.
ESI scopes on wallet, location and skills can tell a new corporation about such spies, and that’s only one quick example I can think of as someone who never even went through the ESI scopes of others myself.
Heaven forbid people have to actually look at the data the system is returning and think for themselves.
Real spies would be smarter than that. Rumor has it certain players have “donated” to zkill in order that certain results be suppressed, so breaking zkillboard isn’t anything new except for the poors.
It wouldn’t be first; CPU Management to 5 is a prerequisite, though without at least Covert Ops (25 days) or Expedition Frigate (29 days), cyno 5 by itself is limited in its usefulness.
Sure this catches the low hanging infiltration fruit, but seriously, soft blocking should be an option for 3rd party apps that are overly greedy with scopes. Eg, why would a site like zkill need to see my assets? Why does it even care what my skills are like?
If squizz wakes up one day and asks for those scopes, the sheeple won’t even bother to blink before hitting agree…
You are being selective. The full section of text highlighted there are scopes that have delete rights, which is nothing to do with account logins.
If third party apps are overly greedy with scopes, just don’t give them your ESI. Simple as that.
I’m pretty sure zkillboard only wants scopes related to fits and killmails. If it also wanted unrelated scopes like my mails or my wallet, which I see no reason for a killboard to have, I wouldn’t give access.
The example was extreme to highlight how a very important 3rd party application might one day change to be unpleasant; without a competitor (and squizz stated an opinion during blackout when the PvP crowd complained about the 2 hour delay) to go to, that service is lost.
Even if a third party application goes “unpleasant” they won’t get extra ESI scopes. They’ll have the scopes you gave originally and nothing more.
So I don’t see what that example has to do with your idea of giving fake scopes.
Also you can revoke your scopes at any time, in case you don’t want them to have your scopes anymore.
Useful in case of an “unpleasant third party service” like you mentioned, or more likely when you leave an old corporation for another one. Just revoke your scopes.
Never give anyone any ESI access beyond an “identity confirmation”, so you can prove that you are actually the player you claim to be. No access to mails, wallet, contracts, contacts, assets, EVER. Location is debatable; in case of a mapping tool (which is incredibly powerful) I’d consider it, because knowing the locations/current ships of their own members is potentially very useful for the group play. And they can see it in the corporation/members tab anyway.
If they insist to have more access to your data, screw them. The big paranoid groups with egomaniac leaderships are the worst places to be anyway.
Will the application continue to operate with access unimpeded?
Of course not; the scenario in which a 3rd party app changes already requested scopes and one in which it initially asks for overly broad scopes are entirely different use cases.
Revocation of an entire application is very different from the revocation of particular scopes; this statement appears to conflate the two.
Such things are a requirement for null, which is the entire point of being able to give empty data rather than the more overt “no” answer.
What do you think happens when you give fake empty data to a corporation who is looking if you may be a spy?
They deny you and tell you to give the full data. Only an incompetent group would accidentally miss it, but do you really want to be part of an incompetent group?
I really don’t see the point of fake ESI scopes.
If you don’t agree with the ESI scopes someone asks for, just give them the overt “no” answer.
For an applicant, submitting a fake scope to a corp is the only way to know; everything else is an assumption that the people being spoken to bother to look.
The scope isn’t fake, the data it returns is. The idea isn’t to make all scopes have a fake return state, just a certain subset.
It’s odd that no 3rd party developers have asked for this after the Singularity server ESI was removed; looks like people just got used to developing/testing on production data.