Players may visit non-official EVE Online web sites and be prompted to log in using their EVE Online account credentials. This can worry players, as account security is paramount. However, it is possible that the web site is using the EVE Online Single Sign On (SSO). The SSO allows players to submit their account information securely to the EVE Online login server and for the web site to receive confirmation that the player owns a specific character.
There are some important points to consider if a player is prompted to submit their account credentials when visiting a non-official CCP site:
- They should ensure that the site which requests the login information is secure. Players can determine if the site is secure by reviewing the 'How to use the SSO in a secure way' section below.
- Using an authentic SSO means that the web site will not see a player's account credentials (Username or Password). The SSO will only confirm if a player owns a character on an account.
- If a player is in any doubt about the security or authenticity of a web site then they should not enter any account information. Players are encouraged to report any suspicious sites to firstname.lastname@example.org
More detailed information about the SSO can be found in the article below.
What is the SSO?
The SSO, also known as single-sign-on, is a way for users to log into one web site or application using their username and password from another web site. For example, if you go to https://www.goodreads.com/ and try to sign in, they will ask you if you want to sign in with Facebook, Twitter, Google, or even Amazon. For Goodreads this is great because it means they don't have to worry about trying to manage your username and password information. It also has the nice advantage of making it a lot easier for you as a user to sign into their site, as you don't need to register or keep track of multiple extra account names and passwords.
For EVE Online, the SSO means that you can sign into a web site that has integrated the EVE SSO and confirm you are a specific character. While signing into a site you will be asked which character you wish to authenticate with, and the web site that let you sign in with the EVE SSO will get confirmation from CCP that you own that character. The original web site will only ever get your character; it never sees your account name or password. The original web site will not know what account that character is on or have any way, from us at least, of linking that character to any other character on the same account.
How to use the SSO in a secure way
An SSO system, by nature, is the guard at the gates. In our case it guards who is able to access your virtual identity. Sadly, the internet is full of fraudsters lingering around and waiting for a chance to make a profit or gain some benefits, and they are happy to do this any way you could potentially think of. They try to trick you into telling them your account credentials with the help of social and technical measures, including phishing and spoofing of authorities as well as web portals.
That being said, how do you do it the secure way? Luckily, nowadays tools and technologies provide us with plenty of information about trust relationships and communication security. Utilizing this information we are able to tell if we are being targeted by an attack or not. In the case of our SSO, this looks as follows.
Validate that you are securely connected to the correct web resource before entering any credentials
There is only one legit domain and host name combination for our SSO which is login.eveonline.com. Also, make sure that you are connected via https: (note the “s”) and never enter any credentials over plain text and unauthenticated http: connections.
Verify that the connection is securely encrypted and authenticated
In a Chrome browser, you can get to the verification dialog by clicking the small lock icon to the left of the URL bar. Every modern browser provides this or a similar brief overview which allows you to check the trust relationship of your connection and the security level of the encryption which is applied to it.
Manual verification of the certificate
By manually verifying the certificate of the web resource you are connected to, you can check that the certificate is valid for the domain it is used on and that it has not yet expired.
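The three checks above (correct host over https, certificate valid for the domain, certificate not expired) can also be written as code. This is an added example, not CCP's own code; the function names, sample URLs and sample certificate are constructed for illustration, and the certificate dictionary follows the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ssl
from urllib.parse import urlsplit

SSO_HOST = "login.eveonline.com"  # the only legitimate SSO host named in the article

def is_genuine_sso_url(url: str) -> bool:
    """True only for https URLs whose host is exactly the SSO host."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or host is None:
        return False
    # Text before an '@' is userinfo, not the host: a lookalike trick.
    if parts.username is not None or parts.password is not None:
        return False
    return host.lower() == SSO_HOST and port in (None, 443)

def cert_covers_sso(cert: dict, now: float) -> bool:
    """Manual check: a DNS name matches the SSO host and 'now' is in the validity window."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

    def matches(pattern: str) -> bool:
        if pattern.startswith("*."):
            # A wildcard covers exactly one left-most label.
            return SSO_HOST.split(".", 1)[1] == pattern[2:]
        return pattern == SSO_HOST

    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return any(matches(n) for n in names) and not_before <= now <= not_after

# Constructed sample certificate (not the real one served by the SSO).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "login.eveonline.com"),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    for url in ("https://login.eveonline.com/account/logon",  # constructed path
                "http://login.eveonline.com/",                 # no TLS
                "https://login.eveonline.com.example.net/",    # host is example.net
                "https://login.eveonline.com@example.net/"):   # userinfo trick
        print(url, "->", is_genuine_sso_url(url))
    now = ssl.cert_time_to_seconds("Jun 15 00:00:00 2024 GMT")
    print("certificate ok:", cert_covers_sso(SAMPLE_CERT, now))
```

A browser performs the certificate checks automatically during the TLS handshake; the second function only spells out what the manual verification confirms.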
Following these recommendations you can reduce the risk of getting your credentials and therefore your virtual identity stolen. Also, we encourage you to report any misleading, bogus or questionable usage of our SSO to email@example.com.