Enhanced security and privacy protection on the API Keys

Added by kregora about 9 years ago

The current API keys are in my opinion not secure enough. If the format of the API keys remains unchanged and it will in the future still be necessary to give the real API keys to 3rd parties, giving away a key gives partial access to all keys on the same account, each protected only by a 32-bit random number.

My suggestion is to either increase the randomness of the API Keys to maybe 128-256 bit, or to offer an option to disable API Key usage in the Account Management.

Additionally or alternatively I would like to see an application registry, where I can generate application specific API keys.
  1. An application is registered under a specific name on a ryzom.com site
    1. an application id will be generated which has to be used by the application to retrieve information from the Ryzom API
    2. a secret hash is generated and stored with the application id at ryzom.com
  2. A player that wants to give access to a specific site goes to a ryzom.com site, selects a given application and enters his personal API key, and receives an encrypted application specific API key, which he then gives to the application site
  3. The application requests information with its own application identifier and the application specific API key
    1. The Ryzom API delivers the content only after successfully decrypting the application specific API key
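
One way the application-registry flow proposed above could work, as an added example that is not part of the original post or of the Ryzom API. It swaps the encryption step for random 256-bit tokens that the server stores under an HMAC keyed with the per-application secret; `AppKeyRegistry` and its method names are hypothetical.

```python
import hashlib
import hmac
import secrets


class AppKeyRegistry:
    """In-memory stand-in for the server-side registry (hypothetical names)."""

    def __init__(self):
        self._apps = {}    # app_id -> (name, per-application secret)
        self._grants = {}  # HMAC(app secret, token) -> character name

    def register_app(self, name):
        # Step 1: an application id plus a secret that never leaves the server.
        app_id = secrets.token_hex(8)
        self._apps[app_id] = (name, secrets.token_bytes(32))
        return app_id

    def _tag(self, app_id, token):
        secret = self._apps[app_id][1]
        return hmac.new(secret, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, app_id, character):
        # Step 2: called after the player has proven ownership of `character`.
        # The token is 256 random bits and carries no uid or slot number.
        token = secrets.token_urlsafe(32)
        self._grants[self._tag(app_id, token)] = character
        return token

    def resolve(self, app_id, token):
        # Step 3: a token is only valid with the app id it was issued for.
        if app_id not in self._apps:
            return None
        return self._grants.get(self._tag(app_id, token))

    def revoke(self, app_id, token):
        # Withdraws one application's access without touching other grants.
        if app_id not in self._apps:
            return False
        return self._grants.pop(self._tag(app_id, token), None) is not None


if __name__ == "__main__":
    reg = AppKeyRegistry()
    app = reg.register_app("juggler")  # constructed application name
    tok = reg.issue(app, "APIHomin")
    print(reg.resolve(app, tok), reg.revoke(app, tok), reg.resolve(app, tok))
```

Because the server keeps only the keyed tag, a token handed to one application is useless when presented under another application id, and revoking it leaves the player's other grants intact.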

Replies (6)

RE: Enhanced security on the API Keys - Added by vl about 9 years ago

Hello kregora.

Thanks for your post and your interest in the security.

It's your opinion but it cannot be good since you don't know what security we provide.

There's absolutely no security problem with our key system, don't worry.

Regards.

RE: Enhanced security on the API Keys - Added by kregora about 9 years ago

Currently it is a fact that I have to give the plain api keys to 3rd parties, so that those are able to query the api, or am I wrong here?

RE: Enhanced security on the API Keys - Added by kregora about 9 years ago

Okay, let's look at the two keys of APIHomin and APINoob, and take as given that the capital R is the delimiter, so we have four fields to consider:
APIHomin

api key: PR521366R0R343D6080
         P 521366 0 343D6080
P        type: partial character key
521366   uid
0        slot number 
343D6080 32bit password

APINoob

api key: FR521366R1R05EF0010
         F 521366 1 05EF0010
F        type: full character key
521366   uid
1        slot number 
05EF0010 32bit password

When you regenerate the key only the 32bit password is set to a new value.

Issue 1: in my opinion a 32bit password is too weak (but you commented that already)

Issue 2: breach of privacy, someone who knows about both keys sees that they belong to the same account (same uids)
Anyone who was able to access the data can save it as uid=521366 (APINoob, APIHomin). If in the future a new character is generated on the account with the name APIRyzomTest, the new API Key will be something like FR521366R3R11223344.

To make my privacy protection suggestion work, other changes need to be made, too, like the removal of the uid from the returned character data.

This is to prevent that Player A may find out that SuperFried and YourMeanestEnemy are played by the same person.

And I am not sure if the login and logout times, if given to other players, may be a violation of the Code of Conduct 9: You may not communicate any player's real world personal information on the Winch Gate Property Limited forum, ingame, on the live chat support nor any Ryzom Services.
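
The field breakdown from the post above, written as a small format review; this is an added example, not code from the thread or from the Ryzom API. The regular expression encodes the poster's reading of the two quoted keys (an assumption, not a documented format), and the third sample key is constructed.

```python
import re
from collections import defaultdict

# Layout as read in the post: type, uid, slot, 32-bit hex password, joined by "R".
KEY_RE = re.compile(r"^([PF])R(\d+)R(\d+)R([0-9A-F]{8})$")
KEY_TYPES = {"P": "partial character key", "F": "full character key"}

# The first two keys are quoted in the post; the third is constructed here
# to stand for a key from an unrelated account.
SAMPLE_KEYS = ["PR521366R0R343D6080", "FR521366R1R05EF0010", "FR100001R0R0BADF00D"]


def parse_key(key):
    """Split a key into the four fields the post identifies."""
    m = KEY_RE.match(key)
    if m is None:
        raise ValueError("not in type/uid/slot/password layout: %r" % key)
    kind, uid, slot, password = m.groups()
    return {"type": KEY_TYPES[kind], "uid": int(uid), "slot": int(slot),
            "password": password, "secret_bits": 4 * len(password)}


def review_format(keys):
    """Report what a holder of these keys learns without guessing anything."""
    slots_by_uid = defaultdict(list)
    for key in keys:
        fields = parse_key(key)
        slots_by_uid[fields["uid"]].append(fields["slot"])
    linked = {uid: sorted(s) for uid, s in slots_by_uid.items() if len(s) > 1}
    return {
        "secret_bits": min(parse_key(k)["secret_bits"] for k in keys),  # Issue 1
        "linked_by_uid": linked,  # Issue 2: same uid means same account
        "fields_in_clear": ["type", "uid", "slot"],
    }


if __name__ == "__main__":
    for k in SAMPLE_KEYS:
        print(k, parse_key(k))
    print(review_format(SAMPLE_KEYS))
```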

RE: Enhanced security and privacy protection on the API Keys - Added by suibom about 9 years ago

I would like to see this addressed as well. I mean, it's enough of an issue that you offer a key encryption method so the general populace doesn't get character API keys, but you do expect trust in offering the keys to the app hoster.

For example, let's say Joe Ganker creates an app, or (more likely) snags one from someone else, and finds a way to host it. Let's say the app is a wonderfully cute thing that shows an animation of your character wearing equipment and juggling inventory items from the character profile API, everyone loves it and goes out and signs up all of their characters, cause the app allows for multiple characters to juggle items to each other... Now, the app itself isn't at question here, it's a great little toy. The problem arises with Joe Ganker.

See, Joe Ganker is a member of a griefing group that likes to mess with other players and ruin their experience. Now, with the help of the app, Mr. Ganker has the character api keys of many users. He houses them in a database and sorts them out so he knows what characters are linked together. He finds one player that his group has been tormenting and now has all of their alts that are happily juggling away on the user's screen.

Next time user logs in with one of his characters, they are immediately harassed by one of the GankerCrew. Fed up, they log out and decide to play another character.. same problem. Eventually the once happy player is now miserable.

It's a bit far-fetched, sure, but hopefully illustrates the potential of abuse of the current system.

Peace,
- Sui

RE: Enhanced security and privacy protection on the API Keys - Added by kregora about 9 years ago

I think it is better if you continue this thread Suibom.

I totally lost my trust in the Ryzom project.

Bye.

RE: Enhanced security and privacy protection on the API Keys - Added by barbaros about 9 years ago

Actually I see the problem with the 32 bit token but it seems arrangements were made to secure this.

I cannot agree with your second part. There always have been limitations for multi-chars on one account, like the one account at the official forum.

PS: The uid is not only in the key but also in the xml data.
