Your tone is rude and your argument stupid. I'm using the same tone so that you'll feel right at home.
I am once again pleading with people to use EDMC
- Thread starter Kailoren
- Start date
Although your security concerns are valid, in this case they don't apply. Oauth2 verification doesn't provide any of that info to those tools, only to Frontier, which, if you successfully authenticate, give the OK to those 3rd party tools to communicate using your account data (journal, codex, progress), but, NO username and/or password.
That change you refer to was actually an increase of security, not a decrease. Please, don't take my word for it, look it up.
Might I draw your attention to the word "unauthorized", within the text you quoted?
It's kind of important.
The APIs which allows ED's journal to communicate with sites like EDDB, INARA, and EDSM is not only authorized by FDev but is actively supported as well.
I take it we all recall the "strike" by those sites, enacted to draw attention to FDev's percieved shortcomings related to the journal API, which led to FDev doing some stuff slightly differently in order to assist those sites better?
That's not the action of a company who seeks to prevent websites creating companion-tools.
That's the action of a company who endorses such tools and resolves to assist in their use.
And good on FDev for doing so.
Exactly. What happens is you get directed to the Frontier site, and you log in with them securely (check the URL). They then redirect the browser to lookup a URL, buts its a URL which is local to the PC and all that URL contains is an random authentication string.
EDMC/EDD etc then use that authentication string to request data from the frontier servers. Frontier passed back the info since you verified with Frontier you were happy to allow this service to question them on this information.
No password/username is stored in the 3rd party program.
This is a common method. If some site says login via Google/Facebook etc, they are using the same mechanism.
Noone's suggesting that Inara or EDMC stores your name and password, noone's afraid of that either.
It's simple; as an end user you get asked to confirm or deny a whole slew of authorizations that some third party wants to have.
And EDMC suddenly wanted access to personal name, personal email, and various other pieces of information. Which I don't want to grant, so I stopped using EDMC.
You want more people to use EDMC? -Don't ask for access to so much personal information. It's easy as that.
And I still stand by my statement that Frontier Developments should restrict information they hand out to third parties to just a customer's FrontierID and nothing else.
Perhaps the third party folk can bring that up with FDev, and help hammer their security down so that less people get turned off by this issue.
This is my final post on this issue -- I don't care what you say it does or does not do, because that's irrelevant to me.
I do care what Frontier's own web interface tells me it's granting you or other third party developers.
And I don't like to grant access to the personal information that's being asked for.
Now if there's a mismatch between reality and what Frontier states, then that's something you'll need to discuss with them, not us.
The actual problem is that if we "scope=capi" we still get access to the /me endpoint. Complain to Frontier, it's their problem that they're leaking the information even if we only request access to the CAPI endpoints.
i run edmc, EDDisc i have both and only data i see is the planets i have visted, i dont see your problem with program,many people have run the programs and have not had there data leaked or leeched.
For EDDiscovery, yes. EDDiscovery has a clearly proportionate OAuth2 grant to its needs, which makes it even more obvious that the others don't.
For Inara, if I login for CAPI auth, Frontier says
That doesn't mean that Inara stores any of that data or even extracts it from the OAuth response ... but there's no need for Frontier to be putting that information in the OAuth response to them either.auth.frontierstore.net said:
Now, obviously, if you trust the developers (or for the open source apps have enough programming knowledge to read the code to prove it, compile from source every time, and recheck the auth code every time) it's not a problem as such that they're being sent more data than they actually use. Frontier should fix it anyway.
That change was not at the EDMC end. Marginal changed the code to actually specify
scope=capi way back in January 2019 ( https://github.com/EDCD/EDMarketConnector/commit/f00e44065c9d9bce73714a5ecd0f608185dfec61 ). We have not changed this since. The one thing we did add to the code in April 2021 was a call to the /decode endpoint in order to compare the customer ID for CAPI to that from the Journals as a cross-check that the user had authorised us on the correct account.Any changes to the information that an EDMC oAuth request appears to make would have been down to changes Frontier made to the oAuth mechanism.
I'm a little disappointed that, as best as I can determine, you (or anyone else) made zero effort to report this apparent change to the EDMC developers.
None of that has anything to do with the apps in question for one simple reason: they did not create a "hack" to obtain any data.
They are all using the data owned and operated by Frontier with Frontier's permission.
Legal & Privacy
Introduction
EDCodex is an unofficial website for the game Elite: Dangerous (property of Frontier Developments).
EDCodex is a non-commercial site.
EDCodex is a non-commercial site.
Intellectual property
EDCodex was created using assets and imagery from Elite: Dangerous, with the permission of Frontier Developments plc, for non-commercial purposes. It is not endorsed by nor reflects the views or opinions of Frontier Developments and no employee of Frontier Developments was involved in the making of it.
That is why it's all free. Frontier keeps an eye on things to make sure nothing gets out of hand. If it ever did, they'd simply shut it all down.
There we go. That's exactly what I was worried about. You do indeed have access to the data.
Props for confirming it though.
Here's the deal; every time someone avoids mentioning that and just dances around the issue when it's brought up, alarm bells start ringing because it seems you're trying to hide something.
The OP's pleading the community to use EDDN related tools more often so we all benefit from updated stuff.
And I gave my two cents why I stopped using EDMC. Turns out it was a valid reason.
Now, please understand that folks like me are just end users...
We sort of get the impression that there's a "thing" that causes Inara and EDDB to update market data, and that's useful to us in some specific cases.
We make a judgement call on wether or not it does what it says on the tin, and then pray it doesn't do bitcoin mining or worse.
We don't know, or care, who works on it and don't understand any of the jargon you're using - we learn "EDDN" at best, and that's it.
We certainly don't know how to give feedback to this - once eyebrow raising stuff happens, we uninstall.
If they use their own tools, they'd get the exact same authorization form that we all get.
And apparently they were cool about it, otherwise they'd have reverted it.
Besides, as mentioned above, a layman doesn't know how to give feedback.
Other then by accident, as per this convo today.
There's a whole 'Help' menu, pointing to things like Documentation, in EDMarketConnector's UI.
In the original game it was quite easy to work out the pairs of economy types that would have good trades. Although, IIRC, the prices would slowly adjust as you used up supply and satisfied demand, so you had to move on. It was a lot simpler than Elite Dangerous's economy (which is saying something, as even ED's is mostly simple, modulo secondary effects like faction states and nearby CGs causing spikes in demand).
Although if, for whatever reason, they then manually open the Market after buying from it that will cause another update to get sent over EDDN. This only doesn't happen for "dock, open market" because EDMC compares the set of data and doesn't send if it matches what it already saw during docked period.
Maybe i am rude, i not a native Englisch speaker. But it is also rude to expect from ppl to use third party tools. crying that you can not play the game as you would like to, just cause others do not use the tools you want them to use. The OP stated it is simple to use those tools, but its not there are a whole bunch of questions one needs to ask themselfs if they wanne register for such a third party website. Just watch how fast the Cannon DS went down the hill cause some lazzy Admin did not asked the right questions.
Just let the Player decide on they own. Do not make it mandatory or cry if it does not do what you expect.
Oh and BTW what do you think people do if they install EDDiscovery and the antivirussoftware goes hellwire?