> I've implemented OAuth some time ago, with no real issues. For the
> environment Twitter is in, I think it makes perfect sense. My BS
> sensors went off at some of the comments I saw circulating as to what
> OAuth's principal benefits are. But if you'd rather not see any
> dissenting opini
Hi Raffi,
Didn't mean to sound like lambasting. I have read the history on
OAuth, which is why I commented as I did. I agree with both of your
points. Both are very good reasons to implement OAuth. I just don't
believe protecting users against their own app is a fundamental reason
to implement
hi ron.
i'm just seeing you respond to every message in this thread lambasting
oauth, so i figured it may be time to say something. i suggest you read up
on the history of oauth? there are two reasons, that i care about, that
oauth is important:
1. *minimizing the exposure of user's username
Some of you talk about an "app" as if it were a person. Sure, apps
could be malicious, but that includes every app on your computer -
doesn't it? Why should you assume some of the apps handling your
credentials can be more trustworthy than others? Any app that is on
your computer while you type
> Anytime you enter your credentials, regardless of where, you open
> yourself to being snooped. I believe that is far less likely when
> communicating with YOUR app on YOUR computer, than it is via a browser
> over the open Internet to a 3rd party that may or may not be who you
> think it is...
There is no way to prevent basic auth apps (web or desktop) from taking over
your account or performing username/password changes. They have your
username and password and can just log into the web interface.
--
Little androids dreaming of Nexus Ones compiled this text.
On Apr 26, 2010 10:56 PM,
Unless I'm wrong (it happens), I believe you can do everything the API
offers with OAuth that you can currently do with basic auth. But even
if that isn't true, preventing basic auth from allowing username/
password changes is a much more direct solution (and easier) than
forcing an OAuth implemen
> I understand the very compelling reasons why Twitter wants to convert
> to universal OAuth access. But let's quit spinning OAuth as this
> "great new security enhancement technology" that will benefit end-users. It's not.
> It wasn't even meant to be. It was just meant to
> help the Twitters
So the more correct response would be that neither OAuth nor Basic Auth
can take over a user's account, since it is the API functionality that
is the gating factor.
So then you have to ask yourself, do you believe your user credentials
are more secure when only you, your app, and Twitter will ever
You used to be able to change an account's email address through the API but
it looks like Twitter removed that "feature" so no. An OAuth application
cannot take over a user's account.
Abraham
On Mon, Apr 26, 2010 at 17:49, philip crawford wrote:
> With a user's Twitter password, I can take over t
With a user's Twitter password, I can take over their account by
changing email & password. Can I do that with OAuth credentials?
On Mon, Apr 26, 2010 at 7:43 PM, Ron B wrote:
> Where end-user credentials are stored is entirely up to the end-user,
> as is who they choose to share the information
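Philip's question above (can OAuth credentials take over the account?) and Abraham's answer earlier in the thread (an OAuth application cannot) both come down to what the application actually holds. The following is an added example, not code posted by anyone in this thread or Twitter's own implementation: a self-contained OAuth 1.0a HMAC-SHA1 exchange in which the consumer side signs an API call with a consumer secret and a per-user token secret, and the provider side verifies it, rejects a replayed nonce, a tampered query and a revoked token. The user's password is never part of the signing key or the request. The consumer key/secret, the endpoint URL and the token store are constructed for the demo; a real provider would also bound the timestamp window and back the stores with a database.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, unquote, urlparse

# Constructed demo credentials; in real use the consumer key/secret come from the
# provider's app registration and the token pair from the OAuth authorization dance.
CONSUMER_KEY, CONSUMER_SECRET = "demo-consumer-key", "demo-consumer-secret"
API_URL = "https://api.twitter.com/1/statuses/home_timeline.json"  # assumed endpoint

def pct(s):
    # RFC 5849 3.6: percent-encode everything except unreserved chars, uppercase hex.
    return quote(str(s), safe="")

def base_string(method, url, params):
    # RFC 5849 3.4.1: METHOD & enc(base URL) & enc(sorted encoded k=v pairs joined by &).
    u = urlparse(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    norm = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params.items()))
    return "&".join([method.upper(), pct(base_url), pct(norm)])

def hmac_sha1(method, url, params, consumer_secret, token_secret):
    # Signing key is enc(consumer_secret)&enc(token_secret); the password plays no part.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign_request(method, url, query, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None):
    """Consumer side: build the Authorization header for one API call."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = hmac_sha1(method, url, {**query, **oauth},
                                         consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))

class Provider:
    """Service side: consumer registry, per-user token store and replay cache."""
    def __init__(self, consumers):
        self.consumers = dict(consumers)  # consumer_key -> consumer_secret
        self.tokens = {}                  # token -> {user, consumer, secret, revoked}
        self.seen = set()                 # (consumer_key, timestamp, nonce) already accepted

    def issue_token(self, user, consumer_key):
        # Stands in for the request-token / authorize / access-token exchange.
        token, secret = secrets.token_hex(16), secrets.token_hex(16)
        self.tokens[token] = {"user": user, "consumer": consumer_key,
                              "secret": secret, "revoked": False}
        return token, secret

    def revoke(self, token):
        # User or provider cuts off one application; no password change required.
        self.tokens[token]["revoked"] = True

    @staticmethod
    def parse_header(header):
        scheme, _, rest = header.partition(" ")
        if scheme != "OAuth":
            return None
        parts = (p.strip().partition("=") for p in rest.split(","))
        return {unquote(k): unquote(v.strip('"')) for k, _, v in parts}

    def verify(self, method, url, query, header):
        """Return the user the call acts for, or None if it must be rejected."""
        p = self.parse_header(header)
        if not p or p.get("oauth_signature_method") != "HMAC-SHA1":
            return None
        p.pop("realm", None)  # realm is never part of the signature base string
        consumer_secret = self.consumers.get(p.get("oauth_consumer_key"))
        tok = self.tokens.get(p.get("oauth_token"))
        if (consumer_secret is None or tok is None or tok["revoked"]
                or tok["consumer"] != p["oauth_consumer_key"]):
            return None
        replay_key = (p["oauth_consumer_key"], p.get("oauth_timestamp"), p.get("oauth_nonce"))
        if replay_key in self.seen:  # a real provider also bounds the timestamp window
            return None
        sent = p.pop("oauth_signature", "")
        expected = hmac_sha1(method, url, {**query, **p}, consumer_secret, tok["secret"])
        if not hmac.compare_digest(sent.encode(), expected.encode()):
            return None
        self.seen.add(replay_key)
        return tok["user"]

def demo():
    """Run the exchange and return what the provider decided in each case."""
    provider = Provider({CONSUMER_KEY: CONSUMER_SECRET})
    token, token_secret = provider.issue_token("alice", CONSUMER_KEY)
    query = {"count": "5"}
    def call(q):
        return sign_request("GET", API_URL, q, CONSUMER_KEY, CONSUMER_SECRET, token, token_secret)
    results, hdr = {}, call(query)
    results["valid"] = provider.verify("GET", API_URL, query, hdr)       # accepted: "alice"
    results["replay"] = provider.verify("GET", API_URL, query, hdr)      # same nonce: rejected
    results["tampered"] = provider.verify("GET", API_URL, {"count": "500"}, call(query))
    provider.revoke(token)
    results["revoked"] = provider.verify("GET", API_URL, query, call(query))
    return results

if __name__ == "__main__":
    print(demo())
```

Running the block prints the four decisions; only the first call is accepted. Which API methods a valid token may reach (for example whether it can change the account's email address) is a separate policy decision inside the provider, which is exactly the point made in the thread about API functionality being the gating factor.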
Where end-user credentials are stored is entirely up to the end-user,
as is who they choose to share the information with. OAuth does not
and cannot address this, as it shouldn't - and neither should Twitter
When a user types their username/password on the Twitter authorization
screen, they are u