Hi Matt, thanks for the answer...
OAuth isn't hard ;)

Over a couple of days I learned a bit about it and put it on my TestApp to
see how it works.

I'm glad to see that you guys worry about the end user. Let's bring it
on...

We just had to generate our api_key and secret, and sort all parameters of
the method (including api_key and secret) to create a signature... (basically,
of course)

So... don't worry about us (developers).

On Thu, Feb 5, 2009 at 4:33 PM, Matt Sanford <m...@twitter.com> wrote:

> Hi Gustavo et al,
>
>     This is the problem with re-use systems like both Basic Auth and the
> FriendFeed token system. Every application uses the same token so you turn
> them all off at once (like a password change). Even if we give out one key
> per application (like OAuth) your requests can be intercepted and the
> credentials re-used (unless SSL is required). This sort of re-use is not a
> problem in OAuth where requests are signed using a secret and include a time
> stamp and a random value (nonce). Since the nonce can't be re-used this even
> guards against replay attacks.
>
>     I know OAuth is hard. I've implemented the server side, a Scala test
> library and a sample Rails app (blog post coming soon). Having said that, all
> of the times I've wondered why it has to be so difficult I've come up with an
> attack scenario that means that part can't be dropped. I want to try and keep
> up Basic Auth as long as it's needed, but on the other hand I don't want to be
> like Microsoft who keep around LANMAN as an attack vector for years on end.
> It's a tough balance between encouraging developers and protecting our users.
>
> Thanks;
>   — Matt
>
>
> On Feb 5, 2009, at 10:13 AM, Gustavo Melo wrote:
>
> So, what happens if this third party exposes this generated key to other
> apps? Will they access your account too?
> If this key can only be used for one app (maybe locked to one IP), will the
> user always need to generate a new key for each app? (Go to the Twitter page,
> log in, access New Keys, generate a new key, and give it to the app)
>
> On Thu, Feb 5, 2009 at 10:37 AM, Ninjamonk <dar...@stuartmedia.co.uk> wrote:
>
>>
>> Have you guys considered maybe tweaking the basic auth system to
>> something like what FriendFeed has?
>>
>> Each user could be given a third-party-system-generated key to use
>> instead of a password, and then basic auth could still be used and not
>> be tied to the system password.
>>
>> If the user felt their account had been compromised by an app they
>> could just generate a new code, and this would also protect the user's
>> account from hijacking.
>>
>> I know you don't want to have 2 different systems for auth, but this
>> could be used for legacy apps and for use cases like the ones funkatron
>> mentioned earlier in the thread.
>>
>> Cheers
>>
>>
> --
> ----------------------------------
> Analista Desenvolvedor
> www.espacodj.com
>
>
>


-- 
----------------------------------
Analista Desenvolvedor
www.espacodj.com

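The signing scheme Matt describes above (every request signed with a secret, carrying a timestamp and a one-time nonce) and the "sort all parameters, then sign" step Gustavo mentions, as an added example that is not code from this thread, from Twitter or from FriendFeed: an OAuth 1.0 HMAC-SHA1 signer next to a server-side verifier that rejects stale timestamps and reused nonces. The consumer key, token and request parameters come from the example request in RFC 5849 section 3.4.1.1; the secrets, the `OAuthVerifier` class, its 300-second window and the `demo()` scenario are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(s):
    # RFC 5849 s3.6 percent-encoding: only ALPHA, DIGIT, "-", ".", "_", "~" stay bare.
    return quote(str(s), safe="-._~")


def signature_base_string(method, base_url, params):
    # RFC 5849 s3.4.1: METHOD & enc(base URL) & enc(normalized parameters).
    # `params` are decoded (name, value) pairs gathered from the query string, the
    # form body and the Authorization header, minus "realm" and "oauth_signature".
    pairs = sorted((pct(k), pct(v)) for k, v in params)  # sort by name, then value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # RFC 5849 s3.4.2: key = enc(consumer secret) & enc(token secret).
    # The secrets never travel in the request; only this HMAC does.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def sign_request(method, base_url, params, consumer_key, consumer_secret,
                 token="", token_secret="", timestamp=None, nonce=None):
    # Client side: add the oauth_* protocol parameters, then sign the whole set.
    oauth = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce if nonce is not None else secrets.token_hex(8)),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp if timestamp is not None else int(time.time()))),
    ]
    if token:
        oauth.append(("oauth_token", token))
    signed = list(params) + oauth
    base = signature_base_string(method, base_url, signed)
    signed.append(("oauth_signature", hmac_sha1_signature(base, consumer_secret, token_secret)))
    return signed


class OAuthVerifier:
    # Server side (assumed design): recompute the signature and enforce the
    # timestamp window and one-time nonce, so a captured request cannot be replayed.
    def __init__(self, consumer_secrets, token_secrets, window_seconds=300):
        self.consumer_secrets = consumer_secrets
        self.token_secrets = token_secrets
        self.window = window_seconds
        self.seen = set()  # (consumer_key, token, timestamp, nonce) of accepted requests

    def verify(self, method, base_url, params, now=None):
        now = time.time() if now is None else now
        oauth = {k: v for k, v in params if k.startswith("oauth_")}
        sig = oauth.get("oauth_signature")
        if sig is None or oauth.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "missing signature or unsupported method"
        try:
            ts = int(oauth["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "stale timestamp"
        key, token = oauth.get("oauth_consumer_key", ""), oauth.get("oauth_token", "")
        replay_key = (key, token, ts, oauth.get("oauth_nonce", ""))
        if replay_key in self.seen:
            return False, "replayed nonce"
        consumer_secret = self.consumer_secrets.get(key)
        if consumer_secret is None:
            return False, "unknown consumer key"
        token_secret = self.token_secrets.get(token, "") if token else ""
        if token and token not in self.token_secrets:
            return False, "unknown token"
        unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
        expected = hmac_sha1_signature(
            signature_base_string(method, base_url, unsigned), consumer_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False, "bad signature"
        self.seen.add(replay_key)  # remember nonces of *valid* requests only
        return True, "ok"


# Request parameters from RFC 5849 s3.4.1.1, already decoded (query string + form body).
RFC_URL = "http://example.com/request"
RFC_PARAMS = [("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"), ("c2", ""), ("a3", "2 q")]


def demo():
    # Secrets are constructed for this example; the RFC key and token ids are reused.
    verifier = OAuthVerifier({"9djdj82h48djs9d2": "consumer-secret"},
                             {"kkk9d7dh3k39sjv7": "token-secret"})
    creds = ("9djdj82h48djs9d2", "consumer-secret", "kkk9d7dh3k39sjv7", "token-secret")
    now = 137131201 + 10
    req = sign_request("POST", RFC_URL, RFC_PARAMS, *creds, timestamp=137131201, nonce="7d8f3e4a")
    first = verifier.verify("POST", RFC_URL, req, now=now)
    replay = verifier.verify("POST", RFC_URL, req, now=now)  # same capture sent again
    fresh = sign_request("POST", RFC_URL, RFC_PARAMS, *creds, timestamp=137131201, nonce="a1b2c3d4")
    tampered = [(k, "x" if k == "a2" else v) for k, v in fresh]  # altered in transit
    forged = verifier.verify("POST", RFC_URL, tampered, now=now)
    stale = verifier.verify("POST", RFC_URL, req, now=now + 3600)  # an hour later
    return first, replay, forged, stale
```

Two points the thread touches on are visible in the verifier: the nonce is only recorded after the signature checks out, so an unauthenticated sender cannot fill the nonce store, and the store must be shared across all API servers and pruned to the timestamp window or the replay check is only as good as the one box that saw the first request. The signature covers the method, base URL and parameters but encrypts nothing, which is why Matt still brings up SSL for confidentiality.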