> I understand the very compelling reasons why Twitter wants to convert
> to universal OAuth access.  But let's quit spinning OAuth as this
> "great new security enhancement technology" that will benefit end-
> users.  It's not.  It wasn't even meant to be.  It was just meant to
> help the Twitters of the world communicate end-user information among
> each other without having to share their end-users' credentials.

You're working on a webapp to deal with Twitter timelines. You store
Twitter usernames and passwords.  For some reason or another your site
gets hacked and all usernames and passwords are compromised.  In a
majority of cases, users have the same password set up for other
accounts.  The hackers do a username search to find the user in other
places and try to retrieve their data there. To combat this and be
totally sure, the user now has to remember all sites where they could
have used that password and get it changed. Crap.

Now let's see the OAuth version.  Your site gets hacked.  You reset
the consumer key and secret. Tada, hackers now have useless tokens.
You get to the bottom of the hacking and explain to everyone what
occurred and whatever data was compromised.  However, you don't have to
tell them that their login information was compromised, which is a
really nice thing.  Will people be distrustful of your app?  Yes, but
the fallout is a lot less painful.


-- 
Subscription settings: 
http://groups.google.com/group/twitter-development-talk/subscribe?hl=en
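The two scenarios in the reply above, modelled as an added example (not code from the original thread, and not Twitter's real API). It is a deliberately simplified stand-in for OAuth 1.0a-style signing: the provider holds each consumer's secret, the app's database holds per-user access tokens, and a request is accepted only if its HMAC matches a key built from the current consumer secret plus the token secret. The `Provider`, `sign`, `run_scenario` names and the `&`-joined signing key are assumptions made for the illustration. Rotating the consumer secret is the "reset the consumer key and secret" step from the post; the password branch shows why a leaked password store has no equivalent kill switch.

```python
"""Added illustration: blast radius of a leaked password store versus a
leaked OAuth token store. Toy model only; not Twitter's API or the OAuth spec."""
import hashlib
import hmac
import secrets


def signing_key(consumer_secret: str, token_secret: str) -> bytes:
    # Simplified OAuth-1.0a-like construction (assumption for this example).
    return f"{consumer_secret}&{token_secret}".encode()


def sign(message: bytes, consumer_secret: str, token_secret: str) -> str:
    return hmac.new(signing_key(consumer_secret, token_secret),
                    message, hashlib.sha1).hexdigest()


class Provider:
    """Stand-in for the OAuth provider (the 'Twitter' side)."""

    def __init__(self) -> None:
        self.consumers: dict[str, str] = {}   # consumer_key -> consumer_secret
        self.tokens: dict[str, tuple[str, str, str]] = {}  # token -> (ckey, user, tsecret)

    def register_consumer(self, consumer_key: str) -> str:
        self.consumers[consumer_key] = secrets.token_hex(16)
        return self.consumers[consumer_key]

    def rotate_consumer_secret(self, consumer_key: str) -> str:
        # The post's remedy: every existing token is now unusable because the
        # old consumer secret no longer produces a valid signature.
        self.consumers[consumer_key] = secrets.token_hex(16)
        return self.consumers[consumer_key]

    def issue_token(self, consumer_key: str, user: str) -> tuple[str, str]:
        token, token_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = (consumer_key, user, token_secret)
        return token, token_secret

    def verify(self, consumer_key: str, token: str, message: bytes, sig: str):
        """Return the user the request acts for, or None if rejected."""
        entry = self.tokens.get(token)
        if entry is None or entry[0] != consumer_key:
            return None
        _, user, token_secret = entry
        expected = sign(message, self.consumers[consumer_key], token_secret)
        return user if hmac.compare_digest(expected, sig) else None


def run_scenario() -> dict:
    results = {}

    # --- Password-storing app: a leak is reusable everywhere -------------
    # Constructed sample: the same user reused one password on another site.
    other_site_password_hash = hashlib.sha256(b"hunter2").hexdigest()
    leaked_from_our_db = "hunter2"          # stored in the clear, as the post assumes
    results["password_reuse_elsewhere"] = (
        hashlib.sha256(leaked_from_our_db.encode()).hexdigest() == other_site_password_hash
    )

    # --- OAuth app: a leak is bounded by the consumer secret -------------
    provider = Provider()
    consumer_key = "timeline-app"
    consumer_secret = provider.register_consumer(consumer_key)
    token, token_secret = provider.issue_token(consumer_key, "alice")
    msg = b"GET /statuses/home_timeline"

    # Legitimate use before any incident.
    results["legit_before_rotation"] = provider.verify(
        consumer_key, token, msg, sign(msg, consumer_secret, token_secret)) == "alice"

    # Attacker dumps the app's database: tokens, token secrets and the old
    # consumer secret. Until rotation those work, which is why you rotate.
    stolen = (consumer_secret, token, token_secret)
    results["attacker_before_rotation"] = provider.verify(
        consumer_key, stolen[1], msg, sign(msg, stolen[0], stolen[2])) == "alice"

    # App owner rotates the consumer secret at the provider.
    new_consumer_secret = provider.rotate_consumer_secret(consumer_key)

    # Stolen material now fails verification; alice's own password was never held.
    results["attacker_after_rotation"] = provider.verify(
        consumer_key, stolen[1], msg, sign(msg, stolen[0], stolen[2])) == "alice"

    # The app itself keeps working with the new secret and the same tokens.
    results["legit_after_rotation"] = provider.verify(
        consumer_key, token, msg, sign(msg, new_consumer_secret, token_secret)) == "alice"
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The model keeps the stored tokens unchanged across rotation on purpose: in the post's version of events, the remedy is a change made at the provider, not a mass re-authorisation of users, so the comparison stays focused on what a database leak alone gives an attacker.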