hi ron.

i'm just seeing you respond to every message in this thread lambasting
oauth, so i figured it may be time to say something.  i suggest you read up
on the history of oauth?  there are two reasons, that i care about, that
oauth is important:

   1. *minimizing the exposure of users' usernames and passwords*: in the
   base case, no - i don't trust random applications to have access to users'
   passwords.  this is similar to the argument i made in this blog post:
   http://mehack.com/xauth-and-perhaps-the-need-for-socializing-ap.  there
   are a few applications i trust "more" than i trust other apps: mail.app on
   my mac, safari and chrome, for example.  sure, it's possible to attack
   those applications -- but, i believe, the probability of somebody
   managing an attack on those applications is significantly greater than the
   probability of an application, malicious or not, exposing a password.  the
   password could be exposed for malicious means, or simply by a bug.  mail.app,
   safari, chrome, etc. have massive corporations who are very much
   incentivized to patch/update them if there is a security problem.
   random-twitter-app?  not so much.  (a different argument on this theme,
   however, is whether users care about this)
   2. *providing differing levels of access*: twitter implements read and
   read/write as access profiles on applications.  it is possible to give an
   application only "read" access to your account, which means that it cannot
   post a status update -- only read your timeline and such.  this is not
   possible in a world where you are handing out your password.  if a user's
   password is given to a third party application, then all the permissions of
   a user are exposed.

sure - i also have interests regarding "visibility" into the platform (if an
application has a bug, we can trivially figure out which application it is;
if a user is curious "which app is reading my DMs" we will be able to tell
them, etc.).  but i also really do care about the security of users.

> Some of you talk about an "app" as if it were a person.  Sure, apps
> could be malicious, but that includes every app on your computer -
> doesn't it?  Why should you assume some of the apps handling your
> credentials can be more trustworthy than others?  Any app that is on
> your computer while you type your username/password can potentially
> obtain that information.  And what about the app at the far end of the
> Internet that may be "pretending" to be Twitter's authorization page?
> Frankly, I think the whole argument about "malicious apps" is a little
> over the top for an OAuth discussion.
>
> Why would you believe that "basic auth developers are required to
> store passwords in plain-text..."?  I'm a basic auth developer, and I
> have always stored username/passwords encrypted in a access protected
> keychain file.  I do not know of a single developer of any platform
> that would be so irresponsible as to store username/passwords in plain
> text - well until now.  :)
>
> Twitter's only interest in OAuth (like any other platform provider) is
> to control access to their platform at an application level, and to
> allow other platform providers access to their users' data.  This
> altruistic nonsense about Twitter being more interested in your
> personal password protection than your bank, your online stock trading
> company, or the IRS, is just that - nonsense.
>
> There's nothing wrong with Twitter's decision to implement OAuth.  It
> makes perfect sense.  I'd do it, if I were in their shoes.  Why are so
> many of you rushing to their defense with these manufactured
> alternative reasons for why they are implementing it?
>
> On Apr 27, 5:52 am, glenn gillen <gl...@rubypond.com> wrote:
> > > Anytime you enter your credentials, regardless of where, you open
> > > yourself to being snooped.  I believe that is far less likely when
> > > communicating with YOUR app on YOUR computer, than it is via a browser
> > > over the open Internet to a 3rd party that may or may not be who you
> > > think it is...
> >
> > Supporting this option though Twitter is dependent on the security
> > procedures of every 3rd party to maintain the integrity of an account.
> > With OAuth at least should an individual 3rd party have their security
> > breached then access to just that 3rd party can be terminated.
> >
> > Also with basic auth developers are required to store passwords in
> > plain-text (or at least in some retrievable form) and as someone else
> > has already pointed out with the propensity for users to use the same
> > password on many services this exposes them to undue risk from a
> > breach of a 3rd party or via a malicious developer.
> >
> > I'd sleep much easier at night if I didn't know anybody else's
> > password, I'm sure the Twitter team would prefer if only a user knew
> > their own password too.
> > --
> > Glenn
> > http://glenngillen.com/
> >
> > --
> > Subscription settings:
> http://groups.google.com/group/twitter-development-talk/subscribe?hl=en
>



-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi
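The two properties raffi argues for above (a read-only scope that cannot post, and cutting off one application without touching the user's password or any other application), as an added example that is not part of this thread and not Twitter's own code. The authorization server, the opaque token format, the scope names "read" and "write", the introspect/revoke_app/post_status calls and the sample user and statuses below are all assumptions constructed for illustration:

```python
# Added illustration for this thread, not Twitter's code: a toy authorization
# server issuing per-application tokens scoped "read" or "read"+"write", and a
# resource server enforcing the scope. All names and formats are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Token:
    app: str      # which application holds this token
    user: str     # whose account it grants access to
    scope: set    # assumed scope names: "read", "write"

class AuthorizationServer:
    """Checks the password itself and gives the app a token, never the password."""
    def __init__(self):
        self._passwords = {}   # user -> (salt, pbkdf2 digest)
        self._tokens = {}      # opaque token string -> Token

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, user, password):
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, self._digest(password, salt))

    def check_password(self, user, password):
        salt, digest = self._passwords.get(user, (b"", b""))
        return hmac.compare_digest(digest, self._digest(password, salt))

    def issue_token(self, user, password, app, scope):
        """The user authenticates here, not to the app, and consents to `scope`."""
        if not self.check_password(user, password):
            raise PermissionError("bad credentials")
        if not set(scope) <= {"read", "write"}:
            raise ValueError("unknown scope requested")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = Token(app=app, user=user, scope=set(scope))
        return token

    def introspect(self, token):
        # Token record for a live token, or None if unknown or revoked.
        return self._tokens.get(token)

    def revoke_app(self, app):
        """Cut off one application; other apps and the password are untouched."""
        victims = [k for k, t in self._tokens.items() if t.app == app]
        for key in victims:
            del self._tokens[key]
        return len(victims)

class ResourceServer:
    """The API behind the tokens. Each call names the scope it requires."""
    def __init__(self, auth):
        self.auth = auth
        self.timeline = {}     # user -> list of (app, status text)

    def _require(self, token, needed):
        record = self.auth.introspect(token)
        if record is None:
            raise PermissionError("invalid or revoked token")
        if needed not in record.scope:
            raise PermissionError(f"token lacks the {needed!r} scope")
        return record

    def read_timeline(self, token):
        record = self._require(token, "read")
        return list(self.timeline.get(record.user, []))

    def post_status(self, token, text):
        record = self._require(token, "write")
        self.timeline.setdefault(record.user, []).append((record.app, text))
        return len(self.timeline[record.user])

def permitted(call, *args):
    # True if the API call succeeds, False if the token was refused.
    try:
        call(*args)
        return True
    except PermissionError:
        return False

def demo():
    # Constructed sample data: one user, one read-only app, one read/write app.
    auth, pw = AuthorizationServer(), "correct horse battery staple"
    auth.register_user("alice", pw)
    api = ResourceServer(auth)
    reader = auth.issue_token("alice", pw, "random-twitter-app", {"read"})
    writer = auth.issue_token("alice", pw, "mail.app", {"read", "write"})
    api.post_status(writer, "posted from the read/write client")
    out = {"reader_sees": api.read_timeline(reader)}
    out["reader_can_write"] = permitted(api.post_status, reader, "must be refused")
    out["revoked"] = auth.revoke_app("random-twitter-app")
    out["reader_alive_after_revoke"] = permitted(api.read_timeline, reader)
    out["writer_after_revoke"] = api.read_timeline(writer)
    out["password_still_works"] = auth.check_password("alice", pw)
    return out
```

Running demo() shows the read-only token reading the timeline but being refused on post_status, and revoke_app removing only that application's tokens while the read/write client and the password keep working. Under basic auth the only thing the provider can revoke is the password itself, which cuts off every application at once, and every application holding the password can do everything the user can.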
