|Twitter's Change to OAuth Authentication Generates Security Debate|
| 7:48 pm on Sep 5, 2010 (gmt 0)|
Twitter recently stopped supporting its Basic authentication for third party applications (there are over 70,000 of them at this point) and now supports only the OAuth authentication method. This has kicked up a storm of controversy.
Ryan Paul at Ars Technica said in a recent article both that OAuth is flawed [arstechnica.com] and that Twitter's implementation is also poor, compounding the security concern. Paul's main focus is the set of security keys - a consumer key and consumer secret.
|If the key is embedded in the application itself, it's possible for an unauthorized third party to extract it through disassembly or other similar means. It will then be possible for the unauthorized third party to build software that masquerades as the compromised application when it accesses the service. |
Ben Adida, a Harvard University fellow and noted security consultant, countered Ryan Paul's criticism as an unwarranted bashing of Twitter's oAuth [benlog.com]. After debunking some of the major points, Adida writes:
|The article makes some very good smaller points that Twitter (and other oAuth providers) should heed: |
...having more explicit error messages is a good idea
logging out is confusing...
giving users more cues for trusting certain apps is probably a good idea...
These are all useful points. But they're small, and they do not warrant a big scary title.
I've been following Ben Adida's contributions to web technology for a long time - I'm not as familiar with Ryan Paul. That's just a disclaimer about me, and not intended as any negative aimed at Mr. Paul. That said, from my layman's point of view it does like Ryan Paul is being overly sensationalist for the sake of publicity rather than any real concern about user security.
It will be interesting to see how this pans out.
| 10:18 pm on Sep 5, 2010 (gmt 0)|
Either way, rewrite some of your apps and it'll be fine...
| 11:08 pm on Sep 5, 2010 (gmt 0)|
It does raise the watch level for OAuth as a potential attack vector, however. And there are an increasing number of places that use OAuth - it's not just Twitter.
| 9:12 am on Sep 6, 2010 (gmt 0)|
The other issue I have with people complaining about OAuth is that the most used alternative is actually giving your username and password to apps, a practice that never should have existed!
Yes there may be issues with OAuth but compare it to other options and i know what I prefer
| 6:13 am on Sep 7, 2010 (gmt 0)|
An interesting step, looking at the announcement one year ago [webmasterworld.com...] that Twitter would stop using OAuth until security issues were addressed. It seems they are more confident in OAuth authentication now.
| 7:18 am on Sep 24, 2010 (gmt 0)|
Oauth gives far more security than the older traditional way.
Being afraid that consumer keys and secrets would be embedded (as in hardcoded) into applications is plain old bulx. Applications would not be too versatile when embedding keys.
Embedding keys will allow the application to post Twitter updates to the application writer's own Twitter account, and not in the account of the enduser. Why on earth he would want to do that anyway.
I digged into Oauth a couple weeks ago, as the Twitter integration in my website was - of course - not working anymore.
After 2 weeks of testing, my application easily integrates into Twitter, Foursquare and LinkedIN. Oauth initially gave me headaches, after you write a decent frontend for it, it works fine and opens a lot more doors!
I now use 1 single script to add applications, generate/get/store consumer/access/token keys/secrets and post to Twitter/Foursquare.
Great cool extra functionality to show your own Application Name as well as the possibility to add geolocation to your tweets. I love it!
I added LinkedIN functionality just this morning in less than 5 minutes. I'm not going to use it probably, but it was worth the effort.
Seems that Facebook integration will take another approach for me as they use Oauth V2 instead of V1.
Once you go Oauth, you stay there!
A good tip for people starting with Oauth, watch out for your variable names. I cannot count how many times I wrongly typed 'oath' in my scripts rather than 'oauth'