2009/9/17 Thaths <[email protected]>

> On Wed, Sep 16, 2009 at 10:27 PM, Kiran K Karthikeyan
> <[email protected]> wrote:
> > Yes, but if I can't trust my anti-virus software, and not my OS, and my job
> > is designing web applications, I don't have much choice do I?
>
> Actually, you do. See my earlier comment in this thread about OAuth.
> Never give a third party website your gmail password. Instead,
> authorize gmail to share your contacts (NOT password) with the third
> party website using the OAuth mechanism.
>
So instead of trusting my antivirus software which says that the site is secure and will not try to steal my data, I trust OAuth. I've heard about it, but never used it. I just had a look at the site and right there on the home page is this:

"An OAuth security issue has been identified <http://blog.oauth.net/2009/04/22/acknowledgement-of-the-oauth-security-issue/> and addressed in version 1.0a of the OAuth Core protocol <http://oauth.net/core/1.0a>. For a description of the problem, please refer to the advisory <http://oauth.net/advisories/2009-1>, issued on April 23, 2009."

Kiran
