Hi Gustavo et al,
This is the problem with re-use systems like both Basic Auth and
the FriendFeed token system. Every application uses the same token so
you turn them all off at once (like a password change). Even if we
give out one key per application (like OAuth) your requests can be
intercepted and the credentials re-used (unless SSL is required). This
sort of re-use is not a problem in OAuth where requests are signed
using a secret and include a time stamp and a random value (nonce).
Since the nonce can't be re-used this even guards against replay
attacks.
I know OAuth is hard. I've implemented the server side, a Scala
test library and a sample Rails app (blog post coming soon). Having
said that, all of the times I've wondered why it has to be so
difficult I've come up with an attack scenario that means that part
can't be dropped. I want to try and keep up Basic Auth as long as it's
needed, but on the other hand I don't want to be like Microsoft who
keep around LANMAN as an attack vector for years on end. It's a tough
balance between encouraging developers and protecting our users.
Thanks;
— Matt
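The signed-request check Matt describes above (a secret-keyed signature plus a timestamp and a one-time nonce, so an intercepted request cannot simply be resent), as an added example that is not part of this thread or of Matt's own server code. It uses a simplified signature base string rather than the full OAuth 1.0 percent-encoding rules, and the consumer key, secret, URL and parameters are constructed.

```python
import hmac, hashlib, time
from urllib.parse import quote

# Simplified OAuth-1.0-style signing (constructed example; the real spec
# percent-encodes every parameter name and value before joining them).
def base_string(method, url, params):
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return "&".join(quote(x, safe="") for x in (method.upper(), url, canonical))

def sign(secret, method, url, params):
    key = (secret + "&").encode()   # consumer_secret&token_secret; token part empty here
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).hexdigest()
    return dict(params, oauth_signature=digest)

class Verifier:
    def __init__(self, secrets, window=300):
        self.secrets = secrets   # consumer_key -> consumer_secret
        self.window = window     # accepted clock skew in seconds
        self.seen = set()        # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, signed, now=None):
        now = time.time() if now is None else now
        params = {k: v for k, v in signed.items() if k != "oauth_signature"}
        key = params.get("oauth_consumer_key")
        secret = self.secrets.get(key)
        if secret is None:
            return "unknown consumer"
        ts = int(params.get("oauth_timestamp", 0))
        if abs(now - ts) > self.window:
            return "stale timestamp"        # old captures are useless even with a fresh nonce
        replay_key = (key, ts, params.get("oauth_nonce"))
        if replay_key in self.seen:
            return "replayed nonce"         # an exact resend of an accepted request
        expected = sign(secret, method, url, params)["oauth_signature"]
        if not hmac.compare_digest(expected, signed.get("oauth_signature", "")):
            return "bad signature"          # any change to method, URL or params breaks it
        self.seen.add(replay_key)
        return "ok"
```

Contrast this with Basic Auth or a static per-app key, where the same captured header authenticates every later request until the credential is rotated.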
On Feb 5, 2009, at 10:13 AM, Gustavo Melo wrote:
So, what happens if this third party exposes this generated key to
other apps? Will they access your account too?
If this key can only be used for one app (maybe locked to one IP), will
the user always need to generate a new key for each app? (Go to the
Twitter page, log in, access New Keys, generate a new key, and give it
to the app.)
On Thu, Feb 5, 2009 at 10:37 AM, Ninjamonk
<[email protected]> wrote:
Have you guys considered maybe tweaking the basic auth system to
something like what FriendFeed has?
Each user could be given a third-party-system-generated key to use
instead of a password, and then basic auth could still be used and not
tied to the system password.
If the user felt their account had been compromised by an app they
could just generate a new code, and this would also protect the user's
account from hijacking.
I know you don't want to have 2 different systems for auth but this
could be used for legacy apps and for use cases like funkatron
mentioned earlier in the thread.
Cheers
--
Developer Analyst
www.espacodj.com