Mobasoft,

Rest assured we will make an announcement when OAuth support is restored.

Doug Williams
Twitter API Support
http://twitter.com/dougw

On Thu, Apr 23, 2009 at 12:42 PM, Mobasoft <[email protected]> wrote:
>
> @mzsanford
>
> Thanks Matt, no matter what all these other Yahoo's are saying about
> you, it's appreciated!
>
> (j/k to all you Yahoo's) ;^)
>
> -Michael
>
> p.s. Is OAuth back on yet? I'd hate to see it start getting the
> nickname of NOAuth.
>
>
> On Apr 23, 1:43 pm, Chad Etzel <[email protected]> wrote:
> > On Thu, Apr 23, 2009 at 2:35 PM, Dossy Shiobara <[email protected]> wrote:
> >
> > > On 4/23/09 11:33 AM, Chad Etzel wrote:
> >
> > >> On Thu, Apr 23, 2009 at 11:19 AM, Dossy Shiobara<[email protected]>
> > >> wrote:
> >
> > >>> An attacker can't get in the middle of an
> > >>> application communicating to Twitter using HTTP Basic Auth.
> >
> > >> WRONG. Anyone doing any sort of packet sniffing could easily get
> > >> user/pass combos at will. Wireless promiscuous mode + WireShark =
> > >> instant account hacking. This, of course, holds true only for http
> > >> transactions (and not https transactions), but there are a good number
> > >> of clients/apps that don't use the https endpoints.
> >
> > > Packet sniffing as an attack vector is significantly more difficult to
> > > achieve than the OAuth attack is. Defend against the more likely threats
> > > before worrying about the less likely ones.
> >
> > I wholeheartedly disagree. Sit in a tech conference room with a
> > laptop and sniff away at least a hundred accounts in under 5 minutes.
> > I'm not saying I've done it, but I'm not saying I haven't, either....
> >
> >
> >
> > >> Man in the middle attacks are certainly possible with Basic Auth as
> > >> well. They just eat the original request, steal the user/pass combo,
> > >> and do whatever they want with it.
> >
> > > This is a standard phishing attack, and standard advice for anti-phishing
> > > applies here.
> >
> > No, phishing != man-in-the-middle. If I hack a router to intercept
> > all traffic headed toward twitter.com and then grok out the
> > credentials, this has nothing to do with social engineering or
> > phishing... I've just screwed your account, and you have no idea how.
> >
> > Obviously there are attack vectors with both methods, but I contend
> > that Basic Auth is much much much easier to attack than OAuth (even in
> > its current state, and even more so when it is upgraded/patched to deal
> > with this new vector).
> >
> > -Chad
>
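
As an added illustration of the Basic Auth versus OAuth point argued in the thread above (not code from any participant or from Twitter), this Python sketch compares what the `Authorization` header of a plain-HTTP request discloses under each scheme. The endpoint, keys, secrets and helper names are constructed assumptions, and the OAuth 1.0 HMAC-SHA1 signing here covers only the `oauth_*` parameters.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def enc(s):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(s, safe="-._~")

def basic_header(user, password):
    # Basic Auth is base64("user:password"): an encoding, not encryption.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def oauth_header(method, url, params, consumer_secret, token_secret):
    # Base string: METHOD & encoded URL & encoded, sorted parameters.
    norm = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), enc(url), enc(norm)])
    # The two secrets form the HMAC key; they are never transmitted.
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    sig = base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()
    fields = dict(params, oauth_signature=sig)
    return "OAuth " + ", ".join(f'{k}="{enc(v)}"' for k, v in sorted(fields.items()))

def exposed_on_the_wire(header):
    """What the Authorization header of an unencrypted request discloses."""
    scheme, _, value = header.partition(" ")
    if scheme.lower() == "basic":
        user, _, password = base64.b64decode(value).decode().partition(":")
        return {"scheme": "basic", "user": user, "password": password}
    if scheme.lower() == "oauth":
        names = [p.strip().split("=", 1)[0] for p in value.split(",")]
        return {"scheme": "oauth", "fields": sorted(names)}
    return {"scheme": scheme.lower()}

# Constructed sample values; none are real credentials or endpoints.
URL = "http://api.example.test/statuses/update.json"
CONSUMER_SECRET, TOKEN_SECRET = "constructed-consumer-secret", "constructed-token-secret"
PARAMS = {
    "oauth_consumer_key": "constructed-consumer-key",
    "oauth_token": "constructed-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1240500000",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_version": "1.0",
}
BASIC = basic_header("alice", "constructed-password")
OAUTH = oauth_header("POST", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)

if __name__ == "__main__":
    print(exposed_on_the_wire(BASIC))
    print(exposed_on_the_wire(OAUTH))
```

Either scheme still needs HTTPS to protect the rest of the request; the signature only keeps the long-term secrets out of the header.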
