To be fair, OAuth is better for the user, security-wise, because they
never have to provide their Twitter credentials to your application.
Basic Auth also provides no way to know that the application is
actually who it says it is. OAuth is far from perfect on this front,
but it's light-years ahead of Basic.
I'm just as agitated about this as anyone, because I think that
Twittter's behavior in this specific instance has been sub-par.
However, OAuth is still far more secure than Basic Auth
On Jul 28, 7:27 am, chinaski007 <chinaski...@gmail.com> wrote:
> Let's be honest...
> The end-result for third-party developers using OAuth appears to be
> fewer sign-ups, less reliability, more complexity, and potentially
> less security.
> Google Optimizer reveals that users are more likely to sign-up for
> Basic Auth than OAuth. That's just fact. Test it for yourself to
> I suppose this is not so weird. Users are accustomed to giving user/
> pass information even to "foreign" apps. It is far more disruptive
> and invasive for them to go to some bizarre Twitter screen asking them
> to "approve an app". To the average user, what does that mean? (And,
> heck, it may even require more steps if they have to login again to
> In terms of reliability, Twitter OAuth was down for days several weeks
> ago. Tonight yet another unannounced change occurred that broke major
> code libraries. Meanwhile, Basic Auth has been plugging along just
> fine and dandy...
> So what IS the benefit of OAuth?
> It doesn't benefit developers as you will likely get more sign-ups
> with Basic Auth and Basic Auth is far, far easier to setup. Sure,
> OAuth might satisfy some power users hungry for security...
> But is OAuth even more secure than Basic Auth?
> Perhaps not. After all, tonight's fix was for an OAuth security flaw
> known for at least 10+ days (judging by tweets to @twitterapi) that
> allowed for potential impersonations of credentialed users.
> On the heels of Twitter's (unofficial) assurance of better
> communication with developers, this sort of unannounced change is
> distressing. What's next? (Have Labor Day Weekend plans? You might
> want to cancel those... just the right time for Twitter to make an
> unannounced API change!)
> As for us, we are in the strange position of deprecating OAuth in
> favor of Basic Auth.
> Weird, eh??
> Okay, we are not totally deprecating OAuth, but we are advising users
> that Basic Auth is far more robust and reliable.
> And so our message to new developers: avoid OAuth like the plague. If
> you must, offer it. But let Basic Auth be your backbone: more
> reliable, more sign-ups, simpler, and probably just as secure. (Just
> look at Google Code bug reports about OAuth to get a sense of
> (Okay, okay, this post was written at 4am after a workday that started
> at 8am, and after Twitter introduced this new change at 5pm... (hey
> Twitter, can you introduce major new changes EARLIER in the day so we
> can react!?!?)... it still doesn't excuse Twitter's continued
> disregard for the small-to-medium size developer.)