OAuth isn't perfect yet. However, it is better from one stand point: If I sign up for a website or program with my twitter password, and it does bad things, I have to change my password in EVERY twitter program I use. With OAuth, I can just block your app.
On Jul 28, 9:08 am, Duane Roelands <[email protected]> wrote: > To be fair, OAuth is better for the user, security-wise, because they > never have to provide their Twitter credentials to your application. > Basic Auth also provides no way to know that the application is > actually who it says it is. OAuth is far from perfect on this front, > but it's light-years ahead of Basic. > > I'm just as agitated about this as anyone, because I think that > Twittter's behavior in this specific instance has been sub-par. > However, OAuth is still far more secure than Basic Auth > > On Jul 28, 7:27 am, chinaski007 <[email protected]> wrote: > > > Let's be honest... > > > The end-result for third-party developers using OAuth appears to be > > fewer sign-ups, less reliability, more complexity, and potentially > > less security. > > > Google Optimizer reveals that users are more likely to sign-up for > > Basic Auth than OAuth. That's just fact. Test it for yourself to > > confirm. > > > I suppose this is not so weird. Users are accustomed to giving user/ > > pass information even to "foreign" apps. It is far more disruptive > > and invasive for them to go to some bizarre Twitter screen asking them > > to "approve an app". To the average user, what does that mean? (And, > > heck, it may even require more steps if they have to login again to > > Twitter.) > > > In terms of reliability, Twitter OAuth was down for days several weeks > > ago. Tonight yet another unannounced change occurred that broke major > > code libraries. Meanwhile, Basic Auth has been plugging along just > > fine and dandy... > > > So what IS the benefit of OAuth? > > > It doesn't benefit developers as you will likely get more sign-ups > > with Basic Auth and Basic Auth is far, far easier to setup. Sure, > > OAuth might satisfy some power users hungry for security... > > > But is OAuth even more secure than Basic Auth? > > > Perhaps not. After all, tonight's fix was for an OAuth security flaw > > known for at least 10+ days (judging by tweets to @twitterapi) that > > allowed for potential impersonations of credentialed users. > > > On the heels of Twitter's (unofficial) assurance of better > > communication with developers, this sort of unannounced change is > > distressing. What's next? (Have Labor Day Weekend plans? You might > > want to cancel those... just the right time for Twitter to make an > > unannounced API change!) > > > As for us, we are in the strange position of deprecating OAuth in > > favor of Basic Auth. > > > Weird, eh?? > > > Okay, we are not totally deprecating OAuth, but we are advising users > > that Basic Auth is far more robust and reliable. > > > And so our message to new developers: avoid OAuth like the plague. If > > you must, offer it. But let Basic Auth be your backbone: more > > reliable, more sign-ups, simpler, and probably just as secure. (Just > > look at Google Code bug reports about OAuth to get a sense of > > reliablity.) > > > (Okay, okay, this post was written at 4am after a workday that started > > at 8am, and after Twitter introduced this new change at 5pm... (hey > > Twitter, can you introduce major new changes EARLIER in the day so we > > can react!?!?)... it still doesn't excuse Twitter's continued > > disregard for the small-to-medium size developer.)
