OAuth isn't perfect yet.  However, it is better from one stand point:
If I sign up for a website or program with my twitter password, and it
does bad things, I have to change my password in EVERY twitter program
I use.  With OAuth, I can just block your app.

On Jul 28, 9:08 am, Duane Roelands <duane.roela...@gmail.com> wrote:
> To be fair, OAuth is better for the user, security-wise, because they
> never have to provide their Twitter credentials to your application.
> Basic Auth also provides no way to know that the application is
> actually who it says it is.  OAuth is far from perfect on this front,
> but it's light-years ahead of Basic.
>
> I'm just as agitated about this as anyone, because I think that
> Twittter's behavior in this specific instance has been sub-par.
> However, OAuth is still far more secure than Basic Auth
>
> On Jul 28, 7:27 am, chinaski007 <chinaski...@gmail.com> wrote:
>
> > Let's be honest...
>
> > The end-result for third-party developers using OAuth appears to be
> > fewer sign-ups, less reliability, more complexity, and potentially
> > less security.
>
> > Google Optimizer reveals that users are more likely to sign-up for
> > Basic Auth than OAuth.  That's just fact.  Test it for yourself to
> > confirm.
>
> > I suppose this is not so weird.  Users are accustomed to giving user/
> > pass information even to "foreign" apps.  It is far more disruptive
> > and invasive for them to go to some bizarre Twitter screen asking them
> > to "approve an app".  To the average user, what does that mean?  (And,
> > heck, it may even require more steps if they have to login again to
> > Twitter.)
>
> > In terms of reliability, Twitter OAuth was down for days several weeks
> > ago.  Tonight yet another unannounced change occurred that broke major
> > code libraries.  Meanwhile, Basic Auth has been plugging along just
> > fine and dandy...
>
> > So what IS the benefit of OAuth?
>
> > It doesn't benefit developers as you will likely get more sign-ups
> > with Basic Auth and Basic Auth is far, far easier to setup.  Sure,
> > OAuth might satisfy some power users hungry for security...
>
> > But is OAuth even more secure than Basic Auth?
>
> > Perhaps not.  After all, tonight's fix was for an OAuth security flaw
> > known for at least 10+ days (judging by tweets to @twitterapi) that
> > allowed for potential impersonations of credentialed users.
>
> > On the heels of Twitter's (unofficial) assurance of better
> > communication with developers, this sort of unannounced change is
> > distressing.  What's next?  (Have Labor Day Weekend plans?  You might
> > want to cancel those... just the right time for Twitter to make an
> > unannounced API change!)
>
> > As for us, we are in the strange position of deprecating OAuth in
> > favor of Basic Auth.
>
> > Weird, eh??
>
> > Okay, we are not totally deprecating OAuth, but we are advising users
> > that Basic Auth is far more robust and reliable.
>
> > And so our message to new developers: avoid OAuth like the plague.  If
> > you must, offer it.  But let Basic Auth be your backbone: more
> > reliable, more sign-ups, simpler, and probably just as secure.  (Just
> > look at Google Code bug reports about OAuth to get a sense of
> > reliablity.)
>
> > (Okay, okay, this post was written at 4am after a workday that started
> > at 8am, and after Twitter introduced this new change at 5pm... (hey
> > Twitter, can you introduce major new changes EARLIER in the day so we
> > can react!?!?)... it still doesn't excuse Twitter's continued
> > disregard for the small-to-medium size developer.)

Reply via email to