On Jul 31, 4:37 am, Duane Roelands <duane.roela...@gmail.com> wrote:

> OAuth lets you access the Twitter service without giving your Twitter
> credentials to anyone but Twitter.
> Basic Auth requires you to give your Twitter credentials to someone
> other than Twitter.
> Therefore, OAuth is more secure than Basic Auth.
> This is not rocket science.


I agree with Bradley. It's how you (the user) see the situation, but the
situation is not that way. You do give the password to the application (or
the application can take it if it wants). You are just fooling yourself,
and this makes security even worse. With basic auth you are aware of
the fact that you are giving the application credentials, so you are able
to make a thoughtful decision. With OAuth you (an ordinary user) are not
aware of the fact that you give the application credentials, so you are
under the wrong illusion that you may use any application and you are on
the safe side. In reality you give the application everything when you
install it on your computer. In this situation basic auth becomes more
secure because it shows the situation to the user as it is ("stupid! you
must trust any application you are installing!"), while OAuth panders to
security threats ("relax, you may think as if you may not trust the
application, because you are as if not giving it credentials").


--
Dmitriy V'jukov
