About the first point, this will just keep happening. The only difference is
that instead of have their credential stolen, they will have their token
stolen. Then, spammers, for example, will use this tokens to send a lot of
spam messages, or do whatever they want. When the user notice it will be too
late.The damage will be done.
Spammers can just provide a simple site, like those test sites around, for
example, and collect a lot of request token before send the spams.
But it is ok, the user can just block this application without changing the
password. That is very nice.


there will be applications asking for username and password even if twitter
do not support basic authentication anymore. And we can try to "educate" our
users, but, as far as I know all Banks are trying to do this for some couple
of years without success.

The main problem here is that the security breach of all systems is the
user. And unfortunately we can not change them as fast as we can change our
codes. :-(

That is just my opinion and i´m a little "out of date" within oauth. I like
the idea but think that the current flow is very poor for mobile and
embedded devices.

Otávio Ribeiro

On Fri, Jul 31, 2009 at 9:18 AM, Duane Roelands <duane.roela...@gmail.com>wrote:

> "With basic auth you are aware of the fact you are giving application
> credentials, so are able to make thoughtful decision."
> This is not supported by the evidence, as thousands of people
> "thoughtfully" gave their Twitter credentials to TwitViewer and got
> their accounts stolen.
> "With OAuth you (ordinary user) are not aware of the fact that you
> give application credentials"
> This is incorrect.  WIth OAuth, you don't give your credentials to
> anyone except Twitter.
> It's a bad idea to give your account credentials to a third party.
> Basic Auth forces you to give your account credentials to a third
> party.
> Therefore, using Basic Auth is a bad idea.
> On Jul 31, 8:09 am, Nicole Simon <nee...@gmail.com> wrote:
> > I am surprised nobody is bringing up these too points:
> >
> > - people will use the more secure thing once they are educated. you know
> the
> > kind of stuff where you tell the people you support that they will not
> get
> > tech support any more if they do this.
> >
> > - the argument about 'having to agree on something' is not as bad as it
> > sound because they do it every day on facebook. The one thing I do mind
> that
> > even I always have to search aruond to find the place where my apps are
> > located.
> >
> > Nicole
> >
> > ~~~
> >
> > --
> > Jetzt im Buchhandel:
> > "Twitter - Mit 140 Zeichen zum Web 2.0"
> > Amazon:http://tinyurl.com/6at9c5
> >
> > http://mit140zeichen.de-http://twitter.com/m140z
> >
> > Kontakt:
> http://twitter.com/NicoleSimonhttps://www.xing.com/profile/Nicole_Simon
> >
> > skype: nicole.simon / mailto:nicole.si...@mit140zeichen.de
> > phone: +49 451 899 75 03 / mobile: +49 179 499 7076

Reply via email to