About the first point, this will just keep happening. The only difference is that instead of having their credentials stolen, they will have their token stolen. Then spammers, for example, will use these tokens to send a lot of spam messages, or do whatever they want. When the user notices, it will be too late. The damage will be done. Spammers can just provide a simple site, like those test sites around, for example, and collect a lot of request tokens before sending the spam. But it is ok, the user can just block this application without changing the password. That is very nice.
Second, there will be applications asking for username and password even if Twitter does not support basic authentication anymore. And we can try to "educate" our users, but, as far as I know, all banks have been trying to do this for a couple of years without success. The main problem here is that the security breach of all systems is the user. And unfortunately we cannot change them as fast as we can change our code. :-(

That is just my opinion and I'm a little "out of date" with OAuth. I like the idea but think that the current flow is very poor for mobile and embedded devices.

regards,
Otávio Ribeiro

On Fri, Jul 31, 2009 at 9:18 AM, Duane Roelands <[email protected]> wrote:
>
> "With basic auth you are aware of the fact you are giving application
> credentials, so are able to make thoughtful decision."
> This is not supported by the evidence, as thousands of people
> "thoughtfully" gave their Twitter credentials to TwitViewer and got
> their accounts stolen.
>
> "With OAuth you (ordinary user) are not aware of the fact that you
> give application credentials"
> This is incorrect. With OAuth, you don't give your credentials to
> anyone except Twitter.
>
> It's a bad idea to give your account credentials to a third party.
> Basic Auth forces you to give your account credentials to a third
> party.
> Therefore, using Basic Auth is a bad idea.
>
> On Jul 31, 8:09 am, Nicole Simon <[email protected]> wrote:
> > I am surprised nobody is bringing up these two points:
> >
> > - people will use the more secure thing once they are educated. you know the
> > kind of stuff where you tell the people you support that they will not get
> > tech support any more if they do this.
> >
> > - the argument about 'having to agree on something' is not as bad as it
> > sounds because they do it every day on facebook. The one thing I do mind that
> > even I always have to search around to find the place where my apps are
> > located.
> >
> > Nicole
> >
> > ~~~
> >
> > --
> > Now in bookstores:
> > "Twitter - Mit 140 Zeichen zum Web 2.0"
> > Amazon: http://tinyurl.com/6at9c5
> >
> > http://mit140zeichen.de - http://twitter.com/m140z
> >
> > Contact:
> > http://twitter.com/NicoleSimon
> > https://www.xing.com/profile/Nicole_Simon
> >
> > skype: nicole.simon / mailto:[email protected]
> > phone: +49 451 899 75 03 / mobile: +49 179 499 7076
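The property the thread keeps circling back to, that a stolen per-application token can be cut off by blocking that one application while the password and every other application keep working, is easy to see in a small model. The following is an added illustration, not code from this thread, from Twitter, or from any OAuth library: it issues tokens bound to a (user, app) pair, records posts per token, flags an application whose posting rate for a user looks like a spam burst, and revokes only that application's tokens. The user names, app names, timestamps and the burst threshold are all constructed for the example.

```python
"""Added illustration: per-application access tokens with burst detection and
per-app revocation. Every value below (users, app names, timestamps, threshold)
is constructed for the example; none of it comes from the thread or from Twitter.
"""
from collections import defaultdict
import secrets

# Constructed threshold (an assumption for the example, not a Twitter rule):
# more than this many posts by one app for one user inside a window is a burst.
BURST_THRESHOLD = 20


class TokenService:
    """Issues tokens bound to (user, app) and lets a user block a single app."""

    def __init__(self):
        self._tokens = {}                 # token -> (user, app)
        self._revoked = set()             # tokens no longer accepted
        self._posts = defaultdict(list)   # (user, app) -> list of post timestamps

    def issue(self, user, app):
        """Issue a fresh random token for this user/app pair."""
        token = secrets.token_hex(16)
        self._tokens[token] = (user, app)
        return token

    def resolve(self, token):
        """Return (user, app) for a live token, or None if unknown or revoked."""
        if token in self._revoked:
            return None
        return self._tokens.get(token)

    def post(self, token, ts):
        """Record a post made with `token` at time `ts`; False if the token is not valid."""
        ident = self.resolve(token)
        if ident is None:
            return False
        self._posts[ident].append(ts)
        return True

    def burst_apps(self, user, window, now):
        """Apps that posted more than BURST_THRESHOLD times for `user` in the last `window` seconds."""
        flagged = []
        for (u, app), stamps in self._posts.items():
            if u != user:
                continue
            recent = [t for t in stamps if now - window < t <= now]
            if len(recent) > BURST_THRESHOLD:
                flagged.append(app)
        return sorted(flagged)

    def revoke_app(self, user, app):
        """Block one application: every token it holds for `user` stops working.
        The user's password and the tokens of other apps are untouched."""
        count = 0
        for token, ident in self._tokens.items():
            if ident == (user, app) and token not in self._revoked:
                self._revoked.add(token)
                count += 1
        return count


def demo():
    """Constructed scenario: one well-behaved client and one app that bursts spam."""
    svc = TokenService()
    good = svc.issue("alice", "phone-client")            # constructed app name
    bad = svc.issue("alice", "free-followers-site")      # constructed abusive app
    for t in range(5):
        svc.post(good, t)
    for t in range(30):
        svc.post(bad, t)
    flagged = svc.burst_apps("alice", window=60, now=60)
    revoked = sum(svc.revoke_app("alice", app) for app in flagged)
    return {
        "flagged": flagged,
        "revoked_tokens": revoked,
        "bad_still_works": svc.post(bad, 61),    # False: its token was revoked
        "good_still_works": svc.post(good, 61),  # True: other app is unaffected
    }


if __name__ == "__main__":
    print(demo())
```

The contrast with basic authentication is in `revoke_app`: because each token names the application that holds it, the service can stop one abuser without touching anything else, whereas a shared password, once leaked, can only be recovered by changing it everywhere.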
