Where end-user credentials are stored is entirely up to the end-user,
as is who they choose to share the information with.  OAuth does not
and cannot address this, as it shouldn't - and neither should Twitter.

When a user types their username/password on the Twitter authorization
screen, they are using someone's browser on someone's computer either
of which could harbor malicious software that could capture what was
typed, and are communicating these credentials over the open Internet
using at best nothing more than the https basic auth uses.  In
addition, "training" users to become accustomed to providing their
user credentials outside of their apps to requests made over the open
Internet makes them a lot more susceptible to phishing attacks.  How
exactly is this then "better" security than basic auth?

The only "real" advantage to using OAuth is more application access
control and protected shared user access between application
platforms.  There are no real tangible advantages for the end-user.
With basic auth, all an end-user had to do was tell the app their user
credentials.  With OAuth, they have to leave their app to tell
Twitter, wait for Twitter to tell their app, and then return to their
app to continue the process.

At least with XAuth, the user can continue to tell their app their
user credentials and have all this OAuth stuff handled behind the
curtain for them.

I understand the very compelling reasons why Twitter wants to convert
to universal OAuth access.  But let's quit spinning OAuth as this
"great new security enhancement technology" that will benefit end-users.
It's not.  It wasn't even meant to be.  It was just meant to
help the Twitters of the world communicate end-user information among
each other without having to share their end-users' credentials.


On Apr 26, 7:08 pm, Raffi Krikorian <ra...@twitter.com> wrote:
> > What's the latest schedule for increasing the allowed API call rate for
> > oAuth users? That seems to have been lost in the shuffle.
>
> unclear - we're actively working with our infrastructure and operations
> teams on capacity planning specifically so we can increase the rate limits.
>
> > Also, is there any advantage to xAuth over the desktop PIN oAuth scheme
> > (for a desktop application)? I'm putting together a proposal and can't see
> > any real advantage to it on the desktop, especially since I have the oAuth
> > code done, thanks to Marc Mims' Net::Twitter. ;-)
>
> personally, i would -love it-, if everybody just used the oauth web workflow
> so that none of you even see a user's username/password.  that would make
> the web more secure.  i'm even soliciting suggestions on what we could do to
> make the web workflow better.  i understand, however, that the PIN workflow
> can be off putting for some users.
>
> so, implementing oAuth instead of xAuth would make me happy - but i doubt
> that's a motivation for most developers.
>
> --
> Raffi Krikorian
> Twitter Platform Team
> http://twitter.com/raffi
>
> --
> Subscription settings: http://groups.google.com/group/twitter-development-talk/subscribe?hl=en
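The two workflows this thread contrasts, as an added Python example (not code from the post above, from Twitter, or from Net::Twitter): a minimal OAuth 1.0a HMAC-SHA1 signer following RFC 5849, used first for an xAuth access-token request (the one request that carries x_auth_username and x_auth_password as body parameters) and then for an ordinary API call that is signed with only the consumer key and the access token. The consumer key/secret, endpoint URLs, nonces and timestamps are assumed values chosen for the walk-through; nothing is sent over the network, and the "server" side is just the verify_request function recomputing the signature.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Assumed, made-up credentials and endpoints for the walk-through.
CONSUMER_KEY = "dpf43f3p2l4k3l03"
CONSUMER_SECRET = "kd94hf93k423kf44"
XAUTH_URL = "https://api.twitter.com/oauth/access_token"
API_URL = "https://api.twitter.com/1/statuses/home_timeline.json?count=5"


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters survive."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Lower-cased scheme and host, default port dropped, query and fragment removed."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host, _, port = p.netloc.lower().partition(":")
    default = {"http": "80", "https": "443"}.get(scheme)
    if port and port != default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path or '/'}"


def signature_base_string(method, url, oauth_params, body_params=()):
    """METHOD & enc(base URI) & enc(sorted, encoded query + body + oauth_* params)."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = [(pct(k), pct(v)) for k, v in [*query, *body_params, *oauth_params.items()]]
    normalized = "&".join(f"{k}={v}" for k, v in sorted(pairs))  # sort by name, then value
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(base, consumer_secret, token_secret=""):
    """Key is enc(consumer secret) & enc(token secret); token secret is empty before a token exists."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, nonce, timestamp, token="", token_secret="", body_params=()):
    """Client side: build the oauth_* parameters for one request and sign them."""
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce,  # fixed here for determinism; a real client uses secrets.token_hex(16)
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, oauth, body_params)
    oauth["oauth_signature"] = hmac_sha1(base, CONSUMER_SECRET, token_secret)
    return oauth


def verify_request(method, url, oauth, token_secret="", body_params=()):
    """Server side: recompute the signature from the received parameters, compare in constant time."""
    unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
    expected = hmac_sha1(signature_base_string(method, url, unsigned, body_params),
                         CONSUMER_SECRET, token_secret)
    return hmac.compare_digest(oauth.get("oauth_signature", ""), expected)


def xauth_token_request(username, password, nonce="n0", timestamp=1272326880):
    """Step 1 (xAuth): the only request that ever carries the user's password."""
    body = [("x_auth_mode", "client_auth"),
            ("x_auth_username", username),
            ("x_auth_password", password)]
    return sign_request("POST", XAUTH_URL, nonce, timestamp, body_params=body), body


def api_request(token, token_secret, nonce="n1", timestamp=1272326881):
    """Step 2: every later call is signed with the token secret; no password anywhere."""
    return sign_request("GET", API_URL, nonce, timestamp, token, token_secret)


def request_mentions_password(oauth, body_params, password):
    """True if the password appears among the parameters that would go on the wire."""
    return password in list(oauth.values()) + [v for _, v in body_params]


if __name__ == "__main__":
    oauth, body = xauth_token_request("alice", "hunter2")  # constructed sample user
    print("xAuth request carries password:", request_mentions_password(oauth, body, "hunter2"))
    api = api_request("tok123", "toksecret")  # assumed token returned by step 1
    print("API request carries password:  ", request_mentions_password(api, [], "hunter2"))
    print("API request verifies:          ", verify_request("GET", API_URL, api, "toksecret"))
```

With the web or PIN workflow the x_auth_* request does not exist at all; xAuth only replaces that one exchange, and everything after it is identical: the app holds a token secret that Twitter can revoke independently of the password, and each call is authenticated by an HMAC over the method, URI and parameters rather than by resending a credential.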
