I think the caricature of OAuth there should be taken with a grain of
salt. The author talks about "OAuth", but seems to be referring to
OAuth 2 primarily, which is very different from OAuth 1. Also, the
author says that the protocol was designed for authorizing
website-to-website communication, but then says it's insecure in a
desktop app environment, which it is. They also point to the (very
good) article about using OAuth for authentication, which again, the
protocol was not designed for.

So yes, if you don't use the protocol in the way it's intended,
absolutely it's insecure. The same can be said for AES encryption
(like if you use it in CBC mode to protect predictable messages).
Should you trust a system just because it's using OAuth? Definitely
not. But is it insecure just because it's using OAuth? I would say no.
If you disagree, you can even get paid if you can find a flaw in
Facebook's implementation, so you should take them up on it :)
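The "OAuth was not designed for authentication" point above is easiest to see in code. The following is an added example, not code from this thread or from any project mentioned in it. It assumes a toy in-memory authorization server whose introspection response is shaped like RFC 7662, and constructed client names ("third-party-app", "our-app") and a constructed user "alice". It contrasts a login handler that treats any valid access token as proof of identity with one that first checks the token was issued to this client.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AuthorizationServer:
    """Toy OAuth 2 authorization server (assumption for this example):
    issues opaque access tokens and answers introspection queries whose
    shape is modelled on RFC 7662 ({"active": bool, "sub", "client_id", ...})."""
    _tokens: dict = field(default_factory=dict)

    def issue_token(self, subject: str, client_id: str, scope: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"sub": subject, "client_id": client_id, "scope": scope}
        return token

    def introspect(self, token: str) -> dict:
        meta = self._tokens.get(token)
        if meta is None:
            return {"active": False}
        return {"active": True, **meta}


def naive_login(auth_server: AuthorizationServer, token: str) -> Optional[str]:
    """Misuse: reads 'this is a valid access token for user X' as
    'whoever presents it is user X'. A token the user granted to ANY
    other client would be accepted here as a login for that user."""
    info = auth_server.introspect(token)
    if info["active"]:
        return info["sub"]
    return None


def checked_login(auth_server: AuthorizationServer, token: str,
                  expected_client_id: str) -> Optional[str]:
    """Mitigation: treat the token as evidence of identity only if it was
    issued to this client (audience restriction). A token issued to a
    different app proves nothing about who is holding it now."""
    info = auth_server.introspect(token)
    if not info["active"]:
        return None
    if info["client_id"] != expected_client_id:
        return None
    return info["sub"]


def demo() -> dict:
    """Constructed scenario: alice authorised some third-party app, so that
    app holds a token for her; she also signed in to our app directly."""
    auth = AuthorizationServer()
    foreign = auth.issue_token("alice", "third-party-app", "read")
    ours = auth.issue_token("alice", "our-app", "read")
    return {
        "naive_accepts_foreign_token": naive_login(auth, foreign),          # "alice"
        "checked_rejects_foreign_token": checked_login(auth, foreign, "our-app"),  # None
        "checked_accepts_own_token": checked_login(auth, ours, "our-app"),  # "alice"
    }


if __name__ == "__main__":
    print(demo())
```

The check on `client_id` is the minimum; a real deployment would also verify token expiry and scope, and would use a protocol that actually carries an identity assertion (an ID token with an audience claim) rather than inferring identity from a bare access token.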
On Fri, Mar 22, 2013 at 9:11 AM, Tyler Romeo <tylerro...@gmail.com> wrote:
> Most of those concerns are valid. Daniel Friesen has managed to convince
> me that OAuth is absolutely horrible, and that we will probably have to
> make our own authentication framework.
>
> *-- *
> *Tyler Romeo*
> Stevens Institute of Technology, Class of 2015
> Major in Computer Science
> www.whizkidztech.com | tylerro...@gmail.com
>
>
> On Fri, Mar 22, 2013 at 11:59 AM, Yuri Astrakhan <yastrak...@wikimedia.org> wrote:
>
>> There was a discussion recently about OAuth, and I just saw this blog
>> post <http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html>
>> (posted on slashdot <http://tech.slashdot.org/story/13/03/22/1439235/a-truckload-of-oauth-issues-that-would-make-any-author-quit>)
>> with some heavy criticisms. I am not an expert in OAuth and do not yet have
>> a pro/against position, this is more of an FYI for those interested.
>>
>> --yurik
>> _______________________________________________
>> Wikitech-l mailing list
>> Wikitech-l@lists.wikimedia.org
>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
