Comments on: OAuth and Twitter: Realistic expectations http://stut.net/2009/01/24/oauth-and-twitter-realistic-expectations/ Ramblings of a random software engineer Fri, 12 Mar 2010 17:55:38 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Stut http://stut.net/2009/01/24/oauth-and-twitter-realistic-expectations/comment-page-1/#comment-8300 Stut Sat, 24 Jan 2009 20:12:39 +0000 http://stut.net/blog/?p=326#comment-8300 Thanks for your comment Till. Hopefully OAuth will only bring good things for Twitter. Thanks for your comment Till. Hopefully OAuth will only bring good things for Twitter.

]]> By: till http://stut.net/2009/01/24/oauth-and-twitter-realistic-expectations/comment-page-1/#comment-8299 till Sat, 24 Jan 2009 19:49:32 +0000 http://stut.net/blog/?p=326#comment-8299 Hey there! Thanks for letting me know when you posted and I must say that I share or see your concerns. You are right that people mistake OAuth for the ultimate solution to all the security problems. On the other hand, I think we need to cut them some slack too. For example -- we both understand that OAuth is meant for authorization and not a fine grained control panel for data and account properties. I'm not sure how much time you spent on OpenSocial in general and all the authorization, login and other data portability stuff but I can't really keep up with what is provided and more important, who's really implementing it all. In my opinion, providing OAuth is most def. a step into the right direction. Because you should not be handing out your account credentials to third party applications, whatever their motives might be. And of course OAuth still doesn't protect you if you select a weak password, or if you are using the same password on different websites and one of them saves them unprotected and the data is comprimised. Most of those recent events could not have been avoided with OAuth. In terms of data access control, a perfect example of how things should be is Yahoo!'s Fire Eagle. You select which of the apps can read and/or write to your account, and you have to re-confirm the sharing of your location every six months (or so, depending on your settings). On the bright side, even though Twitter is not mainstream I hope that due to the press that OAuth receives and due to it being rolled out on many other websites lately, people actually think about handing out their credentials first. In Web2 it's all about users and a user account. So for me that sounds like it is all about power to the people -- they could demand a solution, such as OAuth. If you look at the reality though -- a bunch of very-early adopters and developers demanded OAuth for so long. Not the average Twitter user. In the end, with the access you grant to an application to your account via OAuth I find it maybe not secure'r but issues can be handled -- e.g. I imagine Twitter can track which applications send spam through the API and shut it down and remove the spam on people's patches. Granting access is trust and if you can't trust an application, maybe you should create a dummy Twitter account to play with it or not use it all together. There's obviously not so much anyone can do to prevent abuse, but there are lots of measures that can be taken as an action when it happened. Cheers, Till Hey there!

Thanks for letting me know when you posted and I must say that I share or see your concerns. You are right that people mistake OAuth for the ultimate solution to all the security problems.

On the other hand, I think we need to cut them some slack too.

For example — we both understand that OAuth is meant for authorization and not a fine grained control panel for data and account properties. I’m not sure how much time you spent on OpenSocial in general and all the authorization, login and other data portability stuff but I can’t really keep up with what is provided and more important, who’s really implementing it all.

In my opinion, providing OAuth is most def. a step into the right direction. Because you should not be handing out your account credentials to third party applications, whatever their motives might be.

And of course OAuth still doesn’t protect you if you select a weak password, or if you are using the same password on different websites and one of them saves them unprotected and the data is comprimised.

Most of those recent events could not have been avoided with OAuth.

In terms of data access control, a perfect example of how things should be is Yahoo!’s Fire Eagle. You select which of the apps can read and/or write to your account, and you have to re-confirm the sharing of your location every six months (or so, depending on your settings).

On the bright side, even though Twitter is not mainstream I hope that due to the press that OAuth receives and due to it being rolled out on many other websites lately, people actually think about handing out their credentials first. In Web2 it’s all about users and a user account. So for me that sounds like it is all about power to the people — they could demand a solution, such as OAuth.

If you look at the reality though — a bunch of very-early adopters and developers demanded OAuth for so long. Not the average Twitter user.

In the end, with the access you grant to an application to your account via OAuth I find it maybe not secure’r but issues can be handled — e.g. I imagine Twitter can track which applications send spam through the API and shut it down and remove the spam on people’s patches.

Granting access is trust and if you can’t trust an application, maybe you should create a dummy Twitter account to play with it or not use it all together. There’s obviously not so much anyone can do to prevent abuse, but there are lots of measures that can be taken as an action when it happened.

Cheers,
Till

]]>