1. Exquisite Tweets from @tomcoates, @weblivz, @bonaldi, @everyplace, @rsarver, @yoz, @kevinmarks

    Collected by blech

    Do you really want dozens of applications in the wild having access to your passwords? That's why Flickr Auth and OAuth were created.

    tomcoates

    Tom Coates

  2. @tomcoates agree - not to mention an overall architectural statement on where sign-on & authorization is going. Devs need to step up.

    weblivz

    steven

  3. @tomcoates They already vet the xAuth applicants. They could tame the wilds with OAuth without ruining trusted 3rd party clients.

    bonaldi

    Allan Donald

  4. @tomcoates @Foursquare required this for their v2 API, as did @fireeagle before it. Why is everyone upset about best practices?

    everyplace

    Erin Sparling

  5. Missing tweet: 71259801929252864

  6. @rodbegbie Yeah but people shouldn't really be doing in app auth like that unless you're already logged in.

    tomcoates

    Tom Coates

  7. Missing tweet: 71268839781969920

  8. @bonaldi How much can you vet them! Do you check other people's security systems?

    tomcoates

    Tom Coates

  9. @tomcoates as much as you can vet they're not fiddling with the OAuth webview. OAuth clients give me *nothing* beyond a worse experience.

    bonaldi

    Allan Donald

  10. @rodbegbie That's where approval processes do come in. Easy to check these things.

    tomcoates

    Tom Coates

  11. Missing tweet: 71270480904073216

  12. @bonaldi Untrue. It is significantly more secure in handling passwords, AND it gives you a worse experience.

    tomcoates

    Tom Coates

    @bonaldi We have to present this in a balanced way! Just because it's massively inelegant doesn't mean it's not also safer.

    tomcoates

    Tom Coates

    @bonaldi There is an actual choice to be made here between two options, neither of which is optimal. Business value versus bus/pers risk.

    tomcoates

    Tom Coates

    @rodbegbie Because approval processes can track a simple implementation of OAuth more easily than xAuth.

    tomcoates

    Tom Coates

  13. @rodbegbie @tomcoates "approve" is a broad word. we don't check source code of apps to see what they are doing with credentials

    rsarver

    Ryan Sarver

    @rodbegbie @tomcoates plus the main point is about consistent and clear notice to users about what they are being asked to grant to an app

    rsarver

    Ryan Sarver

    @rodbegbie @tomcoates approving & auditing every app that comes through won't scale. How happy will devs be when we can't approve them fast enough?

    rsarver

    Ryan Sarver

  14. @tomcoates I agree on the web, but in a native client where I don't even get a location bar and it can run a keylogger, it's just not safer.

    bonaldi

    Allan Donald

  15. Missing tweet: 71272222593003521

  16. @rsarver @rodbegbie True, and neither did we with FireEagle, but we did have clear terms of use and could shut down bad apps.

    tomcoates

    Tom Coates

    @rsarver @rodbegbie And while credentials are important and you can do a lot with them, it's not the same as having user name and password.

    tomcoates

    Tom Coates

  17. @rsarver agree - i think this is bigger than just twitter. It's about starting to nail arch of auth & authz at a deeper level than before.

    weblivz

    steven

  18. @bonaldi Yes it is, because if you're doing it correctly, you're being pushed out of the app into a browser.

    tomcoates

    Tom Coates

    @bonaldi you may still be vulnerable to system wide key loggers, but that's true of anything that uses a password.

    tomcoates

    Tom Coates

    @rodbegbie @rsarver And Facebook is like the paradigm of responsible data protection and privacy services....?

    tomcoates

    Tom Coates

  19. Missing tweet: 71273718730588160

  20. Missing tweet: 71274031717957632

  21. Missing tweet: 71274146100822016

  22. @tomcoates am talking about iOS clients here. There's no way to stop them getting your password if they want it. And they have your DMs, too.

    bonaldi

    Allan Donald

    @tomcoates most in-client OAuth uses webviews. Expecting devs to make clients two steps worse while Twitter app doesn't is even richer.

    bonaldi

    Allan Donald

  23. @rodbegbie @tomcoates this was one of the most requested things from users. How is it supposed to piss them off?

    rsarver

    Ryan Sarver

  24. @tomcoates ultimately, it's the disingenuousness that rankles. This offers nil for client security, but a lot for Twitter as business.

    bonaldi

    Allan Donald

  25. @bonaldi No! An iOS app can push you out to a browser to do your OAuth process, and return you to the app afterwards. Much more secure.

    tomcoates

    Tom Coates

    @bonaldi Twitter doesn't have to, because they own the app and can therefore trust it.

    tomcoates

    Tom Coates

  26. @tomcoates yes it *can*, but a malicious app doesn't *have* to, and a formerly xauth app won't want to. So nobody will. Security gain = nil

    bonaldi

    Allan Donald

  27. @bonaldi The only argument you can make here is that as a good faith gesture Twitter should use OAuth, which I can relate to.

    tomcoates

    Tom Coates

    @bonaldi Otherwise you're just saying that people should use an insecure system just because it's a bit easier.

    tomcoates

    Tom Coates

  28. @rodbegbie And how do they do that without spawning a fakeable web view?

    yoz

    Yoz Grahame

  29. @bonaldi That's JUST NOT TRUE. It DOES help app security and I have NO DOUBT that this is why Twitter is doing it.

    tomcoates

    Tom Coates

    @bonaldi We did exactly the same with @fireeagle's implementation of OAuth two years ago because it is the RIGHT THING TO DO.

    tomcoates

    Tom Coates

  30. Missing tweet: 71277028745285632

  31. @bonaldi And we KNEW it would damage our developer community, which was the last thing we wanted, but it was necessary.

    tomcoates

    Tom Coates

    @bonaldi Twitter can rescind privileges for apps that break their terms of service, and will no doubt do so if necessary.

    tomcoates

    Tom Coates

  32. @rodbegbie ... assuming that the FB app is installed, and the version for that phone supports that flow. There is no FB iPad app.

    yoz

    Yoz Grahame

  33. @tomcoates it *only* helps security on clients if devs play nice. Launching browser isn't in ToS. They should treat clients differently!

    bonaldi

    Allan Donald

  34. @bonaldi At which point, I expect another bunch of people to decry them for being unfair for doing precisely what they said they'd do.

    tomcoates

    Tom Coates

  35. Missing tweet: 71277681941037057

  36. @bonaldi @rsarver If launching a browser isn't in the TOS for Twitter it should be.

    tomcoates

    Tom Coates

  37. @tomcoates OK, so make 3rd party clients *massively* worse for tiny gain. Clients can already be revoked. On mobile, this is all business.

    bonaldi

    Allan Donald

  38. @rodbegbie ??? (Speaking as an employee of a company where our customers typing password into wrong place = $$$ defrauded)

    yoz

    Yoz Grahame

  39. Missing tweet: 71284179429621760

  40. Missing tweet: 71284443872116736

  41. @rodbegbie Those are all complementary, not replacements for OAuth.

    yoz

    Yoz Grahame

  42. Missing tweet: 71284949675814912

  43. Missing tweet: 71285107180314625

  44. @rodbegbie *and* to view/limit the capabilities granted when delegating authority. xAuth doesn't provide that.

    yoz

    Yoz Grahame

  45. Missing tweet: 71285750515249152

  46. @rodbegbie Why? That's one of the biggest fixes they've finally made! At last, use of OAuth is fully justified.

    yoz

    Yoz Grahame

  47. Missing tweet: 71286389123198976