Comments on: Twitter is wrong: should not drop httpS basic auth /2010/06/11/twitter-is-wrong-should-not-drop-https-basic-auth/ Fucked Up Beyond All Recognition Sat, 11 Dec 2010 20:24:01 +0000 hourly 1 By: Identi.ca Updates for 2010-06-12 « FU-BAR /2010/06/11/twitter-is-wrong-should-not-drop-https-basic-auth/comment-page-1/#comment-1185 Sun, 13 Jun 2010 02:25:10 +0000 /?p=867#comment-1185 […] read my analysis here: /2010/06/11/twitter-is-wrong-should-not-drop-https-basic-auth/ […]

]]> By: Tweets that mention Twitter is wrong: should not drop httpS basic auth « FU-BAR -- Topsy.com /2010/06/11/twitter-is-wrong-should-not-drop-https-basic-auth/comment-page-1/#comment-1183 Fri, 11 Jun 2010 13:33:31 +0000 /?p=867#comment-1183 […] This post was mentioned on Twitter by Rui Seabra, Dino Morelli. Dino Morelli said: RT @RuiSeabra New blog post: Twitter is wrong: should not drop httpS basic auth http://ur1.ca/06tno […]

]]> By: Rui Seabra /2010/06/11/twitter-is-wrong-should-not-drop-https-basic-auth/comment-page-1/#comment-1182 Fri, 11 Jun 2010 13:20:26 +0000 /?p=867#comment-1182 I have no problem with the need to register, I have a problem with implementing a complex and useless “fake security” method that then others can exploit in my behalf to do harm to others in my name.

I have a problem, also, that Twitter wants to make that mandatory from June 30 onwards.

]]> By: Luciano Rocha /2010/06/11/twitter-is-wrong-should-not-drop-https-basic-auth/comment-page-1/#comment-1181 Fri, 11 Jun 2010 12:14:12 +0000 /?p=867#comment-1181 Ah, I see. You don’t want to have to request a key for your application, and then have that key visible to the world. Well, if you must have an approved app key before doing the auth, then that’s useless for non-web apps.

]]> By: Rui Seabra /2010/06/11/twitter-is-wrong-should-not-drop-https-basic-auth/comment-page-1/#comment-1180 Fri, 11 Jun 2010 12:01:24 +0000 /?p=867#comment-1180 It’s not about user security, it’s about application security. oauth/xauth is bullshit security for client applications.

]]> By: Luciano Rocha /2010/06/11/twitter-is-wrong-should-not-drop-https-basic-auth/comment-page-1/#comment-1179 Fri, 11 Jun 2010 11:46:00 +0000 /?p=867#comment-1179 From the xauth page:

This one method then returns you the authorised access tokens in the same way the same method does for OAuth. You should store the tokens as they do not expire, and reuse the tokens for any subsequent API calls. The password can effectively be forgotten after the authorised access tokens are received (unless you need them for third party sites such as TwitPic etc..).

So it is more secure than plain baisc auth, in that the user credentials aren’t stored by the application, only the negotiated tokens. If they are captured by a third party, that party will be able to impersonate the user as far as posting and reading is concerned. But the fact that only token is stored allows the user to revoke those permissions without worrying about having lost his password.

Regardless, xauth should work also via HTTPS, right?

As far as the user is concerned, a dialog asking for username and password still pops up, but then the negotiation is done without his knowing.

]]>