Twitter is wrong: should not drop httpS basic auth

As some of you might know, I write a µ-blogging tool called elmdentica. It is a client-side application developed with Elementary, an EFL library oriented towards small touchscreen interfaces. I only recently learned that Twitter is dropping Basic Authentication support on the coming June 30th. They claim it’s insecure because:

  1. with http, credentials go in the clear (no problem here)
  2. with https, some people may think it’s too expensive (only complete idiots)
  3. applications have to store user credentials locally

As an alternative, they are making oauth mandatory for APIs that need authentication. While their reasoning may make sense in the context of massively concentrated web applications (think Twitpic and similar services), it is absurd for client applications like those running on your cell phone or computer.

Let’s take a look at the problem…

oauth gives you a consumer key and a consumer secret that authenticate your application. They don’t authenticate the user; they prove to Twitter that you’re a legitimate and registered application.

If both key and secret became public, anyone could make an application pretending to be yours. While someone making a clone of your program isn’t a real problem, if someone writes a trojan horse… then there could be a problem, no?

Well, with oauth, both key and secret need to be known by the application at run time. So at any given moment, the computer running your application will hold these two important assets, either because they are embedded in your code or because you download them live from a site. The fact remains: for all practical purposes, they are no longer secrets.

In web applications, no user has access to the only running copy of the software holding both key and secret, so oauth works there.
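The signing step that forces a client to hold the consumer secret, as an added example (not elmdentica’s or Twitter’s code; the URL, keys, token and parameter values are constructed): an OAuth 1.0a HMAC-SHA1 request signature as specified in RFC 5849. xauth changes only how the user’s token is obtained; it signs every request the same way, with the consumer secret as a key input.

```python
"""Added example: OAuth 1.0a HMAC-SHA1 request signing (RFC 5849).
Every signature is keyed with consumer_secret, so a client that signs
requests must hold the secret at run time; this is the post's point."""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    # RFC 5849 section 3.6: percent-encode everything except the
    # unreserved set ALPHA / DIGIT / "-" / "." / "_" / "~".
    return quote(str(value), safe="-._~")


def normalize_params(params):
    # Section 3.4.1.3.2: encode each pair, sort by key then value,
    # join as key=value pairs separated by '&'.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, params):
    # Section 3.4.1.1: METHOD & encoded(base URL) & encoded(params).
    return "&".join([method.upper(), pct(url), pct(normalize_params(params))])


def sign(method, url, params, consumer_secret, token_secret=""):
    # Section 3.4.2: the HMAC key is encoded(consumer_secret) '&'
    # encoded(token_secret). Without consumer_secret no valid
    # signature can be produced, whoever holds the user's token.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    digest = hmac.new(key, base, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


# Constructed sample request; hypothetical host and credentials.
URL = "https://example.invalid/statuses/update.json"
PARAMS = {
    "oauth_consumer_key": "client-app-key",
    "oauth_nonce": "abc123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1276000000",
    "oauth_token": "user-access-token",
    "oauth_version": "1.0",
    "status": "hello world",
}


def sign_sample(consumer_secret):
    # Same request, same user token; only the app secret varies.
    return sign("POST", URL, PARAMS, consumer_secret, "user-token-secret")


if __name__ == "__main__":
    print(signature_base_string("POST", URL, PARAMS))
    print(sign_sample("app-secret"))
```

Changing only the consumer secret changes the signature, which is why a client that ships (or fetches) the secret can be cloned by anyone who extracts it.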

What about xauth?

I haven’t read much about xauth, but after reading this page explaining what xauth is, I’m absolutely convinced the problem remains and wasn’t even tackled. The only issue that was solved, by requesting a user’s login and password only once, without the need for local storage or visiting a web page, was a usability issue for client applications.

The real problem is still there, so Twitter is wrong and should not drop Basic Authentication from the https interface.

If they do, elmdentica will very likely not work on Twitter anymore. I don’t care much about that, but the users of elmdentica may care. That pisses me off.

What now?

Fortunately, if you value software freedom, there is a better alternative to Twitter called identi.ca. More than just using it, you can have your own “Twitter” by installing the Free Software that powers identi.ca, StatusNet.

At least they have no plans to drop Basic Authentication. Hurrah!

Yes, it’s you. But only you…

I posted the following as a comment on some guy’s blog, where he claims he’s parting with the FSF because of their “hate speech”. I found it so ridiculous that I commented, but later thought I should actually make it a blog post. So here it is:

«If you want people to adapt your ideals or products you gotta show them why they are better than what they have been using: Tell them about the brilliant things they get when they use your stuff, tell them about new possibilities

They do just that. When you claim such a thing, I can only guess you have never heard or read one of Richard Stallman’s speeches.

Campaigns like DefectiveByDesign or Windows7Sins are *very* small things compared to the rest.

That you should choose your position over them rather than the whole, totally demonstrating you missed the point of software freedom, really reveals that you don’t give a damn about your community’s software freedom.

You just want, like a spoiled child, to run all the software you want at your will, regardless of whether you’re infringing the law.

Want proof? Nothing easier… I’ll just take your own words:

«The FSF should focus on outlining what positive things a new user gets from FLOSS: Tell people about VLC that allows them to play basically every type of media without hassle

Well, this is false. Many types of media supported by VLC are encumbered by software patents. In the USA, in particular, doing what you “preach” could become a very concrete and real legal liability: they could be accused of enticing people to break the law.

Is that what you think the FSF should be doing? Really? Or did you just never sit down and think things through?

Identi.ca Updates for 2010-06-10

  • ♺ @glynmoody: Cyber War: Microsoft a weak link in national security – http://bit.ly/aoiIsO stuff at the end of piece is worrying #microsoft
  • @support I noticed I wasn’t getting any messages from @jwildeboer. Went to his identica page and noticed I have him flagged. Bug? unflag plz
  • I would love it if someone could tell @jwildeboer I didn’t flag him in Identi.ca. @greve @karsten @zoobab? Please?
  • @stephwho did he comment on that?
  • @support feature request: ability to “unflag” so users don’t have to bug @support 🙂
  • @stephwho thank you, I didn’t ask you because I had understood you weren’t with him today 🙂
  • @stephwho yeah, they probably are in write-only mode, right now 🙂
  • @stephwho oh my… not even… oh… OMG!
  • Increased the messages list area in !elmdentica by moving the timeline description to the title bar and the toolbar at the bottom (+handy)
  • Type your status here…
  • @ronnypfannschmidt Good for you! 🙂
  • Wow! What do you do when str2 = strndup(str1, 8) returns a string with 8 NULLs instead of str1’s first 8 characters?
  • If I printf(str1) I see all I expected.
  • @tonnerre do what, instead of strndup(str, limit), then?
  • @support @jwildeboer is not blocked, only flagged. Toggling block and back again doesn’t change flag status.
  • @tonnerre of course not, this printf(str1) is just a contraction; in the code it is printf("%s", str1) and only exists to debug what the problem is.
  • @tonnerre my problem is: str1="123456789"; str2=strndup(str1, 8); and now str2==""
  • 20
  • @support yeah, it took some pages of looking backwards in the timeline, but yes, I receive. I only noticed because I thought he’d report today.
  • @stephwho It’s an attack on the PIGS, Portuguese and Spanish were robbed yesterday, as well.
  • But it’s South Africa! How could one not expect the tourist attraction of being robbed? Wondering when rape will start showing up…
  • @smaffulli: gwibber always sucked codewise but has the best UI
  • ♺ @glynmoody: Memo From #Dell: #Ubuntu Linux Is Safer Than Windows – http://bit.ly/ccW8La grab a screenshot before it gets “disappeared”
  • ♺ @glynmoody: Lawyers Warn WordPress Over File-Sharing News Blog – http://bit.ly/c9ll8R this is an unwinnable war, lawyer people…
  • @smaffulli yeah, about that time I also visited an SCO press conference/workshop to add some fire to their party 😉
  • What’s coming up in the next !elmdentica release for your !freerunner: http://is.gd/cKGiA http://is.gd/cKGkp
  • http://www.ubuntu.com/products/casestudies/Andalusia-deploys-220000-Ubuntu-desktops-in-schools-throughout-the-region !ubuntu #schools #es
  • @bugabundo haven’t checked xauth yet, but if it needs to store the secrets in the client app like oauth, then it’s just as much bullshit.

Identi.ca Updates for 2010-06-09

  • ♺ @glynmoody: WebM has landed on Firefox 4 nightlies – http://bit.ly/aUbIN7 form an orderly queue #webm #firefox #video
  • ♺ @joaop: More of this please. NOT! RT @BreakingNews Malaysian princes reach s/ment over who has the right to use Bentley owned by their dad
  • @andersongouveia: dude, why do you advertise proprietary software so much? Bad form!
  • ♺ @schestowitz: “MS Has Already Approached Canonical Pressuring Them to Sign up to a Patent Deal” http://ur1.ca/06ixf #swpats !ubuntu !fsf

Identi.ca Updates for 2010-06-08

  • ♺ @PauloTrezentos: ASE 2010 http://39lo.sl.pt. Paper presents new approach to better Linux dependencies solving. Work was developed w/INESC
  • ♺ @BoingBoing: Terrorists figure out how to get America to attack itself: leave harmless, "suspicious" ba… http://bit.ly/cyVDTf
  • ♺ @glynmoody: Zaragoza’s move to complete open source desktop going to plan – http://bit.ly/cgIqIz Spain’s Munich? #opensource #migration
  • As usual, vendor lock-in effects are the biggest challenges. Get rid of the toxic waste! 🙂
  • #apple #bigbrother #facetime ♺ @carlopiana: @jwildeboer Have you read this http://bit.ly/doecD8 ? Big brotherish, innit?
  • @stephwho use Perl 😉 (@jwildeboer can explain the pun to you) 🙂
  • @stephwho Perl is a programming language with a tendency to «Do what I mean» because sometimes what people mean is not what they want.
  • @jwildeboer bullshit! You can make any language be a “write-only” language. That’s a matter of following good practices or not.
  • People who make healthcheck documents in hundreds of *powerpoint* slides should be shot without mercy.
  • ♺ @jerezim: RT @clarinette02 RT @stoppacta: Australian senator Lundy raises #ACTA concerns http://bit.ly/aPOD1R #StopACTA
  • ♺ @FFII European Parliament “calls for greater investment in the use of open source software in the EU” http://bit.ly/c2XbEw
  • «European charter of users’ rights (…) this should include in particular users’ rights relating to digital content» http://bit.ly/c2XbEw
  • With relation to the last status message: be afraid… be very afraid.
  • ♺ @caostheory The Gov of Malta issued a directive giving preference to OSS in all government projects http://bit.ly/cCEabz
  • ♺ @carlopiana: Malta #rocks: http://ur1.ca/06722 law to prefer !freesoftware in procurement. Via @maslett
  • @evan: please don’t make the twitter mistake as oauth is bullshit security outside of web-apps. don’t drop http auth.
  • @jmcesteves: what? what? what? 🙂
  • @bob_sutor: you can’t make GPL/LGPL applications for iPays as #Apple forbids it.
  • ♺ @mind_booster: Liked "Mozilla evangelist: #Apple #HTML5 demos harm the open Web #dirtytricks" http://ff.im/lGmiC
  • @greve I sadly envy you from afar… the only joy I can take is how close Ponto Final is to me…
  • @greve hehe everything is still fine, I hope, here it is… predicted date still the same? 🙂 It would be so cool if they came up the same day..
  • @zach oh, thank you, thank you, thank you, thank you, thank you, thank you, thank you, thank you, thank you, thank you, thank you!
  • ♺ @lxoliva: Brazilian court refuses to uphold foreign copyrights (MS, AutoDesk) for lack of reciprocity in US law ur1.ca/069sa (via @ufa)
  • ♺ @lxoliva: Spanish judge equates P2P with lending books bit.ly/9THGFI as in the intro of fsfla.org/blogs/lxo/pub/p2plano-b
  • If !fedora 13’s #firefox has pt_PT localization problems (eg, Save is C-s, quit/sair is C-s as well and bad), is that upstream or not?
  • @ender2070 if that’s so, then I probably know who to pester until fixed 🙂
  • @ender2070 it’s very unnerving to find out that C-q doesn’t work anymore

Identi.ca Updates for 2010-06-07

  • @Biafra: lol semantics. Of course, but the meaning is that military style of command is not the proper way of leading knowledgeable people.
  • @jwildeboer: no openvpn for android? tsk tsk tsk
  • ♺ @glynmoody: The Australian Parliament goes CC – with v3.0 – http://bit.ly/9271c2 nice move #cc #australia
  • @glynmoody !cc but NC and ND. While I understand ND, NC I don’t. Anyways… better than nothing at all.
  • @glynmoody and *again*, IIRC? @bkuhn grats, dude! 🙂
  • @bkuhn right, my memory of that detail wasn’t correct, anyways, the feeling’s the same! 🙂
  • @fontana delayed, *again*? I suspect they’re finding it very difficult to agree on a position…
  • ♺ @glynmoody: Human Rights Eroding in Name of Copyright Protection http://bit.ly/d9FpDj not new, but worth saying again #copyright #freedom
  • ♺ @glynmoody: OpenSource Could Mean Open Door for Hackers http://bit.ly/bqRbpH think we’ll need to see the methodology on this one #security
  • @schestowitz my firefox from fedora 13 isn’t playing that ogg 🙁
  • ♺ @mind_booster: Liked "The gossips have fallen out." http://ff.im/lDLZa ACAPOR and MAPiNET (good riddance, to both)
  • @brunomiguel: more than enough RAM and storage! I wanna! #shogo #tablet
  • ♺ @TMorais: Internet censorship harms schools – http://www.boingboing.net/2010/03/26/internet-censorship.html
  • ♺ @leonivek: Venture Capitalists Lobby Against Software Patents http://bit.ly/boe4lA !oss !linux
  • @gbraad: thought you went there with a contract in hand! problems? hope not… good luck, man!
  • @brunomiguel: #openPandora sucks a bit, freedomwise. not sure about #shogo but seems better equipped.
  • @gbraad: phew 🙂

Identi.ca Updates for 2010-06-06

  • #oauth seems like a load of bullshit crap thrown up by a drunken bull on heat. !elmdentica
  • Leadership courses given by the military, probably explains why so many portuguese bosses are complete wankers.
  • They may be nice people, but not leaders.
  • Hey, #twitter don’t drop http auth, just forbid it under http and allow it only under https. Don’t be #wankers
  • And here’s further evidence #oauth is total bullshit: http://www.jaanuskase.com/en/2010/01/understanding_the_guts_of_twit.html #wankers
  • @gbraad well, read you from Beijing, then, I guess. Good luck and have a nice journey!
  • I’ve got a feeling oauth is incompatible with Free Software if you don’t use web apps, otherwise, secrets have to be divulged…
  • @rejon good journey, be sure to give @gbraad a welcome hug
  • #oauth consumer_secret + consumer_key == I can pretend to be your app => only web-apps are secure => client apps are not. #twitter #fail
  • #oauth is a big pile of crap, security wise. If #twitter abandons https basic auth it’s a big #fail

Identi.ca Updates for 2010-06-05

  • I’m at #ESECSAL, attending an introductory #wordpress workshop given by @ricardojrsousa
  • ♺ @DaHammerstein: EU will meet on Tue to decide probable opposition to Treaty for Blind. Send messages to EU member states!
  • ♺ @jwildeboer: @cdibona thx for putting webm/vp8 under a better license. You guys rock!
  • ♺ @joaop: The latest Ubuntu with Wine is made in Portugal! http://38v1.sl.pt
  • ♺ @ddevine: @borncrusader http://openinkpot.org/ Open Inkpot is a linux based eBook reader distro.
  • ♺ @charlesschulz: OpenOffice.org has now 154 Million downloads ever since the release of the 3.0 ! http://ur1.ca/ev0s #OpenOffice #ooo #ODF
  • Well well… don’t tell me that prof. @arselio is the father of @joaopsmartins, who wrote the Pi song that was played at my wedding… #educarhoje 🙂
  • ♺ @zoobab: European Parliament’s JURI committee calls for EU patent court, EU software patents via central caselaw: http://ur1.ca/059lt
  • @lopo: You mean left… but you’re confusing habit with usability. #Apple has had it for years, no problem for its poor addicts.
  • @lopo: Don’t get me wrong, I don’t like it much either, but I’m convinced it’s a matter of habit 🙂
  • @lopo: yes, that Mac OSX like interface is the ultimate goal of that change…
  • @jwildeboer: yeah… fear…
  • @jwildeboer: @stephwer: have a nice concert guys #envy
  • @lopo: will get there (or something better), wait and see. As long as I can have what I’m used to with configuration changes, ok by me!
  • Never noticed how #Apple Mac OS X could be so #confusing! ♺ @lopo: @ruiseabra: Do you see the difference of concept? http://is.gd/cDNnI
  • @lopo: ha, release early, release often 🙂 but I agree, for an LTS it was bad strategy…

Identi.ca Updates for 2010-06-04

  • ♺ @jwildeboer: Welcome to the Ministry of Truth AKA Apple. Web standards == Safari only. http://www.apple.com/html5/
  • Here they whistle into the air and pretend nothing is going on. «Quebec broke law in buying Microsoft software» http://ur1.ca/05d1w
  • Has the Secretary of State responsible for these projects, deemed illegal by the EC and the Committee of Inquiry, resigned yet, or is he still whistling?
  • If he doesn’t resign, it’s time he was dismissed…
  • Or did he receive orders to benefit Microsoft, Intel and JP Sá Couto, among others?
  • “A tender was made, but only to authorized Microsoft dealers.” Just like the tender for the Magalhães 2
  • And in Canada a tender would be mandatory above 25,000 Canadian dollars. Here they raised the expenditure to about 75,000 €.
  • Several breaches of the law involving the state’s continued overspending on software: http://transparencia-pt.org/?search_str=microsoft&sort=2
  • 5 MILLION € to Microsoft, who thank CTT: http://www.base.gov.pt/_layouts/ccp/AjusteDirecto/Detail.aspx?idAjusteDirecto=86879
  • This year alone, 7.852.868,45 € (almost 8 MILLION) have already gone to Microsoft via direct award. Does this shame never stop?
  • Portuguese direct benefits to Microsoft without any kind of procurement: 2009 = 26.471.745,03 € / 2010 = 7.852.868,45 €
  • e-escolinhas and e-escolas (under European Commission investigation) rendered Microsoft about 100 million € more.
  • @support hey guys, when did you start adding xmlns:statusnet to the xml output?
  • ♺ @ansol: New blog post: Italian Parliament migrates desktops and servers to free software http://ur1.ca/05iwr
  • @support ok, forget that, I found my bug. You guys stopped declaring content length! You killed !elmdentica! You bastards! 😀
  • Me wanna too! ♺ @jwildeboer: Yay! My #transnational identity card is here! So proud! Official citizen of the first transnational REPUBLIC!