Comments on: Twitter’s new OAuth Problem http://shkspr.mobi/blog/index.php/2010/02/twitter-oauth-problem/ Mobiles, Shakespeare, Politics, Usability. Tue, 07 Feb 2012 17:59:37 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Linkblogging For 13/02/10 « Sci-Ence! Justice Leak!http://shkspr.mobi/blog/index.php/2010/02/twitter-oauth-problem/#comment-4979 Linkblogging For 13/02/10 « Sci-Ence! Justice Leak! Sat, 13 Feb 2010 12:16:07 +0000 http://shkspr.mobi/blog/?p=1627#comment-4979 [...] Firstly, while I thought I had reason to be mildly annoyed at Google, at least it didn’t decide I automatically wanted to be bestest friends with an abusive ex and a bunch of people who want to rape me, like it did with someone else… meanwhile Twitter has handed a gift to repressive regimes. [...] [...] Firstly, while I thought I had reason to be mildly annoyed at Google, at least it didn’t decide I automatically wanted to be bestest friends with an abusive ex and a bunch of people who want to rape me, like it did with someone else… meanwhile Twitter has handed a gift to repressive regimes. [...]

]]> By: Abraham Williamshttp://shkspr.mobi/blog/index.php/2010/02/twitter-oauth-problem/#comment-4967 Abraham Williams Fri, 12 Feb 2010 23:33:05 +0000 http://shkspr.mobi/blog/?p=1627#comment-4967 Since it takes 2 minutes for anyone to register an application with Twitter there is no added protection that the application can actually be trusted.At that point you are trading the security of not having to entire your entire password for insecurity of it only taking three characters to gain access to your account. Since it takes 2 minutes for anyone to register an application with Twitter there is no added protection that the application can actually be trusted.

At that point you are trading the security of not having to entire your entire password for insecurity of it only taking three characters to gain access to your account.

]]> By: Terence Edenhttp://shkspr.mobi/blog/index.php/2010/02/twitter-oauth-problem/#comment-4964 Terence Eden Fri, 12 Feb 2010 22:36:19 +0000 http://shkspr.mobi/blog/?p=1627#comment-4964 No, it's fundamentally different - but I haven't explained myself well.... Take the following user journey.Abraham visits Example.com - which promises to be the best Twitter client ever. He types in his username and presses enter.(In the background, Example.com passes the username & a secret token to Twitter. Twitter checks that the IP of the request matches the token (much like OAuth). Twitter sends back Abraham's pre-arranged secret and asks for the 3rd, 4th and last character from his password).Example.com displays "Your secret Twitter pass phrase is 'Moscow geese fly south for winter'. Please type the 3rd, 4th & last character of your password."Abraham is satisfied that Twitter thinks this site is genuine.He types in "ssd"Example.com passes that to Twitter and - if satisfactory - gets back an OAuth token.So, Abraham doesn't have to remember anything more complicated than his username and password - like now. He doesn't have to expose his entire password to Example.com. If he's stuck in the Duchy of Grand Fenwick - a repressive regime - he doesn't need to visit Twitter.com to authenticate himself. He is also immune to phishing because his pre-arranged secret (which he can change & is independent to his password) can only be retrieved by a trustworthy site.Does that make a bit more sense? No, it’s fundamentally different – but I haven’t explained myself well…. Take the following user journey.

Abraham visits Example.com – which promises to be the best Twitter client ever.
He types in his username and presses enter.

(In the background, Example.com passes the username & a secret token to Twitter. Twitter checks that the IP of the request matches the token (much like OAuth). Twitter sends back Abraham’s pre-arranged secret and asks for the 3rd, 4th and last character from his password).

Example.com displays “Your secret Twitter pass phrase is ‘Moscow geese fly south for winter’. Please type the 3rd, 4th & last character of your password.”

Abraham is satisfied that Twitter thinks this site is genuine.

He types in “ssd”

Example.com passes that to Twitter and – if satisfactory – gets back an OAuth token.

So, Abraham doesn’t have to remember anything more complicated than his username and password – like now.
He doesn’t have to expose his entire password to Example.com.
If he’s stuck in the Duchy of Grand Fenwick – a repressive regime – he doesn’t need to visit Twitter.com to authenticate himself.
He is also immune to phishing because his pre-arranged secret (which he can change & is independent to his password) can only be retrieved by a trustworthy site.

Does that make a bit more sense?

]]> By: Abraham Williamshttp://shkspr.mobi/blog/index.php/2010/02/twitter-oauth-problem/#comment-4963 Abraham Williams Fri, 12 Feb 2010 22:11:35 +0000 http://shkspr.mobi/blog/?p=1627#comment-4963 Isn't this just renaming password to secret phrase and making it so you only have to know a few characters of it? Isn’t this just renaming password to secret phrase and making it so you only have to know a few characters of it?

]]>