Some clarification on these events would help to let us know where and
how people are getting in, so we can tighten things up on our end. If
the hacks are just email accounts being gotten into, there is nothing
twitter apps need to do. If it is something else, there may be other
things we can do to keep the accounts safe.
Thanks.
On Jun 29, 2009, at 3:34 PM, Alex Payne wrote:
> I wanted to point out a blog post (http://apiblog.twitter.com/security-best-practices-for-twitter-apps
> ) that addresses the coming "Month of Twitter Bugs". Long story
> short: Twitter is in the loop, we've got security at the forefront
> of our daily work right now, and we're available to help if your
> application is identified as vulnerable or compromised.
>
> Please check out the new wiki page (http://apiwiki.twitter.com/Security-Best-Practices
> ) and let us know what's missing. Thanks!
--
Scott * If you contact me off list replace talklists@ with scott@ *
I heard the other day that in the wake of the MJ stuff, a few high profile celebs accounts where hacked. Is this media "hacking" and there were just weak passwords, or their email accounts were compromised, or were these real live hacks where someone brute forced, or did otherwise nefarious acts to get in.
Some clarification on these events would help to let us know where and how people are getting in, so we can tighten things up on our end. If the hacks are just email accounts being gotten into, there is nothing twitter apps need to do. If it is something else, there may be other things we can do to keep the accounts safe.
Thanks.
On Jun 29, 2009, at 3:34 PM, Alex Payne wrote:
I wanted to point out a blog post (http://apiblog.twitter.com/security-best-practices-for-twitter-apps) that addresses the coming "Month of Twitter Bugs". Long story short: Twitter is in the loop, we've got security at the forefront of our daily work right now, and we're available to help if your application is identified as vulnerable or compromised.
Please check out the new wiki page (http://apiwiki.twitter.com/Security-Best-Practices) and let us know what's missing. Thanks!
--
Scott * If you contact me off list replace talklists@ with scott@ *
They clearly point the finger at twitter in the headline, but reading
on, and it is clearly a twit pic issue.
I see these all over the place. Have you considered some sort of
vetting system for sites that are asking for twitter credentials on a
3rd party site?
I can see that twitpic may not be able to use o-auth, as they want to
be able to stand alone and a image host. If there was some sort of
communication where you worked with the large sites like twit pic, it
may help. As it is now, I fell for it, I read the headline, and
thought ti was a twitter issue.
Just some food for thought.
--
Twitter asks for my email address when I signed up. I put some pretty
stupid junk in my twitter account, and I thought I was anonymous.
Somehow, many people I associate with are finding me, putting me in a
bit of a bind.
I learned later on, by importing my personal address book into gmail,
I can login to gmail via twitter, and find all sorts of people.
This is not explained anywhere that I can tell, that my email address
can be used as a vector to locate me within twitter. With this, as
long as I use my real email address, I have no anonymity on twitter.
What are you comments on this? I know I can change my email address,
and I will shortly. Though I overlooked this, and it took me some
time to figure out how people were finding me so easily.
1. Under this heading the sub-section of the document titled "Lack of Rate Limiting" states that we should use a "CAPTCHA" to slow down hackers. This didn't make much sense to me as when I think of Desktop Application I think of the few that I've used: Twitteriffic, Tweetie, and Destroy Twitter. All of those have direct control of their UI. Although a CAPTCHA could be used to limit scripted behaviors, it would probably be more effective just to directly limit the resource.It's not that a CAPTCHA *couldn't* be used, it's just not something I see very often in a desktop application.It seems to me that CAPTCHA would be more appropriate for a multi-user service than a single user desktop app -- so I was wondering if this section of the document was in the wrong area.2. Under the sub-section Lack of Information about Threats, it begins, "If you think there's an issue with your web application, how do you find out for sure?" This is clearly at least a typo in the *desktop* app section, but it goes on to describe creating a "dashboard" of critical stats. Again, this would make more sense in the context of service administrator, but I'm having trouble understanding what this would mean to a desktop application developer.Am I misunderstanding what is meant by "Desktop Application?" Does that mean something other than the examples I mentioned?Thanks,
On Jun 29, 2009, at 3:34 PM, Alex Payne wrote:
We could use suggestions from desktop developers about the security issues they've run into. Developers working in sufficiently high-level languages shouldn't be dealing with buffer overflows and the usual security issues. What have you defended against?
Thanks-
- Andy Badera
- and...@badera.us
- Google me: http://www.google.com/search?q=andrew+badera
- This email is: [ ] bloggable [x] ask first [ ] private
They can not act upon user accounts without the users going through
the authorize flow. Using basic auth it is already possible to use any
source and "impersonate" another application so not much is changing
here except better security for web applications.
Abraham
--
Abraham Williams | Community Evangelist | http://web608.org
Hacker | http://abrah.am | http://twitter.com/abraham
Project | http://fireeagle.labs.poseurtech.com
This email is: [ ] blogable [x] ask first [ ] private.
Abraham
--
That's not workable. It has to be publicly accessible somehow.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- He hadn't a single redeeming vice. -- Oscar Wilde --------------------------
People using open source libraries will have to get their own keys.
So, either you really are contributing in the spirit of open source,
and you don't care about getting credit, or you're doing it for self
promotional purposes, and the conversation is moot anyhow.
"You" being any person worried about keys and open sourcing their libraries.
That's an asinine statement. So everybody who doesn't make their open
source software anonymous is a publicity whore?
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- In memory of John Banner ---------------------------------------------------
But the situation you state above is a bigger price to pay than if an
app is impersonated via basic auth. In basic auth, it's simply cosmetic.
In OAuth, you can certainly cause no small amount of turmoil by forcing
open source apps to push out new versions by no fault of their own. That's
not exactly an even playing field.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- Man who live in glass house dress in basement. -----------------------------
Re-read what I said.
If someone is open sourcing something, in the true spirit of open
source, they shouldn't care about getting credit in the source
parameter.
Thanks you and good night, I'm here all week, try the veal, don't
forget to tip your waitresses and angry developers.
Tell that to Richard Stallman.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- Another visitor. Stay awhile. Stay forever! -- Professor Elvin Atombender --
>
> I do not feel you've made a mountain out of a mole hill here. This
> topic has been on my mind since I first encountered oAuth. I haven't
> seen any open source apps use oAuth yet.
>
> We have an open source application called Application X. The
> potential risk is that Application X becomes widely adopted, thus
> having a higher risk of being impersonated. For instance, malware
> could then use the tokens from Application X to obtain authorization
> from Twitter. This would require the user to authorize the
> impersonator via Twitter since it is likely a new session token would
> be generated. Potentially the user would likely trust this
> impersonator and not think twice about authorizing it because they
> will see "Application X" on Twitter.com. Once they click allow the
> impersonator has control of their account. Even if the malware
> doesn't spread quickly it would possibly be harder to track since it
> would appear to be communications from Application X.
One thing the above description leaves out is that not only would
the user have to approve the application, but that since it is a
desktop application they would have to type the PIN number back into
the MalewareApp. Perhaps the PIN-flow for desktop applications was not
taken into account, or maybe the wording on the PIN pages should be
stronger, but that's pretty much why we added the PIN flow.
In my mind server-side applications should not publish a consumer
key/secret. There is an assumption here that anyone savvy enough to
install your wildly successful open source server-side application can
register a key/secret … and that they probably want callbacks going to
the correct site. This is not unlike the current Twitter/OAuth
libraries, which all require you to get your own key.
Open source all you want, each person deploying an instance will have
to get their own keys. What's so tough about that?
— Matt
Abraham
--
Sent from my iPhone
-- Bruce
Sent from my iPhone
I do not recommend having individual end users register for
consumer keys/secrets [1] under any circumstances. So, with that out
of the way, let us focus the discussion a bit more. What can we change
about OAuth that would make this better? A complete technical [2][3]
discussion on what we could add that would make this better is
welcomed. More than welcome, it's pretty much required before we can
help.
The PIN flow was the first addition to address the inherent
insecurity of the consumer key/secret all desktop applications [3].
This stopped applications from being able to collect tokens by using
the consumer key/secret and a confidence scam (phishing like "GoodApp
needs you to re-approve us"). It sounds like there is a fervent need
for something more … what do people suggest? We're working hard on the
problem but many of you are working from the consumer standpoint and
probably have great feedback.
Please, take your time and write a well thought out reply. One-
line snarky comments, while fun to write and sometimes to read, steal
time from everyone reading the list, including all of the Twitter API
engineers. They also make the list look less inviting to new comers.
Thanks;
– Matt Sanford / @mzsanford
Twitter Dev
[1] - People installing an instance of your server-side app are not
'end users', but other developers
[2] - Not open-source hand waving.
[3] - Closed source desktop apps have the same problem. Reverse
engineering is not stopped when you don't include the source.
On Wed, Jul 1, 2009 at 10:15, Abraham Williams<4br...@gmail.com> wrote:
> A technical solution I see working is a modified PIN flow where
> instead of a 6 digit PIN the user gets a 20 character token that acts
> as consumer token. No harder then using PIN flow but each desktop
> install would have a unique consumer sub token that could still be
> tied into the global consumer token.
>
> Abraham
--
What can we change about OAuth that would make this better?
Hello again,
I do not recommend having individual end users register for consumer keys/secrets [1] under any circumstances. So, with that out of the way, let us focus the discussion a bit more. What can we change about OAuth that would make this better? A complete technical [2][3] discussion on what we could add that would make this better is welcomed. More than welcome, it's pretty much required before we can help.
The PIN flow was the first addition to address the inherent insecurity of the consumer key/secret all desktop applications [3]. This stopped applications from being able to collect tokens by using the consumer key/secret and a confidence scam (phishing like "GoodApp needs you to re-approve us"). It sounds like there is a fervent need for something more … what do people suggest? We're working hard on the problem but many of you are working from the consumer standpoint and probably have great feedback.
Please, take your time and write a well thought out reply. One-line snarky comments, while fun to write and sometimes to read, steal time from everyone reading the list, including all of the Twitter API engineers. They also make the list look less inviting to new comers.
>
> Mark,
>
> Thanks for weighing in. Much appreciated. Here are my thoughts.
>
> I see two separate issues here: User Authentication vs. Application
> Authentication.
>
> User Authentication: Ensuring that the Twitter user is who they say
> they are.
> Application Authentication: Ensuring that the Application is who it
> says it is (i.e. the tweet is really coming from "TweetDeck" and not
> some other application pretending to be TweetDeck).
>
> User Authentication:
> I understand that Basic Auth, as is, is not a secure solution.
> Transmitting unencrypted credentials in the clear is never a great
> idea. What about combining Basic Auth with a form of public/private
> key encryption? Using PGP as an example, Twitter could publish it's
> public PGP key. Applications using Basic Auth would have to encrypt
> the username and password with that key and submit the encrypted
> username and password as the Basic Auth credentials. Twitter decrypts
> them server side and processes authentication normally. Developers
> wouldn't have to include any sensitive information in their source
> code, and the credentials would always be transmitted in an encrypted
> fashion. PGP is a fairly robust standard, with lots of free resources
> available to the development community across many languages.
Rather than breaking with the HTTP specification for Basic
authentication we offer HTTP over SSL for encrypted access. That adds
the benefits you enumerate above plus:
* Requires very little coding from developers (most libraries
support it)
* Built on an open standard
* Prevents re-using an Authentication header (even one encrypted) to
essentially act like a user.
* Bonus: Encrypts the contents so nobody else is reading your DMs on
the wire
>
> Application Authentication:
> This is a thornier issue that I'm not sure how to solve without having
> to bundle some sort of sensitive information in the source code of an
> application. However, I think the issue becomes more manageable if
> User Authentication is separated from Application Authentication.
This seems to be the crux of the issue from what I can tell. Isaiah
from youhead enumerated some of the difficulties with that, especially
for open source.
It should take all of, what, a day, to create a list of the top 10
desktop Twitter apps and their corresponding consumer key and secret.
It's all fun and games until someone discloses a secret. Then, it's
just fun ...
On 7/1/09 9:32 AM, Andrew Badera wrote:
> The secret should not reside in code. The secret should reside in a
> config file, or maybe even a machine datastore. Abstract it out, no
> one ever needs to see anything secret in your code.
>
> Thanks-
> - Andy Badera
> - and...@badera.us
> - Google me: http://www.google.com/search?q=andrew+badera
> - This email is: [ ] bloggable [x] ask first [ ] private
>
>
>
> On Wed, Jul 1, 2009 at 9:25 AM, DWRoelands<duane.r...@gmail.com> wrote:
>> If you check out the OAuth Core Abstract, Section 4 (http://oauth.net/
>> core/1.0#anchor4) states it pretty plainly:
>>
>> "Service Providers SHOULD NOT rely on the Consumer Secret as a method
>> to verify the Consumer identity, unless the Consumer Secret is known
>> to be inaccessible to anyone other than the Consumer and the Service
>> Provider."
>>
>> This is exactly what Twitter has done with the Consumer Secret; they
>> rely on it to verify the Consumer identity.
>>
>> This is a thorny dilemma for open source developers. There's no way
>> to share the source code without compromising your application's
>> security, because you've got to include the Consumer Key Secret in the
>> source. You can obfuscate and encrypt, but a malicious actor with
>> access to the source code can simply "step through" the code until the
>> Consumer Secret is exposed in plain text.
>>
>> In any event, what's done is done, and Twitter certainly isn't going
>> to abandon OAuth at this point. But opening the source of my Twitter
>> client seems to be out of the question if I want to use OAuth.
>>
>>
>> On Jul 1, 8:10 am, Philip Plante<pplante....@gmail.com> wrote:
>>> I do not feel you've made a mountain out of a mole hill here. This
>>> topic has been on my mind since I first encountered oAuth. I haven't
>>> seen any open source apps use oAuth yet.
--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on." (p. 70)
Thanks-
- Andy Badera
- and...@badera.us
- Google me: http://www.google.com/search?q=andrew+badera
- This email is: [ ] bloggable [x] ask first [ ] private
Yes, yes you can - then you get to enjoy the Twitter rate limit issue
and having to scale to accomodate concurrent sessions.
The "beauty" of desktop applications is the decentralized nature, using
resources "close" to the user (as opposed to "further away" on a
server). This means scaling per user is "built in" as the user brings
their own resources.
OAuth's implicit requirement of funneling everything through a server in
order to protect a secret is a defect in the design of OAuth, one that
I've raised on the OAuth mailing lists to which I received the response
of "well, that's not a problem OAuth is trying to solve." In other
words: EPIC FAIL.