> [the same post three different times]
WE GET IT. YOU DON'T LIKE OAUTH.
Your (probably statistically insignificant) tests with Google
Optimizer reveal that your users are more likely to sign-up for Basic
Auth than OAuth.
WE GET IT.
Did you need to start three different threads to say exactly the same
thing on the same day?
I gather you are choosing to receive emails individually.
I think that is the statistical significance to which TjL was referring. At least, I hope so.
I haven't done any comprehensive profiling of them. (As well, my
particular presentation of the OAuth or Basic login options also may
confound the data.)
That said, the fact that any sub-population of Twitter users shows a
preference for Basic Auth is surprising. I suggest that linking
another app to one's Twitter account is foreign and difficult for the
average person to understand.
The OAuth scare page presented by Twitter doesn't help. It clearly
hasn't been split-tested and is poorly executed. It is likely
responsible for a significant number of desertions. Compare it, for
example, to the Facebook app auth page. Twitter's DENY button is just
as big as the ALLOW button; Facebook offers "approve" and then a much
smaller "cancel" link.
Add in the current complexity and unreliability of Twitter OAuth, and,
at the very least, offering Basic Auth as an adjunct option seems to
make sense.
I really loved OAuth because:
(1) Ease of coding. I could get OAuth working within a couple of days.
Saves me any password maintenance, encryption etc.
(2) Integration with Twitter Branding. With the OAuth scheme, I
believe my website is more integrated with Twitter. It would also be
nicer if Twitter would maintain their own list of websites they trust
with Oauth, just to give users the added confidence that Twitter
trusts me.
(3) Saves me worrying about SSL. A lot of people are finicky about
HTTPS/SSL. This was I can just ytell them that if Twitter wants Oauth
that way in future, we will simple provide it.
The part I hate about OAuth is that the OAUth page is extremely slow
to load and sometimes does not load at all. I see this issue with the
Twitter website in general as well, sometime postst from the web just
don't go through. I would much appreciate if people at Twitter can
address scalability problems to OAUTH, because that I believe is the
biggest user turnoff.
I used Abraham examples to implement OAuth into Elgg v0.9.2 (last
version of an open source social network platform).
It`s working as it should be, but I also made further thinking (if by
any chance OAuth gets down) and the first time users join our website
they must complete a "one time" signup process, allowing us to have
the missing parts from theyr account (email - any email they might
choose) and also let them set theyr username/password .
Now, even if theyr password is the same as for twitter it`s md5
encripted and no-one, neither the admins can use it in a "non-right
way".
Just a question along the same lines as Dmitriy's, and forwarding no
opinion one way or the other -- but I'm curious, as security
discussions often end up being debates about one particular facet of a
security scheme while not considering the big picture. What is the
breach that OAuth is primarily concerned with here? Granted that in
principle one doesn't want to be throwing passwords around, but I see
two concerns:
1. Passwords being intercepted as sent across the wire.
Comment: If credentials have to be passed over the wire to
authenticate a session, doesn't HTTPS really alleviate this concern?
In order to breach HTTPS you'd have to either crack the encryption, or
spoof the Twitter endpoint and support it by somehow spoofing the
certificate authority chain. And if someone could do this, then OAuth
is no safeguard, because they could do the same with whatever app or
session token is the key to the city.
2. Passwords being stored locally.
Comment: The application integrating with Twitter is already
effectively "trusted", so the concern should not be with the app
itself. The concern here would be other apps or people being able to
grab passwords off of disk where stored. Again, I think this goes back
to encryption. If all credentials are encrypted locally, then again,
the concern becomes the breaking of encryption, and if that is done,
then again whatever app or session token represents the key to the
city can be acquired to use in OAuth too, if I'm not mistaken.
Now admittedly, I haven't gone through OAuth with a fine-toothed comb,
but I have read the docs and examined the process. If I'm not
mistaken, OAuth doesn't alleviate authentication, it just puts the
actual username and password out of the regular communication and need
to be stored locally, but replaces it with an alternative token, which
does need to be stored locally, and passed across the wire. That token
now becomes the key to the city, no?
In conclusion, as I've been reading this thread, the thing I keep
coming back to is that OAuth vs. Basic Auth seems somewhat a secondary
argument -- the real issue is encrypting over the wire (HTTPS) and
encryption on disk, and whether those can be cracked (or are being
used as they should). From a developer standpoint, given that the
cracking of encryption seems outside the scope of concerns with the
Twitter API, what is analog is which one serves the user better -- and
I think it is clear that the Basic Auth case has fewer steps and
quicker to the result.
Please correct my misperceptions if I'm wrong, as I'd love to hear
what details I've overlooked.
Regards,
Brad
*snip*
I understand the concern. But I think the conversation is moving
closer to the actual issue. Your example of turning Twitter
credentials to a stranger basically makes the application (or
computer) that the user has already willfully chosen to use "a
complete stranger". I would debate that is necessarily the case, but
let's for the moment assume it is the case, and see the problem with
that assumption.
In that case, OAuth *still* requires production of credentials to a
complete stranger. Because it supposedly redirects to the Twitter web
site for authentication doesn't save you from the either originating
web site, the browser, or the machine itself spoofing the redirect --
I mean you've already labeled them "a complete stranger", so you have
to allow now for that possibility. Additionally, that login directly
into Twitter also doesn't save you from keyboard logging or phishing
on the machine -- or, and I'm not 100% sure on this one but I think it
is possible, malicious browser plugins. So here we get into the issue
of not just a single trusted / non-trusted app, but whether it is a
trusted box or not.
Perhaps I'm still ignorant, but unless I've completely missed the
boat, credentials are still being produced -- i mean, at some point
they have to be, otherwise they wouldn't be credentials, something
else would be. I think what I'm really responding to here is the lack
of context given to discussions surrounding OAuth's security -- there
are blanket statements being made about not giving a stranger
passwords, and OAuth somehow solving that. Well, that "stranger"
happens to be the machine you've chosen to trust. Just because OAuth
exists, it doesn't make Twittering or accessing Twitter data from
Facebook on an Internet Cafe computer any safer necessarily. There is
a degree of trust somewhere that is being trusted as a beginning
prerequisite. I do not believe there is a no-trust scenario here. What
I really want to hear stated, or read on a FAQ, is the pre-requisite
security trust, that in that scenario, it necessarily makes OAuth
superior to basic authentication.
Brad
The problem here is that you're paying attention, instead
of just accepting "oauth is better because it is!" statements :-)
For desktop apps (and in any case where the application has
has control of the UI and/or your computer) OAuth has no
security advantage (since the app can snoop the interaction)
I'm sure bad people are working on a way to make this true
in browser apps as well, but I don't know of any examples.
For web applications, many commentators acknowledge an
increased risk of phishing as a potential problem with OAuth,
although I haven't personally read any studies that indicate
whether it's a theoretical or practical problem at this point.
In any case, the primary benefit in OAuth is not protecting
the user immediately from an evil application (since the
authorization tokens an OAuth server hand out are just as
powerful as passwords and must be protected like passwords)
it's that:
- the owners of the service can (in theory) administratively
ban an application without forcing all the users to change
their passwords (a potentially very big benefit, maybe the
single benefit that justifies the general inconvenience)
- an individual user can ban an application by revoking its
authz token without having to change their password (a
moderate-at-best benefit, since you could always just
change your password)
- an individual who is using exactly the same password
at many sites doesn't have to expose out their mono-password
to an app (people mention this a lot, but come on, should
security system try to make people feel better about hitting
themselves on the head with a hammer? but this gets
mentioned a lot, so there you go)
So, the security picture is actually a little fuzzy. There are
some big wins for service administrators, some real (but
medium-sized?) wins for users, some fundamental limits
of applicability (web-apps only) and some open questions
about phishing and snooping. And lots and lots of hype :-)
-cks
--
Christopher St. John
http://praxisbridge.com
http://artofsystems.blogspot.com
It is good to see that someone understands the bigger picture here.
This conversation suffers from a presumption of a specific use-case
(web application communicating with Twitter), and a particular
presumption of trust, or lack thereof. The particular comments such as:
> You can lead a horse to water ...
and
> This is not rocket science.
pretty much demonstrate a very narrow contextual view, in which their
view might make sense, but outside of which it does not. Restated,
this is optimistic thinking from the perspective of their particular
use case, and ignores the perspective of either other use cases, and
overlooks someone trying to exploit a security vulnerability. To my
knowledge, and certainly in this conversation, OAuth is being touted
as an across-the-board superior security approach for ALL use cases.
Having spent the better part of the last two and half years doing
secure data storage development far more complex than that of just
authorization, but also securing the payloads across an entire cloud
and desktops, and the network as a whole, my comments here are simply
to see the claim of OAuth being undisputably superior supported with
fact against legitimate breach points. I'll give an example.
My personal development use case for security is communicating with
Twitter from an iPhone app. Applying the same broad brush "you
wouldn't give your data to a complete stranger" comments to the
iPhone, your "complete stranger" here is the iPhone app you are using.
So effectively, your "complete stranger" assertion maps to the
following:
1) You've downloaded an app from the App Store with the intention of
using it for communicating with Twitter, yet it is considered a
"complete stranger", and untrusted.
2) You use the app, and explicitly initiate communication to Twitter
within this very "complete stranger".
This "complete stranger" assertion is absurd. First, you haven't
treated the iPhone app like a "complete stranger". You explicitly
downloaded (and likely paid money) to explicitly put this application
on your phone. Furthermore, it doesn't really matter if you pull up
the OAuth login page within your iPhone app. That "complete stranger"
iPhone app could capture keyboard events and/or filter EVERYTHING you
send across the wire prior to any encryption being applied.
Furthermore, even if OAuth itself isn't breached, as soon as your
token is acquired, what's to prevent the app from then going
absolutely haywire with your account, posting malicious status,
following / blocking who it chooses, etc.?
Furthermore, all of the "other apps" comments don't directly apply --
every app on the iPhone is sandboxed, which protects it from any other
app tampering or accessing data. The only breach of this, of course,
is jailbreaking, but then again this is analogous to someone hacking
and "owning" the desktop you are browsing on, in which case OAuth is
no protection again.
The variance for desktop apps is that they aren't sandboxed away from
other apps on the machine, but other than that, most of this all
applies to that environment too.
Unless other information surfaces, Christopher, best I can tell, you
are spot on. OAuth seems particularly relevant to web applications,
and relevant to desktop and iPhone apps primarily if your desktop /
iPhone are NOT password protected, and the application in question has
stored credentials, and you either lose or have stolen your desktop /
iPhone.
In conclusion, addressing one last example of ATM cards and pins --
you picked the safe example. A credit card is far less safe than all
of this, because lose one of those, and the finder is on a shopping
spree, no ID or pin required. And I'd bet 99% of this mailing list,
including the OAuth devotees, carry a credit card, and don't think
twice about the fact that they are one hole in their pocket away from
receiving a truckload of Shamwow's delivered to their house.
Regards,
Brad
In conclusion, addressing one last example of ATM cards and pins -- you picked the safe example. A credit card is far less safe than all of this, because lose one of those, and the finder is on a shopping spree, no ID or pin required. And I'd bet 99% of this mailing list, including the OAuth devotees, carry a credit card, and don't think twice about the fact that they are one hole in their pocket away from receiving a truckload of Shamwow's delivered to their house.