The first is a malicious actor with access to a single system (in this
case, twitter) spamming. OAuth doesn't solve the problem of someone
using an account to spam using messages from that user (unless that
app doesn't need to message, and twitters OAuth implementation has
granular permissions).

The second is a malicious actor with access to a single system gaining
control of other systems that user has access to because they've used
the same username and/or password. Whilst this is bad practice on the
part of the user, we'd be silly to pretend that this isn't a large
problem.  OAuth *does* solve that problem, which is one of the
problems in this scenario.

The third is a malicious actor with access to a single system locking
the user out of their own account (by changing their password) and
claiming the account for themselves (which has been known to happen
with gmail accounts, for example).  Twitter, so far as I'm aware,
doesn't allow changes of passwords via the API, and I would assume
that an OAuth implementation would only allow access to the API, and
not the web interface.  Even were these things not the case, it
wouldn't make sense to allow an OAuth client to change the user
password.  So OAuth does solve this problem, also.

With OAuth you can turn off a particular token, blocking a *specific*
application (i.e. Twply).

It doesn't prevent bad actors from behaving badly, but it does given
provide a pathway to give users more control over third-party access
to their account.

I'm not really sure why Twply needed a user's Twitter credentials in
the first place (but boy, they sure are easy to ask for!), but I
imagine it helps with getting private @replies (which search alone
won't give you).

In that case, Twitter could make it possible, like Flickr does, to
enable a third-party app to request certain permissions -- in this
case, a user's reply stream -- and nothing more.

So I disagree that OAuth doesn't solve this problem. At the bare
minimum it minimizes the scope of the inconvenience of needing to
change your Twitter password (and then changing it in all the other
Twitter apps that you use).

If you don't like what your application does, or find it hard to do
what you want, I might also suggest that you developed your
application at the wrong time. Making financial commitments that rely
on a service which you have no agreement to level or service seems
like a bad idea.

--
Ed Finkler
http://funkatron.com
AIM: funka7ron
ICQ: 3922133
Skype: funka7ron

It's very easy to do what I want to do. I like what my application does. I
don't like how Twitter is making me do it though. I'm up for a boycott if
you can convince my competitors to do so as well - good luck with that.

"The plan is to support Basic Auth and OAuth concurrently, for at
least 6 months, if not more.

"We can’t completely turn off the Basic Auth API without having a
large impact to many APIs and clients."

http://factoryjoe.com/blog/2009/01/02/twitter-and-the-password-anti-p...

So, you will be given an option (no telling when) to use OAuth instead
of the plaintext username/password combo.

Of course it means many folks will still use the lowest common
denominator (and the most insecure method available) for some time,
but at least there will be a good transitional time period where
developers who want to use OAuth can do so, paving a path for those
who will need to migrate later.

Heck if Flickr could get its user base to move over to Yahoo accounts,
I imagine Twitter will be able to get app developers and users to move
over to OAuth in six months.

Of course, once we offer OAuth, it would be nice to see the same
community pressure that's been applied to us put towards companies
like Amazon. The Amazon.com iPhone app collects my username and
password, and that account is actually tied to my credit card
information. Where are the blog posts about their anti-patterns?

But let's say that there is (a) good reason for a desktop application to use
OAuth as its primary method; now I have a technical question. The way I'm
reading

        http://oauth.net/core/1.0/

is that I go and get a request token (A.2), but I need to redirect a user to
a service provider's login page (ouch) for her to authorize that token (A.3),
then provide a callback URL (double ouch) (A.3). At best this is turning my
application into not only a Twitter client, but also a web server (to accept
the callback). At worst this isn't possible because the Service provider
*can't* call me back due to network restrictions on the desktop machine.
Also, since TTYtter is text based, I *really* don't want to be opening up a
browser to get logins (or if I do, I want it to be Lynx, and fat chance I bet).

Clearly OAuth is the way to go for standalone web sites talking to Twitter,
but I get nervous about hearing OAuth will be the only method of access while
trying to work through the issues unique to a desktop client. I would
appreciate hearing from someone knowledgeable about the best way to overcome
these issues, or if there is a special way that I missed where an application
can authenticate itself by just asking the user for their OAuth credentials
and proxy everything to the service provider, which would also suck, but less,
from a developer standpoint. (But that would also probably defeat the purpose
of OAuth.)

        http://sites.google.com/site/oauthgoog/UXFedLogin/desktopapps

Were I king of Twitter, I would have banned any 3rd-party web sites
that request usernames and passwords. Lucky for you, I'm not in charge
8D.

The security expectations are different for desktop apps, I think.
Users understand the potential for malicious applications on the
desktop better, and that's why I never had a problem asking for a
username and password in Spaz, as long as I always communicated over
SSL, and stored the password locally in an encrypted format. Desktop
apps are typically not open to as many easy-to-execute attacks that
would allow for stealing of credentials as web apps. So, I feel
comfortable with desktop apps requesting usernames and passwords. I
also think that throwing the OAuth authorization squaredance would
indeed be a hassle that will confuse most users – maybe not as much as
OpenID does, but something that definitely will require a lot more
hand-holding and explanation on the part of app devs.

However, I don't know if it's reasonable or even possible to make a
distinction between web apps and desktop apps for the purposes of
authentication type. I suspect it is not.

OAuth does offer some wins over username/password exchange. As I
understand it (mostly from my experience with Flickr), these include:
- more granularity over authorization: an application can just request
read access, for example
- no password sharing required: many (most?) users will duplicate
usernames and passwords across various accounts. OAuth limits the
potential damage (although you could see some interesting information
assurance problems with Twitter accounts that feed other systems).
- A malicious app can be blocked system-wide (after being identified as such)
- A malicious app can be blocked from an account without changing that
account's username and pass (after being identified as such)

All that being said, *I will bet you dollars for donuts that you'll
see successful phishing attacks via OAuth*. In fact, you might even
see *more* successful attacks, because for as many folks who have
ill-advisedly entered their Twitter credentials into a 3rd-party site
to get an ego-stroke, I suspect that *more* will click a button that
says "give this application permission," no matter what permissions
are being requested.

Those who expect OAuth to be a panacea for identity theft on Twitter
simply don't understand the issues involved. Operating a modern
computer involves a lot of trust - trusting applications you run on
your machine, trusting web sites you set up accounts on, and the like.
And when you trust, there's always the potential for getting burned.
OAuth doesn't change that fundamentally.

In addition, OAuth or no, what makes us think classic phishing attacks
that collect Twitter usernames and passwords will stop? Remember,
*most Twitter users use the web site or SMS* and therefore may have
*no* interaction with the OAuth system -- all they ever do is enter a
username and password.  And even for folks who *do* have experience
with the OAuth system, I'd expect that without extensive training,
they'd still be likely to fall for classic phishing attacks.

As a side note, I wonder if Twitter API dev would have taken off as it
did if OAuth was required from the start. I believe that using HTTP
Basic Auth was a key to making API dev as accessible as possible.

--
Ed Finkler
http://funkatron.com
AIM: funka7ron
ICQ: 3922133
Skype: funka7ron

Basically, I think OAuth is awesome, but the idea that it's going to somehow
stop phishing is extreme.

Also, why do you assume that phishing attacks would have to come via
Twitter messages, though? Most come via email or web content on other
sites. Twitter currently uses email notifications for several events
-- faking those would be quite easy to do, for example.

OAuth may have mitigated (not blocked) *one* particular worm that was
sending messages directing people to a phishing site. And yes,
removing everyone's shoes does stop the shoe bombing attack. Whether
or not this actually makes you *safer* is something we should very
carefully consider. Personally, I'd say it helps, but only a little --
far less than most of our Thought Leaders claim.

Generally I think OAuth is a Good Idea, and I think it's probably a
good step for Twitter to take. I think I can say Alex agrees, or he
and the rest of the API team wouldn't be implementing it.

It's not really my job to tell Twitter what to do – first off, I think
they have people with very good security backgrounds in place, and
secondly I'm not on their payroll. But if you actually want to hear a
few things, I'll toss them out. I don't have time or motiviation atm
for a lot of detail (we just lost a family friend tonight to cancer),
but I'm happy to talk about them another day in detail if you want.

- immediately cease the development of any web-based applications that
require user credentials. I generally don't think that you're keeping
your user's best interests in mind when you do this.
- educate users about risk acceptance: what it means to trust a web
application with your credentials (or OAuth permissions), and what the
consequences could be if trust is broken.
- educate users about how to identify phishing attacks
- possibly implement some personal site ID techniques on the Twitter
homepage, like user-chosen identifier images

Even if you do a great job on all of these, though, you will always
have some people who fall for it.

Really. There isn't. People who work in security will tell you this.
The security industry spends millions and millions of dollars on
application trust issues, and there is no solution. There are things
you can do, but you can't "solve" the problem. You can only *mitigate*
risk.

People clamoring for OAuth -- this is the urgency you refer to -- are
participating in security theater. They want it implemented not
because it will make things a little better, but because they have
been whipped up into a frenzy by ye olde Thought Leaders and want
*something* to be done. I was completely serious about my shoe bomb
analogy, because it's a classic security theater – "oh shit, you could
put a bomb in your shoe! better check everyone's shoes!" It's a
temporary PR fix, but it doesn't solve the problem other than making
people feel better -- until the next security flavor of the week comes
around.

If you seriously want to study this kind of thing further, I think
starting off with Schneier's "Beyond Fear: Thinking Sensibly About
Security in an Uncertain World" would be a good idea. As a developer,
you should also dig into all the security info you can, and make
security a first-level concern. If you're a PHP dev (I know a lot of
folks here are), I'd probably start out with Chris Shiflett's
"Essential PHP Security." Rails devs should keep an eye on
http://www.rorsecurity.info/.