Wednesday 22 April 2009

«Sign-In with Twitter»: Should we be Scared?

Last week, Twitter opened up its «sign-in with Twitter» open authentication (OAuth) service under the radar. To be fair to Twitter, the news last week was more focused on the one-million-follower story and the arrival of big media names on the service. Now, I've always been an advocate of using OAuth-type services (I personally use OpenID as much as possible), both to simplify a user's life and to avoid the problem of password re-use.

It also goes to Twitter's credit to move in this direction and to provide this type of service, which eases the integration of external applications and makes it easier for users to provide their Twitter information.

Disclaimer: I have not had the time (and that's not likely to change in the near future) to fully investigate and examine the security of the Twitter OAuth service. The following rant is purely about Twitter's current public track record...

Twitter's public track record of securing the service and keeping it reliable is less than top notch. My top three issues, which have been discussed, re-discussed and overall made serious news for Twitter, can be summed up with this list:

  • The service has a long history of availability issues, or rather non-availability, in times of high traffic. Although this hasn't occurred in a while, it's bound to happen again given the growth patterns of late;
  • The security community has a number of times criticised the continued use of basic authentication (i.e. the password sent merely base64-encoded) to use the service. The problem is that this is an easy way to grab the user's password, which would break or poke serious holes in the OAuth service;
  • There have been a repeated number of XSS attacks and worms, including the most recent Mikeyy worm, which lasted over two weeks in its different iterations.

These three points make me wonder whether I would really be able to trust such a service. Will I be able to use it at all times? Am I sure the authentication won't lead to a password leak? Am I sure that the OAuth exchange won't be replayable? Can I be sure that the OAuth session isn't being misdirected or stolen somehow via XSS or a worm? It makes me wonder whether the service will actually provide a decent and safe mechanism for authentication and whether or not my credentials are going to be safe :- scary......
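To make the basic-auth point above and the replay question concrete, here is an added example (my own illustration, not Twitter's code or anything from its API documentation). It shows why a basic-auth header is a credential leak waiting to happen (base64 is reversible, so any proxy, log or XSS payload that sees the header sees the password), and how an OAuth 1.0a-style HMAC-SHA1 signed request avoids sending the secrets at all, with a server-side check that rejects stale timestamps and reused nonces so a captured request cannot be replayed. All names (`OAuthVerifier`, the consumer/token keys and secrets, the captured header and the URL) are constructed for this example and are not Twitter's.

```python
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse

# Constructed sample values (not real credentials or a real Twitter endpoint).
CAPTURED_BASIC_HEADER = "Basic YWxpY2U6czNjcmV0"   # base64 of "alice:s3cret"
URL = "https://api.example.invalid/statuses/update"
CONSUMER_KEY, CONSUMER_SECRET = "app-key-1", "CONSUMERSECRET-xyz"
TOKEN, TOKEN_SECRET = "user-token-1", "TOKENSECRET-abc"


def decode_basic_auth(header_value):
    """Recover user name and password from an HTTP Basic Authorization header.
    Base64 is an encoding, not encryption: whoever sees the header sees the password."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(encoded).decode("utf-8").partition(":")
    return user, password


def _pct(value):
    # RFC 3986 percent-encoding as OAuth 1.0a requires (only unreserved chars kept).
    return urllib.parse.quote(str(value), safe="-._~")


def oauth_base_string(method, url, params):
    # Parameters sorted by key, encoded, joined with '&', then concatenated with method and URL.
    normalized = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), _pct(url), _pct(normalized)])


def oauth_sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed by both secrets. The secrets never travel."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    digest = hmac.new(key, oauth_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_signed_request(method, url, params, consumer_key, consumer_secret,
                         token, token_secret, nonce=None, timestamp=None):
    """Client side: attach the oauth_* parameters and the signature to a request."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    all_params = {**params, **oauth_params}
    return {**all_params, "oauth_signature": oauth_sign(method, url, all_params,
                                                        consumer_secret, token_secret)}


class OAuthVerifier:
    """Server side: recompute the signature, reject stale timestamps and reused nonces."""

    def __init__(self, consumer_secrets, token_secrets, window_seconds=300):
        self.consumer_secrets = consumer_secrets   # consumer_key -> consumer_secret
        self.token_secrets = token_secrets         # token -> token_secret
        self.window = window_seconds
        self.seen_nonces = set()                   # (consumer, token, nonce, timestamp)

    def verify(self, method, url, request, now=None):
        now = now if now is not None else int(time.time())
        request = dict(request)
        presented = request.pop("oauth_signature", None)
        if presented is None:
            return False, "missing signature"
        try:
            ts = int(request["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        nonce_key = (request.get("oauth_consumer_key"), request.get("oauth_token"),
                     request.get("oauth_nonce"), ts)
        if nonce_key in self.seen_nonces:
            return False, "nonce already used (replay)"
        c_secret = self.consumer_secrets.get(request.get("oauth_consumer_key"))
        t_secret = self.token_secrets.get(request.get("oauth_token"))
        if c_secret is None or t_secret is None:
            return False, "unknown consumer or token"
        expected = oauth_sign(method, url, request, c_secret, t_secret)
        if not hmac.compare_digest(expected, presented):
            return False, "signature mismatch"
        self.seen_nonces.add(nonce_key)
        return True, "ok"


def demo():
    """Walk through both points; returns the outcomes so they can be checked."""
    leaked = decode_basic_auth(CAPTURED_BASIC_HEADER)
    now = 1240000000  # fixed clock so the walk-through is deterministic
    req = build_signed_request("POST", URL, {"status": "hello"}, CONSUMER_KEY,
                               CONSUMER_SECRET, TOKEN, TOKEN_SECRET, nonce="n1", timestamp=now)
    server = OAuthVerifier({CONSUMER_KEY: CONSUMER_SECRET}, {TOKEN: TOKEN_SECRET})
    first = server.verify("POST", URL, req, now=now)
    replay = server.verify("POST", URL, req, now=now)           # same request again
    tampered = {**req, "status": "changed"}                     # body altered, signature kept
    tamper = OAuthVerifier({CONSUMER_KEY: CONSUMER_SECRET},
                           {TOKEN: TOKEN_SECRET}).verify("POST", URL, tampered, now=now)
    stale = OAuthVerifier({CONSUMER_KEY: CONSUMER_SECRET},
                          {TOKEN: TOKEN_SECRET}).verify("POST", URL, req, now=now + 3600)
    secret_on_wire = CONSUMER_SECRET in repr(req) or TOKEN_SECRET in repr(req)
    return {"basic_leaks": leaked, "first": first, "replay": replay,
            "tamper": tamper, "stale": stale, "secret_on_wire": secret_on_wire}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The replay defence only works if the server actually remembers nonces for the length of its timestamp window; a verifier that checks the signature but not the nonce would accept a captured request as many times as it is resent.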
