
Rethinking authentication for twitter  - utnick
http://www.scripting.com/stories/2009/01/05/rethinkingAuthentication.html
======
pmjordan
_"do you see any problems??"_

Yes:

- You're still submitting your password to an untrusted entity. As soon as
they have it, they can: (a) change your password and lock you out of your
account (b) attempt to use that password for other services you use as most
people re-use their passwords

- IP address filtering is useless. The attacker just needs access to a botnet
to flood you with requests.

Something OAuth-like is the only way forward: granting revocable, fine-grained
access to whatever subset of operations is required for the service in
question. Bonus points for being able to undo all operations of a certain type
resulting from that third-party access. (i.e. 1-click undo of all DMs, tweets,
etc.)

I really hope they make this work soon.

~~~
ivey
_"revocable, fine-grained access to whatever subset of operations is required
for the service in question"_

This is exactly what is needed, and what the current "OAuth doesn't solve
Phishing!" response misses.

------
tptacek
I don't get it. If you're worried about someone taking the user/password you
gave them and being unscrupulous with it, exactly what does tracking IP
addresses buy you? The thing you're most worried about is that they're going
to sell every asshole on the Internet a DVD with usernames and passwords on
it.

~~~
Retric
I say let users create a 128 bit UID that lets remote users Read and/or Post
messages from your account. Let people track what that UID did and you can
smack down any issues.
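As an added example (not code from the article, from Twitter, or from any commenter) of the revocable, scoped, auditable per-app token that pmjordan and Retric describe, here is a small Python token authority; the scope names and the in-memory store are assumptions made for the illustration.

```python
import hashlib
import secrets
import time

# Scopes a third party may be granted; "read"/"post_tweet"/"send_dm" are assumed names.
VALID_SCOPES = {"read", "post_tweet", "send_dm"}


class TokenAuthority:
    def __init__(self):
        self._tokens = {}    # sha256(token) -> {"user", "scopes", "revoked"}
        self.audit_log = []  # one record per authorized operation

    @staticmethod
    def _key(token):
        # Only a digest is stored, so a leaked store does not leak usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, scopes):
        scopes = set(scopes)
        if not scopes <= VALID_SCOPES:
            raise ValueError(f"unknown scope(s): {scopes - VALID_SCOPES}")
        token = secrets.token_hex(16)  # 16 random bytes = 128 bits, per Retric's proposal
        self._tokens[self._key(token)] = {"user": user, "scopes": scopes, "revoked": False}
        return token

    def authorize(self, token, operation, payload=None):
        """Allow `operation` only for a live token that was granted that scope."""
        rec = self._tokens.get(self._key(token))
        if rec is None or rec["revoked"] or operation not in rec["scopes"]:
            return False
        self.audit_log.append({"token": self._key(token), "user": rec["user"],
                               "op": operation, "payload": payload,
                               "ts": time.time(), "undone": False})
        return True

    def revoke(self, token):
        rec = self._tokens.get(self._key(token))
        if rec is not None:
            rec["revoked"] = True  # record is kept so the audit trail stays attributable

    def undo(self, token, operation):
        """Return payloads of every not-yet-undone `operation` by this token and
        mark them undone; the caller deletes the corresponding posts (1-click undo)."""
        key = self._key(token)
        hits = [r for r in self.audit_log
                if r["token"] == key and r["op"] == operation and not r["undone"]]
        for r in hits:
            r["undone"] = True
        return [r["payload"] for r in hits]
```

The user's real password never reaches the third party, a token granted only "read" cannot post, and revoking or undoing affects only that one app's token.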

~~~
tptacek
At that point, might as well go with something standard, like OAuth.

~~~
Retric
_OAuth Core 1.0, the main protocol, was finalized in December._

Is there anything out there that is well known and stable?

~~~
tptacek
I'm sure there's something buried in the bowels of SAML, but that doesn't make
it well-known or stable.

------
kwamenum86
The author misses the point that OAuth allows a site to interface with
external servers WITHOUT having user credentials pass through a third party.
Further, the technique described would not have prevented today's Twitter
attacks. It would only prevent continual abuse from a single server. How hard
is it for an enterprising young (or old) hacker to find another IP to use
though?

------
jlujan
How did this make it on to HN... The author of the article is clearly confused
about the issue. More, who the hell cares... it is Twitter. If you are worried
about someone ruining your good name by hacking your twitter account, you
most certainly have more relevant personal issues to address. How was the
article "techie" at all aside from name dropping and the author's self
validation from "implementing" a similar auth API? burn:period:

------
bkudria
Sometimes I read Dave Winer for his opinion pieces. I try to avoid any
technical pieces he writes, however.

