Twitter has announced that all third-party sites will have to use OAuth. You will no longer be able to just type your username and password into your favourite web client to get access to Twitter.
This means that you won’t be able to log in to a third-party site by giving it your username and password. You will have to use OAuth to authenticate with the main Twitter site instead.
But – as ever – there’s a dark side to OAuth.
One of the joys of Twitter is that its clients are decentralised from the main site.
This means that if Twitter is blocked in your country, you can use a third party client (like Dabr) to access it.
Twitter User -> Dabr -> Twitter API -> Dabr -> User
If Dabr became sufficiently popular to be blocked by an oppressive regime, you can switch to any one of the thousands of Twitter web clients.
OAuth forces you to the main Twitter site. While you may visit Dabr to start with, you would be redirected to Twitter to complete OAuth. If Twitter is blocked, you can’t connect.
At a stroke, Twitter has shut itself off to anyone in a repressive country.
A (Hacky) Way Around It
There’s really only one way around this problem. The third party web client has to act as a man-in-the-middle. There’s a patch for Dabr – developed by cnyegle – which will ask for a username and password, then proxy it to Twitter, get the OAuth token and tweet on behalf of the user.
From the user’s point of view, they are still giving the (potentially untrusted) site the username and password.
This could be solved by implementing a challenge / response system.
- Alice visits the Dabr website.
- Dabr asks Alice for her username (and only her username)
- Dabr asks Twitter for the challenge associated with Alice’s username.
- Twitter checks that Dabr is an authorised website (i.e. has signed up for OAuth).
- Twitter returns the response: A secret phrase which Alice has previously chosen.
- Dabr displays this phrase to Alice.
- Alice recognises her phrase, so she knows that Twitter trusts Dabr (an impostor site that Twitter had not authorised could not have obtained it).
- Dabr asks Twitter for the password challenge.
- Twitter returns that it requires the 3rd, 5th and last character from Alice’s password (the characters requested change randomly).
- Dabr asks Alice for only those characters.
- If Alice provides the correct characters, an OAuth token is granted to Dabr to tweet on behalf of Alice.
This has the advantage of proving that Dabr is trusted (by displaying Alice’s pre-defined secret phrase) and mitigating the risk that Dabr is untrusted (by only revealing part of the password).
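As an added example (not code from the original post, and not Twitter’s or Dabr’s own code), here is the flow above simulated in Python with both sides in one process. Every class, method and name in it is this example’s own assumption, the consumer key is made up, and Alice’s account details are constructed sample data:

```python
import hmac
import random
import secrets
from dataclasses import dataclass

# Hypothetical simulation of the challenge/response flow described above.
# Class and method names are this example's own, not Twitter's or Dabr's APIs.


@dataclass
class User:
    # Partial-character checks need the password in recoverable form: a one-way
    # hash cannot answer "what is the 5th character?". Modelled here as plaintext.
    password: str
    secret_phrase: str  # anti-phishing phrase Alice chose when she registered


@dataclass
class Challenge:
    username: str
    client_id: str
    positions: tuple  # 1-indexed character positions the server asked for


class Twitter:
    """Server side: issues phrases, challenges and tokens to registered clients."""

    def __init__(self, rng=None):
        self.users = {}
        self.clients = set()  # consumer keys of sites that have signed up for OAuth
        self.challenges = {}  # challenge id -> Challenge, so clients cannot pick positions
        self.tokens = {}  # token -> (username, client_id)
        self.rng = rng or random.SystemRandom()

    def register_user(self, username, password, secret_phrase):
        if len(password) < 3:
            raise ValueError("password too short for a three-character challenge")
        self.users[username] = User(password, secret_phrase)

    def register_client(self, client_id):
        self.clients.add(client_id)

    def _require_client(self, client_id):
        if client_id not in self.clients:
            raise PermissionError(f"{client_id!r} has not signed up for OAuth")

    def phrase_for(self, client_id, username):
        """Steps 3-5: only a registered client may fetch Alice's secret phrase."""
        self._require_client(client_id)
        return self.users[username].secret_phrase

    def password_challenge(self, client_id, username):
        """Steps 7-8: two random positions plus the last character, chosen by the server."""
        self._require_client(client_id)
        n = len(self.users[username].password)
        positions = tuple(sorted(self.rng.sample(range(1, n), 2)) + [n])
        cid = secrets.token_hex(8)
        self.challenges[cid] = Challenge(username, client_id, positions)
        return cid, positions

    def redeem(self, client_id, cid, answer):
        """Step 10: grant a token if the characters match. Challenges are single use."""
        ch = self.challenges.pop(cid, None)
        if ch is None or ch.client_id != client_id:
            return None
        expected = "".join(self.users[ch.username].password[p - 1] for p in ch.positions)
        if not hmac.compare_digest(expected.encode(), answer.encode()):
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (ch.username, client_id)
        return token


class Dabr:
    """Client side: relays the phrase and the partial-password prompt to Alice."""

    CLIENT_ID = "dabr-consumer-key"  # assumed consumer key, not a real one

    def __init__(self, twitter):
        self.twitter = twitter

    def login(self, username, confirm_phrase, supply_chars):
        # confirm_phrase / supply_chars stand in for Alice's answers in the browser
        phrase = self.twitter.phrase_for(self.CLIENT_ID, username)
        if not confirm_phrase(phrase):
            return None  # Alice does not recognise the phrase, so she walks away
        cid, positions = self.twitter.password_challenge(self.CLIENT_ID, username)
        return self.twitter.redeem(self.CLIENT_ID, cid, supply_chars(positions))


def answer_from(password, positions):
    """What Alice types: only the requested characters, nothing else."""
    return "".join(password[p - 1] for p in positions)


def build_fixture(seed=1):
    """Constructed sample data: one user and one client that has signed up for OAuth."""
    tw = Twitter(rng=random.Random(seed))
    tw.register_user("alice", "correct horse battery", "purple giraffe")
    tw.register_client(Dabr.CLIENT_ID)
    return tw, Dabr(tw)


if __name__ == "__main__":
    tw, dabr = build_fixture()
    token = dabr.login(
        "alice",
        confirm_phrase=lambda p: p == "purple giraffe",
        supply_chars=lambda pos: answer_from("correct horse battery", pos),
    )
    print("token granted:", token is not None)
```

Two details carry the security weight: the challenge id binds Alice’s answer to the positions Twitter chose, so the client cannot request positions of its own choosing, and each challenge is consumed on first use. What the scheme cannot fix is also visible in the model: Twitter has to keep the password in recoverable form to check individual characters, and a dishonest client that Alice logs into repeatedly still collects the password a few characters at a time.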
This is a very new area, and I’ve not had a chance to read through all of the proposals. Nevertheless, it remains a fundamental problem that, if you can’t access a site, you need to delegate your trust to someone else.
I’m not a security expert – so I would appreciate someone pointing out the flaws in my reasoning.