OAuth has rightly gained lots of popularity these days and, even given the current session fixation issues, I’m a strong fan of the delegated access control it promotes and helps implement. (For those of you who might not know, OAuth in a nutshell provides a Site A with access to data and features hosted on a Site B without asking you to provide your username/password to Site A.)

One of the prominent service providers offering OAuth-based authentication is… Twitter. As more and more people are using Twitter as a personal and professional communication tool, I’m wondering why many of the additional third-party services have not yet implemented OAuth-based authentication. I don’t know about you, but I’m getting slightly annoyed when an independent (often poorly designed) web site asks me to enter my full Twitter credentials. They all promise not to cache or store my username and password, but still, it does not feel right. Some don’t even use an SSL-encrypted HTTP connection for retrieving my secret user information.
Today I’d like to encourage all third-party Twitter services to jump onto the OAuth bandwagon and offer their users a secure and trusted way to delegate access control.
And here is my list of services that are carelessly insecure: they don’t use OAuth AND do not secure your Twitter account information by leveraging SSL:
I don’t want to finish this post without giving outstanding, positive examples of doing it right: Check out WeFollow and TwitterCounter.
We plan to update this list accordingly: we will add service providers that don’t do it right and move those that switch to OAuth off this hall of shame.
Which 3rd party Twitter services are you using? Please submit via the comments!

you can add to list topify.com we just implemented oAuth for existing users http://topify.com/oauth and full oAuth registrations is coming up in a couple of days
Both tweetvalue.com and tweetbackup.com support Twitter oAuth
Twinterface uses SSL & OAuth,… if someone wants a generic CodeIgniter OAuth Library,.. just send us a tweet/mail.
:)
I couldn’t agree with this more! Very important. I’m currently working on OnePage which makes use of the Twitter API. We’ve developed it with OAuth from the outset. If anyone wants to support and try out a new beta service please check out http://getonepage.com :)
Maybe something the OAuth team could do on their website?
Mark,
I couldn’t agree more.
The EV SSL indicator (Green URL Bars) can tell the user that they actually are on Twitter.com and not some fraudulent Web site pretending to be Twitter.com
I think Twitter should implement EV SSL as soon as possible.
(And force https at login)
Some 3rd-party Twitter vendors are reluctant to offer oAuth integration because the API has been less than stable in the past months.
Idea: instead of publishing a shame list, how about offering a public spreadsheet where vendors can submit links to their applications and indicate the status of oAuth-integration?
Let me “see” this, and I’ll even raise you a few chips: I would personally like to see these sites (Twitter especially, but 3rd party apps should follow) adopting more strenuous anti-phishing measures like extended validation ssl. I think the proliferation of 3rd party log-ins has created a scenario where it’s much, much easier for hackers to steal credentials — and, as many have pointed out, hacking into facebook or twitter could have seriously negative repercussions.
OAuth would be another great safeguard for these sites, and as you point out twitter itself is already using it. That plus the green url bar might really be something.
Write4net (http://write4.net) uses Twitter oAuth as login. It’s easy, quick and secure.
indeed!! check out my rant on @use_oauth
thanks for chiming in. it is absolutely ridiculous, not to mention the fact that the top tech blogs don’t care about this issue at all and are constantly promoting these sites without even a mention of oauth/ssl missing.
What about TweetDeck?
Or Thwirl?
Or Twitterfox?
Or any other alternate client that one would wish to use?
It seems Twitter is abandoning those uses of the API for purposes of furthering the whole “mashable” shit going around.
I have created a twitter apps gallery showcasing Twitter OAuth usage in their apps/site. Have a look at http://twitoauth.com and submit if you have yours
A Twitter-based word game Phrays uses it -> http://phrays.com
We’re using Oauth… was *relatively* easy ;)