I think the caricature of OAuth there should be taken with a grain of salt. The author talks about "OAuth", but seems to be referring to OAuth 2 primarily, which is very different from OAuth 1. Also, the author says that the protocol was designed for authorizing website-to-website communication, but then says it's insecure in a desktop app environment, which it is. They also point to the (very good) article about using OAuth for authentication, which again, the protocol was not designed for.

So yes, if you don't use the protocol in the way it's intended, absolutely it's insecure. The same can be said for AES encryption (like if you use it in CBC mode to protect predictable messages). Should you trust a system just because it's using OAuth? Definitely not. But is it insecure just because it's using OAuth? I would say no. If you disagree, you can even get paid if you can find a flaw in Facebook's implementation, so you should take them up on it :)
On Fri, Mar 22, 2013 at 9:11 AM, Tyler Romeo <tylerromeo(a)gmail.com> wrote:
Most of those concerns are valid. Daniel Friesen has managed to convince me that OAuth is absolutely horrible, and that we will probably have to make our own authentication framework.

--
Tyler Romeo
Stevens Institute of Technology, Class of 2015
Major in Computer Science
www.whizkidztech.com | tylerromeo(a)gmail.com
On Fri, Mar 22, 2013 at 11:59 AM, Yuri Astrakhan <yastrakhan(a)wikimedia.org> wrote:

There was a discussion recently about OAuth, and I just saw this blog post <http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-ap…> (posted on slashdot <http://tech.slashdot.org/story/13/03/22/1439235/a-truckload-of-oauth-issues…>) with some heavy criticisms. I am not an expert in OAuth and do not yet have a pro/against position; this is more of an FYI for those interested.

--yurik
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l