xAuth is balls

19 June 2010

When Twitter originally released their API, it had only one form of authentication, what is now known as "basic auth". The issue with basic auth is that it requires any application or website that ends up using the API to handle the user's username and password. Obviously, this represents a security issue, because those third parties have full access to the user's account, either via the API or by simply taking the password and logging in manually.

Like many other social services, Twitter eventually cottoned on that this was a bad idea, and they've adopted OAuth, a token-based authentication delegation system.

Some have argued that OAuth is too complex; if you read the Twitter dev mailing list there are numerous requests to keep basic auth but just move it to SSL only. Security and trust shouldn't be the easiest thing in the world; there needs to be a degree of complexity about them.

Somebody at Twitter got it into their mind that listening to the general whingers and whiners was a good idea. Instead of just relying on open standards, they've made their own protocol, dubbed xAuth, which works in conjunction with OAuth. xAuth requires the user to enter their username and password, and the application/website then exchanges those credentials for an OAuth access token and secret. Hang on a moment: their new security measure essentially requires you to enter "basic auth" credentials? This isn't a case of two steps forward, one step back; it's a case of two steps forward and then a bullet in the head.

The idea of OAuth is that you don't have to have complete trust in the applications – just the service. This method relies on the consumer application to "be a good citizen" and discard the username and password after they've got their tokens.
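The xAuth exchange described above, written out as an added example (my own Python, not Twitter's code or anything from the original post): the client signs a request to the OAuth access-token endpoint with the user's username and password as x_auth_* parameters, which is exactly why the consumer application necessarily handles the raw password, and then keeps only the returned token pair. The endpoint URL and x_auth_* parameter names are assumed from Twitter's xAuth documentation of the time; the keys, secrets and credentials are constructed.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, quote

# Endpoint and x_auth_* names are assumed from Twitter's xAuth docs of the time.
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"

def pct(value):
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay bare."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """METHOD&enc(url)&enc(params encoded, sorted and joined with = and &)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with enc(consumer_secret)&enc(token_secret), base64 output."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def build_xauth_request(consumer_key, consumer_secret, username, password,
                        nonce=None, timestamp=None):
    """Return (url, POST params) for the xAuth credential-for-token exchange.

    The raw password travels in the signed body as x_auth_password, so the
    consumer application handles it in full; the protocol itself does nothing
    to stop the app keeping it after the tokens come back.
    """
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
        "x_auth_mode": "client_auth",
        "x_auth_username": username,
        "x_auth_password": password,
    }
    base = signature_base_string("POST", ACCESS_TOKEN_URL, params)
    params["oauth_signature"] = sign(base, consumer_secret)  # no token secret yet
    return ACCESS_TOKEN_URL, params

def parse_access_token_response(body):
    """Keep only the token pair from the form-encoded reply. Once these are
    stored the password has no further use: this is the 'good citizen' step."""
    fields = parse_qs(body, strict_parsing=True)
    return {k: fields[k][0] for k in ("oauth_token", "oauth_token_secret")}
```

Everything the app needs after the exchange is the dictionary returned by parse_access_token_response; anything else it retains from build_xauth_request's params is the trust problem the post is complaining about.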

Twitter, please stick to social media, not security.
