ReadWriteWeb

Why Twitter's New Security Solution Could Pave the Way to a Future Web of Mashups

Written by Marshall Kirkpatrick / January 23, 2009 5:48 PM / 21 Comments

Microblogging service Twitter's habit of playing fast and loose with user passwords may be coming to an end, if a technical trial started today can be successfully implemented by its development team. Earlier this month, the company saw the accounts of users from Barack Obama to Fox News to Britney Spears get "hacked." More importantly, millions of Twitter users hand out their passwords to strangers every day, because there's no other way to access the fabulous ecosystem of applications built on top of the famous Twitter data platform, or API.

Today Twitter opened up trial access to a new user sign-in protocol for third party developers - until it was swamped by demand and the trial was closed just two hours later. This isn't just a geek story, though: it could affect all users of Twitter and of other sites all around the web.

The solution being explored (called OAuth) could not only make the much-watched Twitter more secure, it could help usher in an era where effective user security enables an explosion of mashups across every website we store our data in. Twitter is planning its own showcase of trusted applications, but this could be an important part of an even bigger story.

Hi, It's Nice to Meet You - Can I Have the Keys to Your House?

Twitter's hype and VC fortunes are largely founded on interfaces on desktops, iPhones and other unaffiliated webpages - built by developers who don't work for Twitter. Those applications are all about interacting with user data stored on Twitter's servers, and yet the company has offered nothing but the simplest method of accessing that user data by those outside apps.

The makers of everything from desktop apps like Tweetdeck and Twhirl, to web services like FriendFeed, Twitterfeed and others have been required to ask users to give up their Twitter usernames and passwords in order to read and write to Twitter user data. And apps built outside of the Twitter.com web page are by far the best way to post messages to Twitter.

Who wants to give some brand new website they've never seen before the password to their Twitter account - an increasingly important part of millions of people's communication online? The fact is, many of us are doing so every day - and it makes a lot of us very uncomfortable.

The recent hacking of Twitter accounts wouldn't have been prevented by the steps Twitter is taking today; that hack required nothing more than a teenager running the most elementary brute-force trial-and-error script until the password "happiness" was found for the login at twitter.com/admin. Nonetheless, the Twitter community called for these steps much more loudly after those hacks.

So Finally...Twitter Is Readying OAuth!

Twitter's proposed solution to the problem of turning all its users into "password-sluts" is a system called OAuth. It's an open user-authentication protocol based in large part on work done years ago at Flickr. If you've used an outside application for, say, uploading your photos to Flickr, you've seen how it works. You tell the application "my name is marshallk on Flickr and I want to use your service to access my account there." The service goes and asks Flickr for permission, Flickr pops up a window and says "this other website wants to access your private data on Flickr, can you prove you are really you and tell us to give them access?" Then you give Flickr your Flickr password, not the outside service.

The idea is that with OAuth, users can say to a website - "I'd like to bring my Twitter data over to your site, but let me log into Twitter and give them permission to give it to you."

Right now, outside websites are forced to essentially pretend to be you after cajoling your secret password out of you, tricking Twitter into giving up the data, and then promising you that they will not abuse this secret password knowledge they've been entrusted with.

It's a pretty unsustainable situation.

OAuth looks and feels to users a whole lot like the new Facebook Connect, or OpenID login. Why go with OAuth instead? Facebook Connect is a proprietary system that hoards all the user data over the long term and takes too much control over sites that use it. OpenID can't be used by desktop apps and is too often ugly enough that you'd rather stay home than take it to a party. Enter OAuth, a technology that hopes to solve all those problems.

By being an "open standard" it can essentially be replicated all around the web. That means that authenticating sites can just plug in a secure user login procedure with relative ease, and third parties wanting to build a bridge between their apps and OAuth-supporting apps don't have to build to a new data interface (API) every time, because there's a standard.

It doesn't always work perfectly. The Google-led OpenSocial initiative was supposed to herald a new day of data and application portability across scores of the social networks around the web (all the ones that are less popular than Facebook). Things like OAuth were supposed to make OpenSocial a "write once - apply everywhere" platform, but for political, technical and business reasons, it turned out much harder than that and almost no one cares anyway.

The Moral of the Story: Never Give Your Twitter Password to a Stranger Again

If the OAuth trial that started today is a success, you shouldn't ever have to wince and hand over your Twitter username and password to a stranger again. That will be very nice. It's the kind of thing that ought to be best practice everywhere that two applications swap spit (user data), and we hope it will be someday soon.

A key part of "data portability" will be letting users feel secure and in control enough of their data to go ahead and use it in multiple places. That's something Facebook has put a huge emphasis on, at the expense of open community standards and to the benefit of their business interests as the would-be only social networking game in town.

Announcing (?) The Twitter App Showcase

What's Twitter's plan for this surprisingly important technical direction they are exploring? We asked Twitter API lead Alex Payne and this is what he said:

My goal for our OAuth launch is to give our users more control and confidence in their interactions with third-party Twitter-powered applications. Basic Auth has worked for a certain class of single-user application running on a trusted network, but OAuth will increase the reach of Twitter apps that can be used safely and securely on a variety of platforms. What's more, OAuth gives us the data we need to build an application gallery to better showcase the great work Twitter developers are doing.

Our launch plan entails a month or two in private beta, a similar amount of time in public beta, and then a final release. After the final release, we'll allow OAuth to co-exist with Basic Auth for no less than six months, and hopefully not much longer. OAuth should be the sole supported authentication mechanism for the Twitter API by the end of 2009.

Those are solid gold words, right there. We hope the OAuth community and Twitter can nail this test and implementation, opening the door to a new era of interfaces and applications built by anyone on earth but securely leveraging Twitter user data. A Twitter ecosystem where people feel secure sharing their data could end up being a much bigger Twitter ecosystem.

That should be not just the future of Twitter, that should be the future of data-centric online computing in every part of our lives.

And Then The Dominoes Fall

Many people say that Twitter is changing the web all around it. It's not just a symbol of a new communication paradigm, it's training millions of people to communicate publicly in very short, rapid messages.

That same influence could extend to helping spread secure, standards-based user authentication protocols like OAuth.

It isn't hard to imagine people saying "Twitter lets me use applications like Tweetdeck to send public messages to The_Real_Shaq - so why can't my bank data be shared with Mint without me giving Mint my bank password? Why can't my school transcripts be exposed to Netflix to get recommendations of the most popular movies related to the subjects I'm studying - without me giving Netflix my school password?"

That kind of future could come all the faster if all of these services used a standardized authentication system, like OAuth. As of this September, that's exactly what Netflix uses, in fact.

You get the picture. Effective Twitter implementation of OAuth is a far more important matter than it might seem. This isn't something small, dry and technical. This is the future of integrated, hyper-smart social computing being built right before our eyes.


Comments


  1. Thank you. Now I actually understand what OAuth is! Also, I like the part about swapping spit. :-)

    Posted by: Kathleen McDade | January 23, 2009 8:27 PM



  2. Great post, Marshall. One thing though: OAuth and OpenID are complementary not competing protocols as your post makes it sound like. The "auth" in OAuth is short for authorization not authentication (which is what OpenID is for). OpenID answers the question "Who are you?" while OAuth answers the question "What are you allowed to do?" See http://tinyurl.com/2emme5 for more info.

    OAuth isn't the only show in town as you probably know. Other phenomenal protocols and technologies that will help usher in the Netflix/university data exchange software are WS-Federation, WS-Trust, SAML, and WS-Security. These standards are really complex, but another open technology, Information Card, abstracts away the complexities from developers (for the most part), allowing them to concentrate on creating that movie-look-up-by-subject application instead of security-related protocol adherence.

    With technologies like OAuth, OpenID, WS-*, SAML, and Information Card, a new day of openness and data portability is certainly on the near horizon.

    Thanks again for the info both here and on Twitter.

    Posted by: Travis Spencer | January 23, 2009 9:18 PM



  3. As we were developing TimePoke we really wanted to start out with Twitter integrated, but we could not justify the security hazard in asking our users for their Twitter passwords. We even went to a model where they would have to enter it for each session.

    We eventually decided to start with Yammer as they supported OAuth almost from the beginning. We saw on the Twitter development Google group that Twitter was headed in the right direction.

    So far it has been the right decision, but has forced us to be patient since Yammer has far fewer users.

    Posted by: Adam | January 23, 2009 9:32 PM



  4. Nice post Marshall -- above and beyond your typical vigor!

    @Adam: It's funny that you mention Yammer. Yammer originally invented their own OAuth-like protocol and after a rather curt introduction to the OAuth community, came around to embracing OAuth:

    http://groups.google.com/group/oauth/browse_thread/thread/88d1c4155dcc1699/362f574028de6c2e

    Great to see more successes like this!

    Posted by: factoryjoe.com | January 23, 2009 9:43 PM



  5. Wow! Really great post. Thanks for helping explain this important stuff to mainstream users,

    Posted by: John McCrea | January 23, 2009 10:26 PM



  6. Yup... Netflix API uses OAuth too... I think OAuth is the way to go for Twitter.

    http://developer.netflix.com/blog/read/Introducing_the_Netflix_API

    Posted by: Jeff | January 24, 2009 1:00 AM



  7. Nice post Marshall.

    Travis - thanks for the clarification between OAuth and OpenID. I was just about to address that but saw your comment.

    Posted by: shopfiber.myopenid.com | January 24, 2009 5:32 AM



  8. Thanks for the great intro to OAuth. A small typo in the article, if you will -
    This
    "The Google-led OpenSocial ...."
    instead of
    "The Google-lead OpenSocial ...."

    Posted by: Shriram R | January 24, 2009 6:02 AM



  9. As always, a great post with some great insight. Let's hope that OAuth can help the Twitter ecosystem flourish.

    Mark

    Posted by: Mark Evans | January 24, 2009 6:18 AM



  10. Thanks for the feedback, everybody. Adding a note re the discussion re OpenID/OAuth in comments.

     Posted by: Marshall Kirkpatrick | January 24, 2009 8:44 AM



  11. Interesting post but lacking proper understanding of the issues involved.

    First of all using the phrase "tricking Twitter into giving up the data" is FUD. There are no tricks involved, Twitter offers up their API as a legitimate way to access users' data and painting it as something that's not by design makes application developers who use it look like crooks.

    Secondly, as other commenters have said, the fact you pitch OpenID as a competitive technology to OAuth shows that you don't really understand what's going on.

    And finally you state that application developers have "been required to ask users to give up their Twitter usernames and passwords in order to read and write to Twitter user data". This is not at all accurate.

    The only operations that require another user's authentication details are changes to their account (e.g. follow another user or post a tweet). The Twitter API goes out of its way to ensure that all other data can be accessed using the developer's account details.

    Consider how many apps are out there that ask for your password but only use it to post a tweet on your behalf pimping the app to your followers.

    OAuth will be a great addition to Twitter and it's been a long time coming, but let's not forget that the only thing it really prevents is developers hijacking your account by changing your password. You're still going to give apps permission to access your DMs and tweet for you.

    I've been accepted into the private beta and I'm very excited to see what Twitter have done, but I have no delusions that this will put an end to security issues, and posts like this which imply it will are not helping the general public become more security conscious.

    Posted by: Stuart Dallas | January 24, 2009 9:06 AM



  12. Dear Soggy Blanket Stuart, thanks for your comment, lots of important points. I'll try to respond.

    1. "tricking Twitter into giving up the data" You're right, in this case there's no trickery per se, though this trickery is exactly how other systems like it work, is it not? For example, find out which of your GMail friends are on Facebook? (Unless Facebook is using the new GMail contacts API, which I hope they are, but not everyone is.)

    2. "the fact you pitch OpenID as a competitive technology to OAuth shows that you don't really understand what's going on." I don't know that I pitched it as competitive, I think that for most casual users who are just wrapping their heads around OpenID, "why can't I just use OpenID" is a pretty legit question to ask about OAuth. My understanding is that OAuth is for mashups and works with desktop apps, whereas with OpenID neither of those is really true.

    3. "And finally you state that application developers have "been required to ask users to give up their Twitter usernames and passwords in order to read and write to Twitter user data". This is not at all accurate."

    You are right, there's a bunch of data that doesn't require user login, but as I say later, in order to tweet through a third party, you have to give up your password.


    In conclusion, all these seem like details that deserve clarification and in some cases ways I am wrong, but hardly deserved the "you suck and are part of the problem" comment you left.

     Posted by: Marshall Kirkpatrick | January 24, 2009 9:40 AM



  13. ...I'd also add that a lot of Twitter apps ask for your password merely to get access to protected accounts -- that is, for many people with public Twitter accounts, third-party apps work without authentication... but for the small number with private accounts, third-party apps probably just dispense with the complexity of saying "if your account is private, please give us your password" -- and ask EVERYONE for their credentials.

    This is probably also true so that third-party apps can see private tweets of a user's friends... kind of like the FOAF problem where, if I have the email address of my friends, I would expose them by publishing my FOAF profile (this has been improved with email hashing, but demonstrates the problem with third party data disclosure of other people's data).

    Posted by: factoryjoe.com | January 24, 2009 9:53 AM



  14. Lots of good points here, can't wait til more systems use 'pull validation' rather than 'push validation'.

    I would say that the system that taught people to communicate in short burst is Instant Messenger, and Twitter is basically like IM with the world.

    Posted by: Jeremy Meyers (posted on FriendFeed) | January 24, 2009 9:58 AM



  15. Mmm, soggy blanket. That's a new one ;-) First of all let me apologise if my comment came off with a "you suck and are part of the problem" attitude. My intention was mainly to point out that there are similar risks associated with giving third parties permission with OAuth, they're just a little more limited than sharing your password.

    1. I agree that trickery has and is used to access data from other services, but why imply that here?

    2. If people really are asking "why can't I just use OpenID", surely it's in your remit to explain why and educate your readers rather than including it in a discussion of the options. As I understand it, and I could be wrong, there is nothing technically preventing the use of OpenID from a desktop app. After all, your browser is a desktop app.

    3. In that case your text should have read "been required to ask users to give up their Twitter usernames and passwords in order to write to Twitter user data" which is a whole lot more accurate.

    Again I apologise if my comment came off a bit angrier than intended, I'm just concerned that unrealistic expectations are being set where OAuth is concerned. There will still be nothing stopping applications harvesting your direct messages or posting tweets as you without your prior permission.

    I don't yet know how fine-grained the permissions system Twitter have implemented is, but people need to be made aware that OAuth will not make third-party access to Twitter "safe", it just makes it a little safer and a whole lot easier to clean up when they misbehave.

    Posted by: Stuart Dallas | January 24, 2009 10:12 AM



  16. It's great to see a thoughtful conversation around OAuth, SAML, etc. It's also great to see that Twitter has finally embraced OAuth; I look forward to a time when more people will feel comfortable interacting with some of the great third-party apps that will enhance the twitter ecosystem.

    I am more than a bit biased; Mashery's API infrastructure service powers the OAuth implementation used by Netflix and the SAML implementation used by the New York Times for its developer site. After implementing a half dozen or so "OAuth-like" protocols before OAuth came along, it is nice to have a standard that people have embraced, and that we can switch on easily for our clients.

    @travis - you are spot on. Authentication and Authorization are separate but both important issues, solved by different standards.

    @factoryjoe - indeed, and thank you so much for your tireless work to get OAuth promulgated and accepted so quickly.

    Bottom line - there are so many great apps being developed on Twitter that we should not put our account and password at risk each time we try one, and we should not be forced to change our passwords a dozen places if we decide we don't want a particular developer to have access any longer.

    We're thrilled with the reception that Netflix's OAuth implementation has received, and honored to be a part of that launch. Look for more Mashery-powered APIs supporting OAuth and SAML in the near future.

    Oren Michels
    CEO
    Mashery

    Posted by: Oren Michels | January 24, 2009 5:34 PM



  17. While it is certainly true that Twitter needs to beef up its security, OAuth wouldn't have prevented the hacking of Obama's account as I wrote some days ago http://blog.snyke.net/2009/01/08/would-oauth-have-prevented-the-latest-attack-on-twitter/

    Nevertheless I'm excited that they finally move beyond password sharing, which always felt a bit shady ^^

    Posted by: Christian Decker | January 25, 2009 5:55 AM



  18. I think the last paragraph was the best, I almost didn't read that far!!

    Posted by: vlectronica | January 28, 2009 3:54 PM



  19. So, what do you all think about this new Social Network Gadget?

    Do You Poken?

    Have you ever wished your social network could expand with a wave of your hand? Or, that you could scroll back in time to see who you met, where and when? Now you can! Just tap poken-to-poken, and you are instantly connected to your friends and colleagues. Choose how people view your contact information, and view your friends' pages on Facebook, Twitter, MySpace, and many other networks. Never again will you need to scribble your email address, screen name, or telephone number on a napkin!

    Posted by: John | January 28, 2009 5:13 PM



  20. Marshall - be sure to let us know when Twitter opens up the OAuth beta.

    Posted by: Adam | February 4, 2009 12:50 PM



  21. This is one of the most hypocritical things I've ever heard! Twitter is going to use OAuth? When you sign up for Twitter it asks you for the username and password for your EMAIL ACCOUNT!

    When you give someone the password to your email you've essentially given them the power to reset your password on all your bank accounts, all your credit cards, and all your online shopping accounts. Most banks, credit cards, and shops allow you to reset your password by sending it to your email. So, all a hacker would have to do is request a password from a place like Amazon.com and, since they have access to your email account, they now have access to your Amazon.com account.

    Twitter has no moral problems asking you to cough up your personal email account password, but now I'm supposed to think they're enlightened because they don't want their users to be "password sluts?"

    Dumb.

    Twitter should not ask you for your email password. Neither should Facebook. Neither should any of the dozens of "social networking" sites out there. It's morally reprehensible!

    Posted by: The troll in the corner | February 11, 2009 8:25 AM


