"

Time to be frank: any security that OAuth claims – with respect to native applications – is an illusion. If a native app wants to get a copy of your password, it will get a copy of your password. If it wants to hijack the authentication process, bring up a bogus “browser” for you to enter a password into, register keyloggers, muck with your system web proxy settings and sniff passwords before they hit the wire, or phish you some other way, guess what: it can and it will. OAuth does not solve these problems. It just adds complexity to the login process.

But this post is not meant to bash OAuth – I think it’s a fantastic solution to authenticate other web apps. The problem is that it flat-out sucks for everything else.

"

Fixing OAuth: a frank discussion of a problem many people tend to ignore (the security OAuth actually provides when the client is a native application rather than another web app), plus a suggested solution.