{"id":1864,"date":"2011-05-19T00:08:23","date_gmt":"2011-05-19T04:08:23","guid":{"rendered":"http:\/\/www.red-sweater.com\/blog\/?p=1864"},"modified":"2011-05-19T09:10:06","modified_gmt":"2011-05-19T13:10:06","slug":"twitter-security-smackdown","status":"publish","type":"post","link":"https:\/\/redsweater.com\/blog\/1864\/twitter-security-smackdown","title":{"rendered":"Twitter Security Smackdown"},"content":{"rendered":"<p>Today Twitter <a href=\"http:\/\/groups.google.com\/group\/twitter-api-announce\/browse_thread\/thread\/e954fc0f8b5aa6ec\">announced<\/a> a few distinct policy changes for clients of their API, all wrapped up under the banner of improved security permissions for end-users. The best response I&#8217;ve seen yet is from John Gruber, who <a href=\"http:\/\/daringfireball.net\/2011\/05\/twitter_shit_sandwich\">smells something funny<\/a> in the deli. I tend to agree. The announcements today comprise some useful security enhancements, but the security gains from some of the decisions that were announced are not so great that they offset the serious disadvantage they impose on 3rd party developers, particularly developers of native mobile and desktop apps.<\/p>\n<p>Let me break the announcements today into three policy change assertions, and how I react to them.<\/p>\n<ol>\n<li>\n<p><strong>Access to Twitter direct messages will require a new level of user-granted permission.<\/strong> This is a great thing! I recently tweeted that something exactly like this was necessary, because I&#8217;ve grown tired of giving <em>every damn service<\/em> that I wish to connect to Twitter access to all my confidential direct messages. 
The new permission allows developers of client apps to state their desired permissions, and those permissions will be listed prominently on <a href=\"http:\/\/twitter.com\/settings\/applications\">your list of approved applications<\/a>.<\/p>\n<p><strong>Verdict: Kudos, Twitter.<\/strong><\/p>\n<\/li>\n<li>\n<p><strong>Developers of Twitter clients will be <em>required<\/em> to use OAuth in order to gain this new permission.<\/strong> In layman&#8217;s terms, this means client apps can&#8217;t log you in with just your username and password. You will need to be redirected to the web. This requirement is ostensibly because Twitter wants to increase the likelihood that end-users will be made aware of exactly which permissions a client application is requesting. Without this requirement, a native application could <em>claim to seek read-only access<\/em>, but behind the scenes be using your username and password, by way of Twitter&#8217;s xAuth solution, to request a higher level of permission than you intended to allow.<\/p>\n<p>I concede that this requirement is, on the face of it, an added protection for customers who are wary of providing Twitter credentials to an untrusted app. But here&#8217;s the catch with native software: you better trust it, because there is no shortage of ways in which it could screw you. It&#8217;s running with <strong>some degree of elevated permission on your own device<\/strong>. Twitter putting shackles on native app developers in the name of security is laughable. For example, it would be easy for an untrustworthy native app to provide a custom, compromised browser view that purports to drive a user through the Twitter OAuth permission flow with a given permission, but is actually requesting a different level of permission in a second, undisplayed web flow.<\/p>\n<p>This is not to say that we shouldn&#8217;t bother reining in native software that may be flawed or whose permission we may want to revoke. 
This is what is so clever about the xAuth workflow, the compromise that allows native apps to authenticate as if by way of an OAuth flow, but using a user&#8217;s username and password to facilitate the process. If an end-user or Twitter itself loses confidence in an xAuth-based application, they can <em>still<\/em> revoke access to the application in the same way they would for any other OAuth-managed client.<\/p>\n<p><strong>Verdict: Nice try, but if you don&#8217;t trust your native software, Twitter can&#8217;t do much to keep you from getting screwed.<\/strong><\/p>\n<\/li>\n<li>\n<p><strong>These requirements apply unilaterally to all native clients. Except Twitter&#8217;s.<\/strong> I grant you, <em>it makes sense<\/em> for a company to exempt itself from security restrictions that are imposed to prevent &#8220;bad guys&#8221; from taking control of a user&#8217;s credentials and doing damage to the user or to Twitter itself. But this story is complicated by the fact that Twitter entered a competitive market of native clients of its own system, where for years it was not a player, and then proceeded to adopt increasingly developer-hostile attitudes, in particular towards developers of software that aims to fill that coveted role of a &#8220;general purpose read\/write Twitter client.&#8221;<\/p>\n<p>Is it illegal to do what Twitter has done? Absolutely not, nor should it be. But in my opinion these 3rd party developers were a valuable asset that was pivotal in building passion for Twitter in the earliest years of its existence. Many of the features that we take for granted in Twitter itself were prototyped in 3rd party native applications. Hell, even Twitter&#8217;s own native Mac app was <em>itself a 3rd party application<\/em> (Tweetie) until not too long ago.<\/p>\n<p>Twitter&#8217;s attitude towards these developers seems to be: thanks for all the help, but we&#8217;re done with you. 
The fact that Twitter is willing to &#8220;whitelist&#8221; their own apps further suggests that this may not be a pure security play. Only legitimate developers of trustworthy apps would be interested in seeking an API key to connect to Twitter. If your aim is to write malevolent software that abuses Twitter or its users, you should be content to take an app like Twitter&#8217;s own Mac client, extract the portions that communicate &#8220;securely&#8221; with Twitter, and build your own app that only the savviest user will notice is actually posting to Twitter as &#8220;Twitter for Mac.&#8221;<\/p>\n<p>Twitter&#8217;s willingness to exempt any apps from the OAuth procedure is a concession that they don&#8217;t view xAuth authentication as <em>inherently<\/em> insecure. But they want to limit which API keys get the privilege of continuing to use it. So, expand that list of API keys. At the <em>very least<\/em>, add long-time supporters such as Iconfactory&#8217;s <a href=\"http:\/\/iconfactory.com\/software\/twitterrific\">Twitterrific<\/a>. Better? Provide some kind of approval process through which any qualified developer can seek first-class status. Best of all? Stick to what OAuth and xAuth are best for: providing the power to revoke access for bad actors after bad intentions are discovered. Forcing applications through OAuth is not going to prevent offensive, buggy, or intentionally malevolent code from being authorized by users, but it is going to degrade the user experience for all native clients except, oh, how about that? Twitter&#8217;s own.<\/p>\n<p><strong>Verdict: Dick move, Twitter.<\/strong><\/p>\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Today Twitter announced a few distinct policy changes for clients of their API, all wrapped up under the banner of improved security permissions for end-users. The best response I&#8217;ve seen yet is from John Gruber, who smells something funny in the deli. I tend to agree. 
The announcements today comprise some useful security enhancements, but [&hellip;]<\/p>\n","protected":false},"author":10,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[50,19,4],"tags":[],"class_list":["post-1864","post","type-post","status-publish","format-standard","hentry","category-rant","category-technology","category-web"],"_links":{"self":[{"href":"https:\/\/redsweater.com\/blog\/wp-json\/wp\/v2\/posts\/1864","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/redsweater.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/redsweater.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/redsweater.com\/blog\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/redsweater.com\/blog\/wp-json\/wp\/v2\/comments?post=1864"}],"version-history":[{"count":19,"href":"https:\/\/redsweater.com\/blog\/wp-json\/wp\/v2\/posts\/1864\/revisions"}],"predecessor-version":[{"id":1883,"href":"https:\/\/redsweater.com\/blog\/wp-json\/wp\/v2\/posts\/1864\/revisions\/1883"}],"wp:attachment":[{"href":"https:\/\/redsweater.com\/blog\/wp-json\/wp\/v2\/media?parent=1864"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/redsweater.com\/blog\/wp-json\/wp\/v2\/categories?post=1864"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/redsweater.com\/blog\/wp-json\/wp\/v2\/tags?post=1864"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}