I don't normally do "web programming", but now that I have to do some of it, I have to ask: how did this end up being the security standard? (OAuth 2.0, example from PayPal's API) pic.twitter.com/nHXqajAiej
This is actually a non-trivial difference, unless I am missing something. For example, you could put the signing in a secure enclave, and then it would be protected, and still fast since only the signing must operate securely.
But with the OAuth model, you would have to put the entire application in a secure enclave, from the storage right on down to the part where the HTTPS packet gets encoded, which seems terrible for performance.
What do you think about using TLS client certificates for this purpose?
I'd have to see the specifics but at least in theory I feel like that would have been a much better idea.
I'm not following how a signature would address the problem of a server application in a foreign data center possessing a secret. The signature also requires the secret. Also, this token endpoint call can exist in a security enclave. Token generation is distinct from token use.
What you are describing is actually the correct way to do authentication, and is what anyone with half a brain does. The rise of JWT/OAuth type systems makes me sad because they are equally more complex and less secure.
Not only OAuth. All web services that provide "API" use this model of requiring you to pass the secret in the request header. Even services you pay for.
A signature would require a public/private key pair which has its own management issue, no? And for financial transactions you would in any case expect the entire application to be in a secure enclave irrespective of the authorisation model.
I would guess more ‘responsible’ companies encrypt all private data in transit and at rest but don’t consider unencrypted data in processors and memory. Leaking ANY private data is a regulatory issue. Pub/Priv signature schemes are better regardless of encrypt/secureproc use.
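The request-signing model debated in this thread, as an added example that is not code from any poster or from PayPal's API: a small signer is the only component holding the private key, the application hands it request bytes, and the server verifies with the public key alone. Ed25519, the canonical string layout, the `/v1/payments` path and the 300-second freshness window are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer stands in for the isolated component (enclave, HSM, separate process).
// It is the only code that ever holds the private key (hypothetical type).
type Signer struct{ priv ed25519.PrivateKey }

// NewSigner creates a key pair and returns the public half for enrollment with the server.
func NewSigner() (*Signer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Signer{priv: priv}, pub, nil
}

// Sign is the single operation exposed across the isolation boundary.
func (s *Signer) Sign(msg []byte) []byte { return ed25519.Sign(s.priv, msg) }

// Canonical binds method, path, timestamp and body hash into the bytes to sign.
// The layout is an assumed format for this example, not a published standard.
func Canonical(method, path string, ts int64, body []byte) []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%d\n%x", method, path, ts, sha256.Sum256(body)))
}

// Verify is the server side: it needs only the public key, never a shared secret.
// Requests more than 300 seconds away from the server clock are rejected.
func Verify(pub ed25519.PublicKey, method, path string, ts, now int64, body, sig []byte) bool {
	if now-ts > 300 || ts-now > 300 {
		return false
	}
	return ed25519.Verify(pub, Canonical(method, path, ts, body), sig)
}

func main() {
	signer, pub, err := NewSigner()
	if err != nil {
		panic(err)
	}
	body, ts := []byte(`{"amount":"10.00"}`), int64(1700000000) // constructed sample request
	sig := signer.Sign(Canonical("POST", "/v1/payments", ts, body))
	fmt.Println("valid:", Verify(pub, "POST", "/v1/payments", ts, ts+5, body, sig))
	fmt.Println("tampered:", Verify(pub, "POST", "/v1/payments", ts, ts+5, []byte(`{"amount":"9999"}`), sig))
}
```

A captured signature here authorizes one method, path, body and time window, whereas a bearer secret sent in a header authorizes anything until it expires or is revoked.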