Same Kiwi, new Image Services
OAuth again? Is there an echo in here?
Today I rolled out a little release for Kiwi. The only change was the inclusion of OAuth Echo support for image posting.
Like XAuth, OAuth Echo isn’t an official specification. Echo is a special method of using OAuth that Twitter encourages. It allows one Twitter service to send another Twitter service a specially signed package that can be used to verify a user’s account.
To be perfectly honest, it seems like yet another invisible outfit for the emperor. There are more wrappers, hashes, and negotiations around OAuth. It seems like a schizophrenic security standard already: glomming authentication and authorization into the same spec seems ill-conceived at best — at least to me.
OAuth, and Echo even more so, is what I like to call “security through complexity.” It’s so complicated that even the experts aren’t sure if it’s really secure or not. Why is that bad? Because everyone will adopt it, thinking it to be secure, and will be blindsided when it is actually exploited. With enough complexity you can avoid most peer review, even in open source software.
But, in a few weeks it will be nearly the only way to post images to Twitter as Twitter will shut off “basic auth”, so there doesn’t really seem to be anything to do but include it. Somehow when the adoption of a security standard is encouraged with more “stick” than “carrot” I get pretty nervous. How ‘bout you?
Musical Chairs of Image Services
Posterous (http://posterous.com) is out, TwitrPix is in. yFrog is out, TwitGoo is in. I wanted to support a few different services, and to be perfectly honest, I really like yFrog and Posterous. I also like Ember and Flickr, but these don’t quite fit either.
Kiwi supports image posting services that don’t require a separate login*. They use OAuth Echo to verify your Twitter credentials and let your Twitter account serve as your authorization to their service.
Posterous does actually allow un-registered posting — but it no longer seemed like it fit with the other options. And yFrog does actually support OAuth Echo, but only with XML verification — which means more security code for me, since all of the other services support the JSON response.
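To make the echo concrete, here is an added example of the three roles in the exchange described above. It is not Kiwi’s code and not Twitter’s or any image service’s; the keys, token, user record and image bytes are all constructed for the demo, and the provider-side lookup tables stand in for a real provider database. The client signs an OAuth 1.0a request to verify_credentials but never sends it to Twitter; it hands the Authorization header to the image service in X-Verify-Credentials-Authorization along with the provider URL in X-Auth-Service-Provider. The image service forwards that header to the provider, which recomputes the HMAC-SHA1 signature with the secrets only it holds and returns the user object (the JSON response the post mentions). The checks on the provider URL and on timestamp freshness are my own additions to illustrate two things a service implementing this should care about.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote, urlparse

# Constructed credentials for the demo; none of these are real Twitter keys.
CONSUMER_KEY, CONSUMER_SECRET = "kiwi-consumer-key", "kiwi-consumer-secret"
ACCESS_TOKEN, ACCESS_TOKEN_SECRET = "user-access-token", "user-access-token-secret"
VERIFY_URL = "https://api.twitter.com/1/account/verify_credentials.json"

# Stand-in for the provider's database (constructed, not Twitter's).
PROVIDER_CONSUMERS = {CONSUMER_KEY: CONSUMER_SECRET}
PROVIDER_TOKENS = {ACCESS_TOKEN: (ACCESS_TOKEN_SECRET, {"id": 12345, "screen_name": "kiwi_user"})}


def _pct(s):
    """OAuth 1.0a percent-encoding (RFC 5849 3.6): only unreserved characters stay bare."""
    return quote(str(s), safe="-._~")


def signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the RFC 5849 signature base string (method, base URL, sorted params)."""
    u = urlparse(url)
    base_url = f"{u.scheme}://{u.netloc}{u.path}"
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items())
    param_str = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _pct(base_url), _pct(param_str)]).encode()
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def build_echo_headers(now=None, nonce=None):
    """Client side (the Kiwi role): sign a GET to verify_credentials, but instead of
    sending it to the provider, hand the Authorization header to the image service."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(now if now is not None else int(time.time())),
        "oauth_token": ACCESS_TOKEN,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = signature("GET", VERIFY_URL, params, CONSUMER_SECRET, ACCESS_TOKEN_SECRET)
    auth = "OAuth " + ", ".join(f'{_pct(k)}="{_pct(v)}"' for k, v in sorted(params.items()))
    return {"X-Auth-Service-Provider": VERIFY_URL, "X-Verify-Credentials-Authorization": auth}


def parse_oauth_header(header):
    """Split an 'OAuth k="v", k="v"' header back into a dict of decoded parameters."""
    if not header.startswith("OAuth "):
        return None
    out = {}
    for part in header[6:].split(","):
        k, _, v = part.strip().partition("=")
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def provider_verify(url, auth_header, now=None, window=300):
    """Provider side (the Twitter role), simulated: recompute the signature with the
    secrets only the provider holds and return the user object, or None on failure."""
    params = parse_oauth_header(auth_header)
    if not params or params.get("oauth_signature_method") != "HMAC-SHA1":
        return None
    sig = params.pop("oauth_signature", "")
    try:
        ts = int(params.get("oauth_timestamp", ""))
    except ValueError:
        return None
    if abs((now if now is not None else int(time.time())) - ts) > window:
        return None  # stale: bounds how long a captured echo package stays usable
    consumer_secret = PROVIDER_CONSUMERS.get(params.get("oauth_consumer_key"))
    token_entry = PROVIDER_TOKENS.get(params.get("oauth_token"))
    if consumer_secret is None or token_entry is None:
        return None
    token_secret, user = token_entry
    expected = signature("GET", url, params, consumer_secret, token_secret)
    return dict(user) if hmac.compare_digest(expected, sig) else None


def image_service_upload(headers, image_bytes, now=None):
    """Image-service side: echo the header to the provider named in
    X-Auth-Service-Provider, but only if that URL is the one we trust."""
    url = headers.get("X-Auth-Service-Provider", "")
    if url != VERIFY_URL:
        return None  # otherwise a client could point us at a server that always says "yes"
    user = provider_verify(url, headers.get("X-Verify-Credentials-Authorization", ""), now=now)
    if user is None:
        return None
    return {"owner": user["screen_name"], "bytes": len(image_bytes)}
```

The point worth noticing is that the image service never learns the consumer secret or the token secret; all it can do is relay the signed package and trust the provider’s answer. That is also why the service must pin the provider URL rather than trust whatever the client sends in X-Auth-Service-Provider, and why the provider’s timestamp window is the only thing limiting reuse of a captured package.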
Ember and Flickr are harder for me to part with. I love-love-love these services. Both for professional reasons and because they’re the places that I actually post my own pictures. But still they require their own login — and Flickr’s is a whole other OAuth sign-in, and without even XAuth to help make it pretty — YUCK!
Needless to say, this is a fluid and changing thing. I’ll keep you posted.
*If you know of some image services that support OAuth Echo, please let me know. I’ll do my best to include them in the next update.