Saturday, October 3, 2009

Open decentralized microblogging

I recently wanted to access Twitter updates through Facebook. I clicked on the "add Twitter" application, but after seeing the authentication anti-pattern they are using, I backed off (yet many of my friends have added it; it looks like their perceived risk is less than the benefits they expect).

If an imaginary dude added Twitter to their FB profile, the conversation would go as follows.
Dude: hey FB, I want to access Tweets.
FB: sure dude, give me your Twitter username and password. (domain - facebook.com)
Dude: my Twitter username and password.
FB: hey twitter, I am (pretending to be) the dude with this user name and password.
Twitter: hey dude (actually FB pretending to be the dude - which Twitter does not know), you are authenticated and welcome back to Twitter.
FB: dude, now you are all set.

Do you want to allow FB (or any other third-party service provider) to pretend to be you to some other service you are already using (e.g. Twitter)? What are the possible risks/benefits of doing it?

At least there are some positive signs: Twitter already has an OAuth API. (They would also like to drop the basic authentication API that uses the above conversation pattern; I guess they continue to keep it due to migration/usability issues.) I would feel a little safer (but not completely) if the FB folks used the following conversation, based on a delegated authentication mechanism.

Dude: hey FB, I want to access Tweets.
FB: No problem dude, I am sending you to Twitter (opens up a new browser window - domain twitter.com).
FB: hey Twitter, a dude wants to connect to Twitter.
Twitter: hey dude, FB (or any other third-party dude) wants to access your tweets; you cool with that?
Dude: yep, I am. (Dude types his/her username and password and gives approval)
Twitter: hey FB, use this token to access Dude's tweets.
FB: dude, now you are all set.

Notice that the dude did not have to give private information such as the Twitter password to FB. In other words, the Twitter password is still under the control of the dude. Nabeel's dilemma: should I wait till FB provides such an application, or should I sacrifice my private information and go ahead with the current application?
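The two conversations above, modelled in Python as an added example (not code from this post, Twitter or Facebook): with the password a third party can do everything the dude can, while a token limits it to the approved scope and can be revoked on its own. `Provider`, the scope names and the sample password are assumptions made for illustration; this models the trust difference, not the OAuth wire protocol.

```python
import hmac
import secrets

ACTIONS = ("read_tweets", "post_tweet", "change_password")
SAMPLE_PW = "constructed-sample-password"  # constructed value, not a real credential

class Provider:  # hypothetical toy stand-in for Twitter, not its real API
    def __init__(self, passwords):
        self.passwords = dict(passwords)  # username -> password
        self.tokens = {}                  # token -> (username, client, scopes)

    def login(self, user, password):
        stored = self.passwords.get(user)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

    def approve(self, user, password, client, scopes):
        # Happens on the provider's own domain, so the client never sees the password.
        if not self.login(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user, client, frozenset(scopes))
        return token

    def allowed(self, token, action):
        grant = self.tokens.get(token)
        return grant is not None and action in grant[2]

    def revoke(self, user, client):
        self.tokens = {t: g for t, g in self.tokens.items() if g[:2] != (user, client)}

def with_password(provider, user, password):
    """First conversation: a third party holding the password can do everything."""
    return dict.fromkeys(ACTIONS, provider.login(user, password))

def with_token(provider, token):
    """Second conversation: the third party can do only what the token's scopes allow."""
    return {action: provider.allowed(token, action) for action in ACTIONS}

def demo():
    twitter = Provider({"dude": SAMPLE_PW})
    shared = with_password(twitter, "dude", SAMPLE_PW)
    token = twitter.approve("dude", SAMPLE_PW, "FB", {"read_tweets"})
    granted = with_token(twitter, token)
    twitter.revoke("dude", "FB")  # cuts off FB only; the password is unchanged
    return shared, granted, with_token(twitter, token)

if __name__ == "__main__":
    for label, result in zip(("password shared", "token granted", "token revoked"), demo()):
        print(f"{label}: {result}")
```

In the password model the only way to cut FB off is to change the password, which also breaks every other application holding it.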

It may appear that I have derailed from the $subject of this blog post, but I told you all this to motivate the need for open decentralized microblogging (aka the $subject). There has been some research work in this area. I found the following paper interesting in this regard.

Birds of a FETHR: Open, Decentralized Microblogging, by researchers at Rice University.
Abstract:
Microblogging, as exemplified by Twitter, is gaining popularity as a way to exchange short messages within social networks. However, the limitations of current microblog services—proprietary, centralized, and isolated—threaten the long-term viability of this new medium. In this work we investigate the current state of microblogging and envision an open, distributed micropublishing service that addresses the weaknesses of today’s systems. We draw on traces taken from Twitter to characterize the microblogging workload. Our proposal, fethr, connects micropublishers large and small in a single global network. New messages are gossiped among subscribers using a lightweight http-based protocol. Cryptographic measures protect authenticity and continuity of updates and prove message ordering even across providers.

1 comment:

Madhu said...

I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I’ll be subscribing to your feed and I hope you post again soon.
