Does Twitter turn its back on Chinese web users?
This week, Twitter has announced that it’s changing the way people need to sign in as of June 30th. (Update: the scheduled date has been postponed to August 16th due to technical problems during the football World Cup. Starting August 16th, Twitter will limit the number of requests you can make with the old-style sign in.) This has got quite some publicity, mostly positive. From a security point of view, the new sign-in system offers several advantages. However, one aspect seems to get overlooked.
Users in censored countries like China and Iran will no longer be able to use Twitter through third-party websites (Twitter.com itself is already blocked for them). This has been discussed on Twitter’s developers forum here and here, so Twitter is aware of this problem. So far, Twitter has not come up with a solution.
Why blocking Twitter is difficult for governments
Censoring countries often try to shut down or limit access to websites like Google, YouTube and Twitter with something like a national firewall. The power of Twitter is that it lets third parties use all of its data through a programming interface (an API), so anyone can build their own Twitter application. Since there are so many applications and websites that let you use Twitter, it is impossible for those countries to block them all.
What is changing now?
Twitter is changing the way it lets users of third-party websites sign in. Until now, Twitter has supported two different login methods: basic authentication and OAuth. It has now announced that it will stop supporting basic authentication. Let me explain the difference between the two methods, and the consequences.
Basic authentication
Basic authentication is the simplest method. Consider website x, which offers Twitter functionality. It simply asks users for their Twitter username and password and verifies these credentials with Twitter’s server. Twitter answers that they are OK, and website x tells the user he is signed in. Website x then sends the username and password along with every subsequent request, whether to fetch data from Twitter or to post on the user’s behalf. This means website x has to know, and usually store, the user’s actual Twitter password. Since the censoring governments do not know all of these websites and servers, the user’s requests can pass through their firewall.

OAuth
With the second method, OAuth, website x does not ask the user for his username and password but offers a link to Twitter.com. At Twitter.com the user signs in and clicks a button to allow website x to access his account. Twitter then redirects the user back to website x and gives x a secret key (called a token). Website x uses this token in all its further communication with Twitter. Website x never sees the user’s password, and the user can revoke its access at any time without changing that password. (The token is still a credential website x has to protect, but it only works for that one site.) For security, this is a great benefit.
The diagram below shows how OAuth works when there is no firewall in place:

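To make the difference between the two methods concrete, here is an added example. It is not code from the original post and not Twitter’s code; it shows what each method actually puts on the wire. Under basic authentication the Authorization header is just the base64 of `username:password`, which anyone holding the request can decode. Under OAuth 1.0a, the version Twitter used at the time, the request carries a token and an HMAC-SHA1 signature computed from the consumer secret and the token secret; the password is never part of it, and the server recomputes the signature to check that the request was not altered. The request parameters and the expected signature base string are the constructed ones from RFC 5849 (sections 3.1 and 3.4.1.1); the two secrets, the username and the password are made up for this example.

```python
"""Basic authentication versus OAuth 1.0a on the wire (added example).

Not the blog author's code and not Twitter's. The OAuth request parameters and the
expected signature base string are the constructed ones from RFC 5849, sections
3.1 and 3.4.1.1; the two secrets, the username and the password are made up here.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(s):
    """RFC 5849 section 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare."""
    return quote(s, safe="")


# ---- Basic authentication: the password rides along on every request ----------

def basic_auth_header(username, password):
    """The Authorization header website x sends to Twitter with each API call."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def recover_basic_credentials(header):
    """Anyone holding the request (website x, its logs, a proxy) gets the password back."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


# ---- OAuth 1.0a with HMAC-SHA1: a token and a signature, never the password -----

def signature_base_string(method, base_url, params):
    """RFC 5849 section 3.4.1: METHOD & enc(url) & enc(sorted, encoded name=value pairs)."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """Key = enc(consumer secret) & enc(token secret); the user's password is not involved."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, base_url, params, consumer_secret, token_secret):
    """Client side (website x): append oauth_signature to the request parameters."""
    sig = hmac_sha1_signature(signature_base_string(method, base_url, params),
                              consumer_secret, token_secret)
    return list(params) + [("oauth_signature", sig)]


def verify_request(method, base_url, signed_params, consumer_secret, token_secret):
    """Server side (Twitter): recompute the signature from the shared secrets and compare."""
    presented = dict(signed_params).get("oauth_signature")
    if presented is None:
        return False
    unsigned = [(k, v) for k, v in signed_params if k != "oauth_signature"]
    expected = hmac_sha1_signature(signature_base_string(method, base_url, unsigned),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(presented.encode(), expected.encode())


# ---- Constructed sample request (RFC 5849 section 3.1) --------------------------

REQUEST_URL = "http://example.com/request"
RFC_REQUEST_PARAMS = [
    ("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"),   # query string, decoded
    ("c2", ""), ("a3", "2 q"),                                # form body, decoded
    ("oauth_consumer_key", "9djdj82h48djs9d2"),
    ("oauth_token", "kkk9d7dh3k39sjv7"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "137131201"),
    ("oauth_nonce", "7d8f3e4a"),
]
RFC_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
    "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
    "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
    "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7"
)
CONSUMER_SECRET = "made-up-consumer-secret"   # known to website x and Twitter only
TOKEN_SECRET = "made-up-token-secret"         # issued to website x for this one user


if __name__ == "__main__":
    header = basic_auth_header("alice", "correct horse")
    print("basic auth header decodes to:", recover_basic_credentials(header))
    signed = sign_request("POST", REQUEST_URL, RFC_REQUEST_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    print("base string matches RFC:",
          signature_base_string("POST", REQUEST_URL, RFC_REQUEST_PARAMS) == RFC_BASE_STRING)
    print("valid request verifies:",
          verify_request("POST", REQUEST_URL, signed, CONSUMER_SECRET, TOKEN_SECRET))
    tampered = [(k, "b" if (k, v) == ("a3", "a") else v) for k, v in signed]
    print("tampered request verifies:",
          verify_request("POST", REQUEST_URL, tampered, CONSUMER_SECRET, TOKEN_SECRET))
```

Two things follow from the signature covering the method, the URL and every parameter: a request with a single altered parameter fails verification even though the token itself is valid, and because only Twitter and website x know the secrets, Twitter can cut website x off by deleting its token while the user’s password stays untouched. Under basic authentication the only way to lock website x out is to change the password.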
Why this now blocks Chinese web users
Once Twitter makes OAuth mandatory, users always have to visit Twitter.com to give a website permission to use their account. So if Twitter.com is blocked for you, you have no way of granting that access. This is illustrated in this diagram, which shows the situation with a firewall:

Who will and won’t be affected?
Applications other than web apps (desktop and mobile clients) can ask Twitter for permission to keep using the username and password. Well, sort of: those apps are allowed to use yet another authentication method, called xAuth. With xAuth the app sends the username and password to Twitter once, in exchange for the OAuth tokens, and then uses those tokens for all further communication with Twitter’s API. The app still handles the password, but only at that first sign in. So these apps’ users will not necessarily be affected by this.
Web apps that store usernames and passwords can be allowed to exchange these for OAuth tokens, so that their existing users do not have to grant permission again. This is meant for one-time bulk conversions only and will only be allowed during the switch from basic authentication to OAuth. Also, not all web apps store their users’ credentials centrally, so those cannot do such a bulk conversion. (An example is my own web app, Twimply, which only stores data on the user’s phone or computer.)
This leaves us with the group of affected users in censoring countries:
1. New users of all web apps
2. Users of web apps that can’t or don’t want to do bulk conversions
3. Users of other apps that do not use xAuth (username/password) for the initial authentication
This decision is Twitter’s responsibility
I have really no idea how many users we are talking about, but I do know these are users who really need Twitter. Twitter has often proved to be an important source of information in countries like China and Iran, and Twitter has (justifiably) used this as an example of its success.
I know it is countries like China that decide which sites get blocked, and not Twitter. But it is Twitter that now decides to change its sign-in system. It will have benefits for them, but they seem to consider these consequences collateral damage.
Possible solutions?
The simplest solutions seem to be to postpone the disabling of basic authentication, or to allow web apps to use xAuth. But neither solves the security problems Twitter is trying to solve, and both have therefore been rejected.
Sending permission by tweet?
While writing this post, I have come up with another possible direction for a (partial) solution. Simply let users allow/deny permission by sending a tweet from another Twitter app: “@twitter allow/deny appname”. Twitter would then have to provide the user with a temporary token, and the app should then be allowed to exchange that for a permanent token for that user.
This way, the user does not have to give his password, and Twitter knows it’s dealing with the actual user. This may be a much too oversimplified solution, and may have other drawbacks (for starters, the user would have to have access to another Twitter app first). But it may be worthwhile to investigate further.
Update: In the meantime, I have come up with the following solution, which will work for users who have access to Twitter.com somewhere:
Solution for users who have access to Twitter.com somewhere
There are also a lot of users who do not have access to Twitter.com on computer A (at work or school, for example), but who do have access somewhere else on computer B. I have come up with a solution for those users: letting them create a link to “copy” the Sign In token from computer B to computer A.
I have implemented this in Twimply, so you can now try this yourself: Create your Sign In for where Twitter.com is blocked. For a detailed description of this method, please read my blog post Sign in with oAuth where Twitter.com is blocked.
The biggest drawback of this method is obviously that you will still have to visit Twitter.com somewhere. However, I hope it will help some people out. If you have any other ideas, please let me know!
Please tell me I’m wrong
I must say I was a bit anxious to write this post. I had to be wrong. I could not imagine the always engaged-looking company Twitter would take these consequences for granted. And if it does, then why isn’t anybody writing about it? And my own solution – it will probably be way too simple. I would not like to look like a fool on my own blog.
But I think this is important enough to risk being stupid. Maybe a solution will come in time, maybe this does not affect so many users after all. If you think that’s the case, I really hope you’ll prove me wrong in the comments. But if you think I am right, please help raising awareness for this problem.
5 comments on “Does Twitter turn its back on Chinese web users?”
[...] effect for users in censored countries?” And he pointed us at his excellent, I have to say, blog post on this subject, and to be honest this hadn’t occurred to [...]
This is a really interesting point. Twitter says much about free speech, so they should fix this.
Give me a useful api for twitter. Thanks very much