Hacker News
by ngrandy 6663 days ago
hey bootload, thanks for your detailed response. you raise a lot of good points. we've definitely spent a lot of time thinking about these issues.

first, you're right that just extracting info from twitter doesn't require username and password. our initial twitter interface is an update though, which does require authentication.

- we do use SSL for all usernames / passwords that are submitted, though we should make that clear, b/c right now we don't give an indication.

- because twitter does not offer token-based authentication, and because we do not currently want to store passwords, we are actually submitting to twitter via the web interface; that means we submit the u+p just once, and then we hold onto a cookie, but not the u+p. when we log in to twitter on your behalf, it is via https.

- one goal in the near / mid term is to give users a choice about the combination of privacy / convenience that they want. right now we have opted on the side of privacy, since we're not storing usernames and passwords. but some users have told us they would like wundrbar to basically act as a password manager, so we'll be building in that option.

- i hope twitter (and other sites) implement open auth soon, because i know there are a lot of users who will be more comfortable using wundrbar through that authentication mechanism.

1 comments

"... hey bootload, thanks for your detailed response. you raise a lot of good points. we've definitely spent a lot of time thinking about these issues. ..."

hey ngrandy, sorry for the delay in getting back to you and thanks for explaining your setup. It reads like a well considered approach ~ http://flickr.com/photos/bootload/2348875304/