Topic on Manual talk:Bot passwords

Hi!

I've been reading quite a bit of documentation about OAuth1 and OAuth2 lately, both of which I've understood to be (relatively) insecure in the case of public clients (such as bots on the user's computer, or mobile applications).

So, when I read that “If the wiki and the bot support OAuth, use that instead; it is more secure, especially on wikis without robust HTTPS support.”, I wonder if there's something I've misunderstood or if that statement is not somewhat misleading…

Without robust HTTPS, that statement is obviously true, as using bot passwords is vulnerable to MITM, like using regular passwords and unlike OAuth1. In that case, one's main concern should probably be to get robust HTTPS first (as only HTTPS can protect regular passwords used by the users to authenticate to the server to authorize the OAuth client), but anyway: OAuth is for sure a security improvement over bot passwords.

But, with robust HTTPS (which I'm going to assume should be the norm in 2018) is there any reason to think OAuth is more secure than bot passwords?

I'm asking mostly out of curiosity and for my own understanding, but I'm also considering using bot passwords for a mobile application, as the bot password form is “just complicated” for the end user, whereas the OAuth token form is “horribly complicated” (no offense to be taken: I think it's perfectly fine for the public of developers it was designed for — it's just being used out of its scope, for legitimate reasons).

Thanks a lot for any clarification :)

I've been reading quite a bit of documentation about OAuth1 and OAuth2 lately, both of which I've understood to be (relatively) insecure in the case of public clients (such as bots on the user's computer, or mobile applications).

It's insecure if the OAuth key and secret are bundled with the code (ie. different people running the bot use the same OAuth consumer). It's not insecure if you create your own consumer for the bot, as recommended for Pywikibot for example.

But, with robust HTTPS (which I'm going to assume should be the norm in 2018) is there any reason to think OAuth is more secure than bot passwords?

If the communication channel is secure, then the security advantage is minimal. That's a big if, though - we are used to taking it for granted that HTTPS is safe, because browsers have gotten very good at implementing it securely, but most bots do not use a browser, and a lot can go wrong with SSL support of whatever request library is being used, system-default CA bundles etc. I wouldn't worry about using bot passwords, but I wouldn't say the difference is negligible, either. (I am not a security expert, though.)

the bot password form is “just complicated” for the end user, whereas the OAuth token form is “horribly complicated”

Yeah it sucks currently. T142282 subtasks and especially T165219 are some relevant issues.