Apr13'10

OAuth support in Raindrop

Raindrop has always been mindful of security and privacy issues, but even though we have written about this before, we have still required your password to access your email and Twitter accounts.  We are happy to report that things have changed.

A major impediment to working without your password has been accessing your email.  While Twitter supports Open Authentication (OAuth), it was impossible to access your email without a password, so support for a password-less raindrop was put on hold pending some answer to this problem.  Fortunately, Google and Yahoo have recently been working on a spec for OAuth-based IMAP authentication, and with Gmail providing a working implementation, raindrop could make that leap.

The raindrop front-end now has support for configuring Gmail and Twitter accounts using OAuth.  During the account configuration process you are directed to Google or Twitter to authorize raindrop to access your account.  You may need to provide your password to Google or Twitter, and after authorizing raindrop, you are directed back to raindrop to complete the account setup.  On this return step, Google or Twitter provides raindrop with OAuth tokens, which raindrop stores on the file system with the account configuration information.  These tokens can then be used in lieu of the username and password when communicating with Twitter or the Gmail IMAP server.

The key reason this matters is that raindrop never needs to know your password – let alone store it – and the user remains in complete control over what operations raindrop can perform.  Thus, if raindrop were compromised we might leak enough information for our existing tokens to be used temporarily, but at any time the user can visit Twitter or Gmail and revoke the tokens, making that leaked information useless.  It will be impossible for raindrop to leak your password, as raindrop doesn’t know what it is.

The OAuth support for Twitter was fairly easy to implement by following the examples found on the Twitter API documentation site.  Raindrop uses the Python twitter library, and although this library doesn’t currently support OAuth directly, we are in the process of rectifying this by working with the project on the changes necessary for such support.

The OAuth support for Gmail was similarly easy given the nice examples provided by Google.  While OAuth support for IMAP is currently in the early stages of becoming a standard, we hope that the appeal of password-less IMAP login will be such that other major IMAP servers will start to support it in the future – until then, Raindrop will still need to store your password for IMAP servers which do not implement this new functionality.
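What the token-instead-of-password IMAP login looks like, as an added example that is neither Raindrop's nor Google's code: it assumes the XOAUTH SASL mechanism Gmail shipped for this (an OAuth 1.0a HMAC-SHA1 signature over the mailbox URL, base64-encoded and sent after AUTHENTICATE XOAUTH), and the consumer keys, token and token secret are constructed values. build_xoauth produces what a client like raindrop would send, and verify_xoauth shows the server-side check that makes a revoked or rotated token useless, which is the property the post relies on.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse
import uuid

# The XOAUTH initial client response is an OAuth 1.0a-signed "GET <mailbox url>"
# line; the IMAP client base64-encodes it and sends it after AUTHENTICATE XOAUTH.
IMAP_URL = "https://mail.google.com/mail/b/{email}/imap/"


def _pct(s):
    # OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters stay bare
    return urllib.parse.quote(s, safe="-._~")

def _base_string(method, url, params):
    normalized = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method, _pct(url), _pct(normalized)])

def _sign(base, consumer_secret, token_secret):
    # Signing key is consumer secret plus token secret; the user's password is never involved
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def build_xoauth(email, consumer_key, consumer_secret, token, token_secret,
                 nonce=None, timestamp=None):
    url = IMAP_URL.format(email=email)
    params = {"oauth_consumer_key": consumer_key, "oauth_nonce": nonce or uuid.uuid4().hex,
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(timestamp or int(time.time())),
              "oauth_token": token, "oauth_version": "1.0"}
    params["oauth_signature"] = _sign(_base_string("GET", url, params), consumer_secret, token_secret)
    return f"GET {url} " + ",".join(f'{k}="{_pct(v)}"' for k, v in sorted(params.items()))

def sasl_initial_response(xoauth):
    # What goes on the wire: the base64 argument to "AUTHENTICATE XOAUTH"
    return base64.b64encode(xoauth.encode()).decode()

def verify_xoauth(xoauth, consumer_secret, token_secrets):
    """Server-side check: recompute the signature with the secret on file for the
    presented token. A revoked token is absent from token_secrets, so it fails."""
    method, url, header = xoauth.split(" ", 2)
    params = dict(part.split("=", 1) for part in header.split(","))
    params = {k: urllib.parse.unquote(v.strip('"')) for k, v in params.items()}
    presented = params.pop("oauth_signature", "")
    secret = token_secrets.get(params.get("oauth_token"))
    if secret is None:
        return False
    return hmac.compare_digest(presented, _sign(_base_string(method, url, params), consumer_secret, secret))
```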

While raindrop still has work to do in ensuring your private information remains secure, we see OAuth support as a nice step in the right direction.
