[twitter-dev] Re: Should consumer token be kept secret?
No, there's really not a good solution for open source developers. :(

On Jul 10, 3:57 pm, Cameron Kaiser spec...@floodgap.com wrote:
>> After reading that thread, it seems there is no good solution :(
>
> That is also my conclusion.
>
> -- personal: http://www.cameronkaiser.com/ --
> Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
> -- 1-GHz Pentium-III + Java + XSLT == 1-MHz 6502. -- Craig Bruce --
[twitter-dev] Re: Should consumer token be kept secret?
Duane Roelands duane.roela...@gmail.com writes:
> No, there's really not a good solution for open source developers. :(

If there really isn't a good solution for open source developers, there isn't a good solution for *any* developers unless you're running through a private proxy (and even that has problems).

I think that the PIN solution is about as workable as anything at the present, and haven't seen any solid ideas for improving upon it without breaking the core principles of OAuth.

As far as app reputation and source reporting goes, the OAuth solution is no less secure than basic auth source parameters (there's no verification that an application is authorized to use a given source parameter).

-Michael

--
mouse, n: A device for pointing at the xterm in which you want to type.
[twitter-dev] Re: Should consumer token be kept secret?
>> No, there's really not a good solution for open source developers. :(
>
> If there really isn't a good solution for open source developers, there isn't a good solution for *any* developers unless you're running through a private proxy (and even that has problems).
>
> I think that the PIN solution is about as workable as anything at the present, and haven't seen any solid ideas for improving upon it without breaking the core principles of OAuth.
>
> As far as app reputation and source reporting goes, the OAuth solution is no less secure than basic auth source parameters (there's no verification that an application is authorized to use a given source parameter).

No less secure, but the problem I haven't seen an answer to is whether Twitter plans to use keys to lock out badly behaved applications. If that's true, then a rogue app can effectively DOS out an innocent unrelated app by masquerading as it and doing naughty things, and getting its key suspended. If they have no plans to do this, then I agree that it's no different than Basic Auth source parameters.

-- personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
-- In memory of DeForest Kelley ---
[twitter-dev] Re: Should consumer token be kept secret?
It's different from basic auth in the way that OAuth was primarily designed to be different -- the app need not know your password (thus preventing a rogue app from stealing it) and it need not send it over the wire with every request (thus preventing a rogue entity from monitoring and trapping it over the wire).

On Sat, Jul 11, 2009 at 12:54, Cameron Kaiser spec...@floodgap.com wrote:
>>> No, there's really not a good solution for open source developers. :(
>>
>> If there really isn't a good solution for open source developers, there isn't a good solution for *any* developers unless you're running through a private proxy (and even that has problems).
>>
>> I think that the PIN solution is about as workable as anything at the present, and haven't seen any solid ideas for improving upon it without breaking the core principles of OAuth.
>>
>> As far as app reputation and source reporting goes, the OAuth solution is no less secure than basic auth source parameters (there's no verification that an application is authorized to use a given source parameter).
>
> No less secure, but the problem I haven't seen an answer to is whether Twitter plans to use keys to lock out badly behaved applications. If that's true, then a rogue app can effectively DOS out an innocent unrelated app by masquerading as it and doing naughty things, and getting its key suspended. If they have no plans to do this, then I agree that it's no different than Basic Auth source parameters.
>
> -- personal: http://www.cameronkaiser.com/ --
> Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
> -- In memory of DeForest Kelley ---

--
Internets. Serious business.
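The post above describes what OAuth changes relative to Basic Auth, and the earlier posts describe the consequence for an open-source client: the consumer secret is a signing key, so whoever reads it out of the source can sign as that application. The following is an added worked example, not code from any poster in this thread and not Twitter's or any library's implementation. It implements OAuth 1.0a HMAC-SHA1 signing and verification as specified in RFC 5849 section 3.4 (signature base string, parameter normalization, key construction), using the key material and worked requests from RFC 5849 itself; the "attacker-token" entries and the toy server-side secret stores are constructed for the example and stand for a token any ordinary user could obtain for themselves.

```python
"""OAuth 1.0a HMAC-SHA1 signing and verification per RFC 5849 section 3.4.
Added example for this thread, not code from any poster or from Twitter.
The consumer secret and token secret form the HMAC key, so no password
crosses the wire, but anyone holding the consumer secret (e.g. from a
shipped Perl source tree) can sign requests the server attributes to that
application. Keys, nonces and timestamps are the worked values from
RFC 5849; the "attacker-token" rows are constructed for this example.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s):
    # RFC 5849 3.6: encode everything except unreserved characters, uppercase hex
    return quote(s, safe="-._~")


def base_string_uri(url):
    # 3.4.1.2: lowercase scheme and host, drop default port, drop query and fragment
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), (p.hostname or "").lower()
    if p.port and p.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path or '/'}"


def collect_params(url, oauth_params, body_params=()):
    # 3.4.1.3.1: decoded query parameters + oauth_* header parameters + form body
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return list(query) + list(oauth_params.items()) + list(body_params)


def normalize_params(params):
    # 3.4.1.3.2: encode, sort by name then value, join; oauth_signature is excluded
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, params):
    # 3.4.1.1: METHOD & pct(base URI) & pct(normalized parameters)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalize_params(params))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # 3.4.2: key is pct(consumer_secret) "&" pct(token_secret); output is base64
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def client_sign(method, url, oauth_params, consumer_secret, token_secret="", body_params=()):
    """Client side: return the protocol parameters with oauth_signature filled in."""
    base = signature_base_string(method, url, collect_params(url, oauth_params, body_params))
    return dict(oauth_params, oauth_signature=hmac_sha1_signature(base, consumer_secret, token_secret))


def authorization_header(signed_params, realm=None):
    # 3.5.1: Authorization header form; note no secret appears in it
    parts = [f'realm="{realm}"'] if realm else []
    parts += [f'{pct(k)}="{pct(v)}"' for k, v in signed_params.items()]
    return "OAuth " + ", ".join(parts)


# Worked values from RFC 5849 section 1.2 (the photos.example.net example).
CONSUMER_KEY, CONSUMER_SECRET = "dpf43f3p2l4k5l03", "kd94hf93k423kf44"
ACCESS_TOKEN, TOKEN_SECRET = "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00"
PHOTO_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"

# Toy server-side stores (constructed); "attacker-token" is a token the attacker
# obtained legitimately for their own account, as any user could.
CONSUMER_SECRETS = {CONSUMER_KEY: CONSUMER_SECRET}
TOKEN_SECRETS = {ACCESS_TOKEN: TOKEN_SECRET, "attacker-token": "attacker-token-secret"}


def photo_oauth_params(token=ACCESS_TOKEN, nonce="chapoH", timestamp="137131201"):
    return {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": token,
            "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": timestamp,
            "oauth_nonce": nonce}


def server_verify(method, url, header_params, body_params=(),
                  consumer_secrets=CONSUMER_SECRETS, token_secrets=TOKEN_SECRETS):
    """Server side: look up both secrets by identifier, recompute, compare in constant time."""
    try:
        consumer_secret = consumer_secrets[header_params["oauth_consumer_key"]]
        token_secret = token_secrets[header_params["oauth_token"]]
    except KeyError:
        return False
    expected = client_sign(method, url, header_params, consumer_secret, token_secret, body_params)
    return hmac.compare_digest(expected["oauth_signature"], header_params["oauth_signature"])


def rfc_3_4_1_1_base_string():
    """The POST example from RFC 5849 section 3.4.1.1: duplicate names, blank values
    and already-encoded input all have to survive normalization."""
    url = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
    oauth = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
             "oauth_nonce": "7d8f3e4a"}
    body = parse_qsl("c2&a3=2+q", keep_blank_values=True)
    return signature_base_string("POST", url, collect_params(url, oauth, body))


if __name__ == "__main__":
    signed = client_sign("GET", PHOTO_URL, photo_oauth_params(), CONSUMER_SECRET, TOKEN_SECRET)
    print(authorization_header(signed, realm="Photos"))
    print("legitimate client accepted:", server_verify("GET", PHOTO_URL, signed))
    forged = client_sign("GET", PHOTO_URL, photo_oauth_params(token="attacker-token"),
                         CONSUMER_SECRET, "attacker-token-secret")
    print("client with leaked consumer secret accepted:", server_verify("GET", PHOTO_URL, forged))
```

The server accepts both requests: nothing in the signature distinguishes the real client from a copy that read the consumer secret out of the distributed source, because the only inputs are the request, the consumer secret and the token secret. That is exactly why the posters above conclude that a per-application lockout keyed on the consumer key would let a rogue copy get an innocent application suspended, and why the only server-side remedy, rotating the consumer secret, invalidates every legitimate copy of the client at the same time (shown in the verification with a rotated store).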
[twitter-dev] Re: Should consumer token be kept secret?
There was just a long thread discussing these sorts of security issues. The thread title is "Security Best Practices" and is at http://groups.google.com/group/twitter-development-talk/browse_thread/thread/45550d6cebf86051#

- h

On Fri, Jul 10, 2009 at 10:05, Grant Emsley grant.ems...@gmail.com wrote:
> I'm almost ready to release a desktop app using OAuth. It's written in Perl, so anyone can read the source. Should I remove my consumer token and secret and make people get their own? Or is it safe to distribute?
[twitter-dev] Re: Should consumer token be kept secret?
After reading that thread, it seems there is no good solution :(

On Jul 10, 1:17 pm, Howard Siegel hsie...@gmail.com wrote:
> There was just a long thread discussing these sorts of security issues. The thread title is "Security Best Practices" and is at http://groups.google.com/group/twitter-development-talk/browse_thread...
>
> - h
>
> On Fri, Jul 10, 2009 at 10:05, Grant Emsley grant.ems...@gmail.com wrote:
>> I'm almost ready to release a desktop app using OAuth. It's written in Perl, so anyone can read the source. Should I remove my consumer token and secret and make people get their own? Or is it safe to distribute?
[twitter-dev] Re: Should consumer token be kept secret?
> After reading that thread, it seems there is no good solution :(

That is also my conclusion.

-- personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
-- 1-GHz Pentium-III + Java + XSLT == 1-MHz 6502. -- Craig Bruce --