> @chris
> You cannot ask every user to get new consumer token/secret.
> There is no way you can protect a consumer secret.

I did have a blind spot operating here. When someone says, "Open
Source," I'm usually thinking server software, not Joe's ShareWare.
Since we were talking about source code distribution, I wasn't even
thinking about user binaries.

> @Joseph
> <<fetch the key and secret at runtime from a secure
> server somewhere?  that could be trivially intercepted.>>
> As far as I know this is the best way to hide the consumer secret.
> This will not stop a determined user who tries to intercept the keys
> but you have the option of changing your key/secret values (for a
> consumer) periodically. Other options are obfuscating/encrypting
> secrets at client side (again it will not stop a determined user).
> But the key management is difficult here as you have to download the
> app every time (or whenever the risk of keys being compromised is high).

It's worse than that. You don't even have to intercept the key, just
use the application itself to obtain tokens for other users' accounts.
How are they going to tell the difference between their copy of TweetX
and someone else's in their auth dialogs?

Chris Babcock
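
The point argued in this thread, as an added example that is not code from any of the posters: assuming the provider uses OAuth 1.0 HMAC-SHA1 signing, a consumer secret shipped inside a distributed client proves only possession of the binary, and rotating it cuts off every installed copy at once. The URL, key, secrets and the function names `sign`, `provider_accepts` and `demo` are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(s):
    # RFC 3986 percent-encoding; only unreserved characters stay literal
    return quote(str(s), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret=""):
    # OAuth 1.0 signature base string: METHOD & url & sorted, encoded params
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    # The HMAC key is the consumer secret plus the (possibly empty) token secret
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def provider_accepts(method, url, params, signature, registered_secret):
    # Provider side: recompute with the secret on file, compare in constant time
    expected = sign(method, url, params, registered_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample request (assumed endpoint and values, not from the thread)
URL = "https://provider.example/oauth/request_token"
PARAMS = {
    "oauth_consumer_key": "constructed-consumer-key",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1300000000",
    "oauth_version": "1.0",
}
SHIPPED_SECRET = "constructed-secret-present-in-every-download"

def demo():
    official = sign("POST", URL, PARAMS, SHIPPED_SECRET)
    # Any other program holding the same shipped value signs identically
    other_copy = sign("POST", URL, PARAMS, SHIPPED_SECRET)
    rotated = "constructed-rotated-secret"
    return {
        "signatures_identical": official == other_copy,
        "other_copy_accepted": provider_accepts("POST", URL, PARAMS, other_copy, SHIPPED_SECRET),
        # After rotation the provider rejects every copy still in users' hands
        "installed_copy_accepted_after_rotation": provider_accepts("POST", URL, PARAMS, official, rotated),
    }

if __name__ == "__main__":
    print(demo())
```
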

