<<
It's worse than that. You don't even have to intercept the key, just
use the application itself to obtain tokens for other users' accounts.
How are they going to tell the difference between their copy of TweetX
and someone else's in their auth dialogs?>>

Sorry. I didn't get this. How are you going to obtain tokens for *other*
users?
The worst you can do is use the key/secrets to trap *new* users. Even if you
assume the app is storing tokens locally, it does so only for that desktop
user. True, there is a risk if someone steals his access tokens, but he is
not completely wiped out as he still has the option of revoking the access
to the app.

Srikanth

On Tue, Aug 18, 2009 at 2:39 AM, Chris Babcock <cbabc...@kolonelpanic.org> wrote:

>
> On Mon, 17 Aug 2009 23:32:58 +0530
> srikanth reddy <srikanth.yara...@gmail.com> wrote:
>
> > @chris
> > You cannot ask every user to get new consumer token/secret.
> > There is no way you can protect a consumer secret.
>
> I did have a blind spot operating here. When someone says, "Open
> Source," I'm usually thinking server software not Joe's ShareWare.
> Since we were talking about source code distribution, I wasn't even
> thinking about user binaries.
>
> > @Joseph
> > <<fetch the key and secret at runtime from a secure
> > server somewhere?  that could be trivially intercepted.>>
> > As far as I know this is the best way to hide the consumer secret.
> > This will not stop a determined user who tries to intercept the keys,
> > but you have the option of changing your key/secret values (for a
> > consumer) periodically. Other options are obfuscating/encrypting
> > secrets at client side (again it will not stop a determined user).
> > But the key management is difficult here as you have to download the
> > app every time (or whenever the risk of keys being compromised is high).
>
> It's worse than that. You don't even have to intercept the key, just
> use the application itself to obtain tokens for other users' accounts.
> How are they going to tell the difference between their copy of TweetX
> and someone else's in their auth dialogs?
>
> Chris Babcock
>
>
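Chris's point, that the provider cannot tell one copy of TweetX from another, follows from how OAuth 1.0a HMAC-SHA1 signing works: every copy of the client must hold the same consumer secret, and the provider only checks that the signer held it. The example below is added here and is not code from the thread; the consumer key "TweetX-key", its secret, the request-token URL and the provider's registry are constructed values.

```python
import base64
import hashlib
import hmac
import urllib.parse

def pct(s):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare.
    return urllib.parse.quote(str(s), safe="-._~")

def base_string(method, url, params):
    # Signature base string: METHOD & encoded URL & encoded normalized params,
    # where params are encoded first and then sorted by key, then value.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(norm)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # The consumer secret is half of the HMAC key, so the client must hold it.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def provider_verify(method, url, params, registered_secrets, token_secret=""):
    # Provider side: look up the secret for oauth_consumer_key and recompute.
    sent = params.get("oauth_signature")
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    secret = registered_secrets.get(unsigned.get("oauth_consumer_key"))
    if sent is None or secret is None:
        return False
    return hmac.compare_digest(sign(method, url, unsigned, secret, token_secret), sent)

# Constructed provider registry and endpoint (not real values).
URL = "https://provider.example/oauth/request_token"
REGISTERED = {"TweetX-key": "constructed-consumer-secret"}
APP_NAMES = {"TweetX-key": "TweetX"}

def request_token_call(consumer_secret, nonce):
    # Any holder of the secret builds a request-token call that looks identical.
    params = {"oauth_consumer_key": "TweetX-key", "oauth_nonce": nonce,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1250540340",
              "oauth_version": "1.0", "oauth_callback": "oob"}
    params["oauth_signature"] = sign("POST", URL, params, consumer_secret)
    return params

def dialog_app_name(params):
    # All the provider can put in the auth dialog is the name registered for
    # the key; a valid signature says nothing about which copy of the app signed.
    if not provider_verify("POST", URL, params, REGISTERED):
        return None
    return APP_NAMES[params["oauth_consumer_key"]]
```

Two calls signed with the same consumer secret both verify and both show "TweetX" in the dialog, which is why the user's remaining control, as Srikanth notes, is revoking the app's access afterwards.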
