On Tue, Jan 12, 2010 at 11:21 PM, Raffi Krikorian <ra...@twitter.com> wrote:
>> If that is the reason for disallowing the source param, why is this
>> policy not being applied uniformly? How would users of Tweetie,
>> Twitterrific, etc. feel if all their updates now said 'from web'? How
>> would the developers of those apps feel?
> those applications have been grandfathered in -- requiring oauth to set the
> source parameter applies to newer applications.
> Raffi Krikorian
> Twitter Platform Team
Not sure I agree with Twitter's decision to give the current
applications a break, yet force new apps to conform. Come on, it's been
like 6 months, pull the plug already and stop babying these old apps.
So new apps should have to deal with the headaches, while these guys
get to sit back and relax until things cool down?? Heh.
>> the ability to "forge" the source parameter is too easy when simply using
>> basic auth.
That's a pretty lame excuse. Desktop apps using OAuth are just as
susceptible to this as basic apps. You must distribute your consumer
credentials with the app. A hacker can strip these and use them for
forging. So OAuth provides no protection there.
The only safety to be had with OAuth is with server-based apps that can
keep their credentials safe.
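
Added example, not part of the original message and not Twitter's code: a sketch of OAuth 1.0 HMAC-SHA1 signing (RFC 5849) showing that the server's check only proves possession of the consumer secret, so the source label follows the secret rather than the program that sent the request. The registry, key, secrets, endpoint and the `attributed_source` helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed registry: consumer key -> (consumer secret, source label). Not real credentials.
REGISTERED = {"example-key": ("example-consumer-secret", "ExampleDesktopApp")}
URL = "https://api.example.test/statuses/update"  # placeholder endpoint

def pct(value):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def attributed_source(method, url, params, signature, token_secret):
    """Server side: return the source label the update would carry, or None."""
    entry = REGISTERED.get(params.get("oauth_consumer_key"))
    if entry is None:
        return None
    consumer_secret, label = entry
    expected = sign(method, url, params, consumer_secret, token_secret)
    return label if hmac.compare_digest(expected, signature) else None

def sample_params(status):
    # Constructed request parameters (fixed nonce and timestamp for repeatability).
    return {"oauth_consumer_key": "example-key", "oauth_token": "user-token",
            "oauth_nonce": "constructed-nonce", "oauth_timestamp": "1263340800",
            "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
            "status": status}

if __name__ == "__main__":
    params = sample_params("hello world")
    # Any program that holds the shipped consumer secret signs identically.
    sig = sign("POST", URL, params, "example-consumer-secret", "user-token-secret")
    print(attributed_source("POST", URL, params, sig, "user-token-secret"))
    # Without the secret (the server-hosted case) the label is not granted.
    bad = sign("POST", URL, params, "wrong-secret", "user-token-secret")
    print(attributed_source("POST", URL, params, bad, "user-token-secret"))
```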