Seriously, are we still beating this dead old horse?

Closed or open source doesn't matter.  The fact that a consumer key and
secret (!) are redistributed = design FAILURE.

It's trivial to recover the consumer key and secret from a closed source
application, which can in turn be used in a malicious application ...

The consumer key and secret CANNOT be used as a form of application
authentication.  It's not trustworthy enough.  This is an inherent
design deficiency in OAuth.


On 1/18/10 2:46 PM, ryan alford wrote:
> Agreed. 
> 
> The reason you don't want to give out YOUR consumer key and consumer
> secret in your open-source code is because somebody could download your
> code, make malicious changes to make it do something bad, and now their
> app looks exactly like yours to Twitter since the consumer keys are the
> same.  So when that app starts causing problems for users, it's YOU that
> they start contacting.

-- 
Dossy Shiobara              | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network   | http://panoptic.com/
  "He realized the fastest way to change is to laugh at your own
    folly -- then you can let go and quickly move on." (p. 70)

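To make the point above concrete, the following is an added example written for this page; it is not code from either poster, from Twitter, or from any OAuth library. It builds a constructed stand-in for a shipped closed-source binary with the consumer key and secret embedded as plain strings, recovers them the way `strings | grep` would, and then signs an OAuth 1.0a request (HMAC-SHA1, as in RFC 5849) twice: once as the legitimate app and once as a rogue app using the recovered credentials. The server-side check recomputes the signature from its own copy of the consumer secret and cannot tell the two apart. The consumer key, secret, user token, URL, nonce and timestamp are all constructed values, not real ones.

```python
"""OAuth 1.0a HMAC-SHA1 signing with a consumer key/secret recovered from a binary.
Added example, not from the mailing-list post.  Every key, secret, URL, nonce and
timestamp below is a constructed placeholder."""
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import quote, urlsplit

# Constructed stand-in for a closed-source app binary: opaque bytes with the
# consumer credentials stored as ordinary NUL-terminated strings.
FAKE_BINARY = (
    b"\x7fELF\x02\x01\x01" + bytes(range(256))
    + b"\x00oauth_consumer_key=exampleConsumerKey123\x00"
    + b"\x00oauth_consumer_secret=exampleConsumerSecretXYZ\x00"
    + bytes(range(255, -1, -1))
)


def recover_consumer_credentials(blob):
    """Mimic `strings <binary> | grep oauth_consumer`: pull printable runs of
    8+ bytes and keep the two labelled ones.  Returns (key, secret)."""
    found = {}
    for run in re.findall(rb"[\x20-\x7e]{8,}", blob):
        m = re.fullmatch(rb"oauth_consumer_(key|secret)=(\S+)", run)
        if m:
            found[m.group(1).decode()] = m.group(2).decode()
    return found["key"], found["secret"]


def pct(s):
    """RFC 5849 section 3.6 percent-encoding: only unreserved chars left bare."""
    return quote(str(s), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & enc(base URL) & enc(sorted, encoded k=v pairs joined by &)."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None):
    """Client side: produce the oauth_* parameters including oauth_signature."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, {**params, **oauth})
    return {**oauth, "oauth_signature": hmac_sha1_signature(base, consumer_secret, token_secret)}


def verify_request(method, url, params, oauth_params, consumer_secrets, token_secrets):
    """Server side: look up the consumer secret by consumer key, recompute, compare.
    Nothing here identifies *which* binary made the request, only who holds the secret."""
    consumer_secret = consumer_secrets.get(oauth_params.get("oauth_consumer_key"))
    if consumer_secret is None:
        return False
    token_secret = token_secrets.get(oauth_params.get("oauth_token", ""), "")
    unsigned = {k: v for k, v in oauth_params.items() if k != "oauth_signature"}
    base = signature_base_string(method, url, {**params, **unsigned})
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


def demo():
    url = "https://api.example.com/1/statuses/update.json"   # constructed endpoint
    params = {"status": "Hello from the app!", "include_entities": "true"}
    legit_key, legit_secret = "exampleConsumerKey123", "exampleConsumerSecretXYZ"
    consumer_secrets = {legit_key: legit_secret}                  # provider's registry
    token_secrets = {"userToken": "userTokenSecret"}              # a user's access token
    nonce, ts = "fixedNonceForComparison", 1263851160             # pinned so signatures compare
    legit = sign_request("POST", url, params, legit_key, legit_secret,
                         "userToken", "userTokenSecret", nonce, ts)
    rogue_key, rogue_secret = recover_consumer_credentials(FAKE_BINARY)
    rogue = sign_request("POST", url, params, rogue_key, rogue_secret,
                         "userToken", "userTokenSecret", nonce, ts)
    wrong = sign_request("POST", url, params, rogue_key, "guessedSecret",
                         "userToken", "userTokenSecret", nonce, ts)
    return {
        "identical": legit["oauth_signature"] == rogue["oauth_signature"],
        "rogue_accepted": verify_request("POST", url, params, rogue, consumer_secrets, token_secrets),
        "wrong_secret_accepted": verify_request("POST", url, params, wrong, consumer_secrets, token_secrets),
    }


if __name__ == "__main__":
    print(demo())
```

With the nonce and timestamp pinned, the legitimate app and the rogue app emit byte-identical `oauth_signature` values, and the provider accepts both; only a request signed with the wrong consumer secret is rejected. That is the whole argument in the post: the consumer secret proves possession of the secret, not the identity of the software that holds it.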