Why would you be required to have a server?  To keep your consumer key and
consumer secret out of your app?  It's not required.  Mine are stored in a
database that is coupled with my application.  The database is password
protected, so nobody is getting in.


On Mon, Jan 18, 2010 at 4:27 PM, M. Edward (Ed) Borasky <zzn...@gmail.com> wrote:

> On Jan 18, 11:48 am, Dossy Shiobara <do...@panoptic.com> wrote:
> > Seriously, are we still beating this dead old horse?
> >
> > Closed or open source doesn't matter.  The fact that a consumer key and
> > secret (!) are redistributed = design FAILURE.
> >
> > It's trivial to recover the consumer key and secret from a closed source
> > application, which can in turn be used in a malicious application ...
> >
> > The consumer key and secret CANNOT be used as a form of application
> > authentication.  It's not trustworthy enough.  This is an inherent
> > design deficiency in OAuth.
>
> If that's the case, then *desktop* Twitter applications are not a
> viable business model. You *must* have a server, with the extra
> overhead that involves, and the extra cost that must be passed on to
> your customers, in order to protect yourself and Twitter from
> malicious users. Given the other limitations of the desktop
> application model, e.g., no production access to the Streaming API and
> no easy mobile deployment options, it's seriously looking like I am
> wasting my time developing desktop applications. Sigh ... off to do
> some more research ...
> --
> M. Edward (Ed) Borasky
> http://borasky-research.net/smart-at-znmeb
> "A mathematician is a device for turning coffee into theorems." ~ Paul
> Erdős
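
The point argued in the quoted messages, that a consumer key and secret shipped inside an application cannot authenticate that application, follows from how an OAuth 1.0a request is signed. The sketch below is an added example, not code from anyone in this thread: it computes the HMAC-SHA1 signature per RFC 5849 and shows that a provider recomputing it sees the same value from any program holding the same secret. All keys, tokens and the URL are constructed placeholders, and `provider_accepts` and `demo` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(str(value), safe="-._~")


def sign_request(method, url, params, consumer_secret, token_secret=""):
    """OAuth 1.0a HMAC-SHA1 signature (RFC 5849 sections 3.4.1 and 3.4.2).

    `url` is assumed to be the already-normalized base string URI (no query).
    """
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def provider_accepts(method, url, params, signature, consumer_secret, token_secret):
    # All the provider can do: recompute the signature and compare in constant time.
    expected = sign_request(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)


# Constructed sample values, not real credentials or a real endpoint.
CONSUMER_SECRET, TOKEN_SECRET = "example-consumer-secret", "example-token-secret"
URL = "https://api.example.test/1/statuses/update.json"
PARAMS = {
    "oauth_consumer_key": "example-consumer-key", "oauth_token": "example-user-token",
    "oauth_nonce": "constructed-nonce-1", "oauth_timestamp": "1263850000",
    "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
    "status": "hello world & more",
}


def demo():
    # The shipped application and an unrelated program holding the same secret.
    shipped = sign_request("POST", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    reordered = dict(reversed(list(PARAMS.items())))
    other = sign_request("post", URL, reordered, CONSUMER_SECRET, TOKEN_SECRET)
    ok_other = provider_accepts("POST", URL, PARAMS, other, CONSUMER_SECRET, TOKEN_SECRET)
    ok_wrong = provider_accepts("POST", URL, PARAMS, other, "different-secret", TOKEN_SECRET)
    return shipped, other, ok_other, ok_wrong
```

The signature proves possession of the consumer secret and the user's token secret, nothing about which binary produced the request, so provider-side decisions should rest on the per-user token (which can be revoked individually) rather than on the consumer identity.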
