On Mon, Feb 01, 2010 at 08:29:18PM +0000, Aral Balkan wrote:
> I would really love to have a comment from you guys for the blog post I'm
> writing: is Twitter actively discouraging the creation of new mobile and
> desktop apps?

I'm not Raffi.  I don't even work for Twitter.  But I am very confident
that the purpose of their policy regarding source params has nothing to
do with penalizing anyone or actively discouraging the creation of new
applications.

> I _really_ hope you can reconsider this as I see no logic whatsoever behind
> this policy.

The logic is very simple:

OAuth provides Twitter with the ability to identify the sending
application.

Basic Auth does not.

Therefore, Basic Auth source params are easily forged, allowing apps to
trivially impersonate each other, which is clearly undesirable.

(Unfortunately, this logic is not watertight, in that desktop/mobile
apps are vulnerable to having their OAuth keys extracted from them, in
which case they could still be impersonated, but that's the reasoning
I've seen given previously for the policy.)

-- 
Dave Sherohman
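
Added example, not part of the original message and not Twitter's code: a server-side sketch of the difference described above, where a Basic Auth `source` value is taken as sent while an OAuth 1.0a application name is only returned after the HMAC-SHA1 signature verifies against the registered consumer secret. The URL, keys, secrets and function names are constructed assumptions; URL normalization and nonce/timestamp replay checks are omitted.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Constructed sample data: endpoint, registered apps, issued token secrets.
URL = "https://api.example.test/statuses/update"
CONSUMERS = {"ck_alpha": ("cs_alpha_secret", "AlphaClient")}
TOKEN_SECRETS = {"tok_1": "tok_1_secret"}

def _enc(s):
    return quote(str(s), safe="-._~")  # percent-encode all but RFC 3986 unreserved

def oauth_signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the OAuth 1.0a signature base string."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def attribute_basic(params):
    """Basic Auth: the app identity is whatever string the client sent."""
    return params.get("source", "unknown")

def attribute_oauth(method, url, params):
    """OAuth: app name comes from the registry, and only if the signature verifies."""
    consumer = CONSUMERS.get(params.get("oauth_consumer_key"))
    token_secret = TOKEN_SECRETS.get(params.get("oauth_token"))
    if consumer is None or token_secret is None:
        return None
    expected = oauth_signature(method, url, params, consumer[0], token_secret)
    supplied = str(params.get("oauth_signature", ""))
    ok = hmac.compare_digest(expected.encode(), supplied.encode())
    return consumer[1] if ok else None

def signed_request(status, consumer_key, consumer_secret):
    """Constructed client request, signed with whatever secret the caller holds."""
    p = {"status": status, "oauth_consumer_key": consumer_key,
         "oauth_token": "tok_1", "oauth_signature_method": "HMAC-SHA1",
         "oauth_timestamp": "1265056158", "oauth_nonce": "n1", "oauth_version": "1.0"}
    p["oauth_signature"] = oauth_signature("POST", URL, p, consumer_secret, TOKEN_SECRETS["tok_1"])
    return p
```

The check proves possession of the consumer secret, not which binary sent the request, which is why the caveat about keys extracted from desktop and mobile apps still applies.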
