Here's an idea: let's reverse engineer the top desktop and mobile Twitter apps and use their oAuth keys to... Oh, wait, my bad: the top desktop/mobile apps _don't_ use oAuth and boy will they take a UX beating when they start.

But one day... :)

oAuth for desktop and mobile: making security through obscurity fun again.

Aral

Sent from my iPhone

On 2 Feb 2010, at 07:55, Dave Sherohman <d...@fishtwits.com> wrote:

On Mon, Feb 01, 2010 at 08:29:18PM +0000, Aral Balkan wrote:
> I would really love to have a comment from you guys for the blog post I'm writing: is Twitter actively discouraging the creation of new mobile and
> desktop apps?

I'm not Raffi. I don't even work for Twitter. But I am very confident that the purpose of their policy regarding source params has nothing to
do with penalizing anyone or actively discouraging the creation of new
applications.

> I _really_ hope you can reconsider this as I see no logic whatsoever behind
> this policy.

The logic is very simple:

OAuth provides Twitter with the ability to identify the sending
application.

Basic Auth does not.

Therefore, Basic Auth source params are easily forged, allowing apps to
trivially impersonate each other, which is clearly undesirable.

(Unfortunately, this logic is not watertight, in that desktop/mobile
apps are vulnerable to having their OAuth keys extracted from them, in
which case they could still be impersonated, but that's the reasoning
I've seen given previously for the policy.)

--
Dave Sherohman
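Dave's distinction above, as an added Python example that is not part of the thread: a Basic Auth `source` parameter is a bare label the client fills in, while an OAuth 1.0a consumer key only identifies an app because the request signature is recomputed with that app's consumer secret. The app registry, consumer key, secret, app name and request parameters are constructed; the caveat in the thread follows directly, since anyone holding an extracted secret produces a signature the server accepts.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def _enc(value) -> str:
    # OAuth 1.0a percent-encoding: only the RFC 3986 unreserved set is left alone.
    return quote(str(value), safe="-._~")


def oauth_signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature over the OAuth 1.0a signature base string."""
    norm = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), _enc(url), _enc(norm)])
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_secret, token_secret=""):
    """Client side: attach oauth_signature to the request parameters."""
    signed = dict(params)
    signed["oauth_signature"] = oauth_signature(method, url, params, consumer_secret, token_secret)
    return signed


# Constructed stand-in for the provider's app registry: consumer key -> (secret, app name).
APP_REGISTRY = {"acme-client-key": ("acme-client-secret", "Acme Tweeter")}


def identify_app_basic_auth(form):
    """Basic Auth: 'source' is whatever the client sent; nothing ties it to a registered app."""
    return form.get("source", "api")


def identify_app_oauth(method, url, params, token_secret=""):
    """OAuth: recompute the signature with the registered secret; only a holder of it matches."""
    key = params.get("oauth_consumer_key")
    if key not in APP_REGISTRY:
        return None
    secret, app_name = APP_REGISTRY[key]
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = oauth_signature(method, url, unsigned, secret, token_secret)
    # Constant-time comparison; a wrong or missing secret yields a mismatch here.
    return app_name if hmac.compare_digest(expected, params.get("oauth_signature", "")) else None
```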
