> > > We just updated our Twitter plugin for WordPress to use the new
> > > OAuth API.  Someone just asked if it was safe to store the consumer
> > > key and consumer secret in plain text (which it basically has to be
> > > as I understand it, since ultimately it needs to be sent to the
> > > server in a plain text form).  I can't really think of a way that
> > > would work for all end users to protect the two.  Ultimately I
> > > guess this means that someone could pretend to be our application
> > > if they wanted?  Anyone have any thoughts on this or any possible
> > > workarounds?
> > 
> > Speaking from personal experience, Twitter will not allow you to have
> > your consumer secret in plain text in (visible form in) your code.
> 
> How do you propose people do that for desktop/mobile apps? You have to
> install the code on the user device, and that device at some point has
> to generate the consumer secret in clear text, so it can be signed. An
> intruder can examine the code and intercept the secret. 

Without jumping the gun too much on Raffi, for this particular class of apps
the application secret must be generated for each instance. The trick is
doing this without inconveniencing users or forcing them to "become
developers". Streamlining this process is what we're working out.

-- 
------------------------------------ personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
-- PRIVACY. IT'S EVERYONE'S BUSINESS. -- Evil, Inc. ---------------------------

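The point made in this exchange, that whoever can read the consumer secret out of the shipped code can sign requests as the application, is easy to see in the OAuth 1.0a HMAC-SHA1 mechanics themselves. The following is an added example (written for this page; it is not code from the thread, the plugin, or Twitter). It implements the RFC 5849 signature base string and HMAC-SHA1 signature, plus a toy provider that verifies signatures the way a server must: by recomputing them from its own copy of the secret. The endpoint URL, consumer keys and secrets are all made-up values, and the code assumes the caller passes a base URL without a query string and puts any query or body parameters in the `params` dict (duplicate parameter names are not supported). The last part shows the per-instance-credential idea from Cameron's reply: with one consumer key per install, a leaked instance can be revoked without breaking the rest.

```python
"""OAuth 1.0a HMAC-SHA1 signing (RFC 5849) with a toy server-side verifier.

Added example for this thread: the consumer secret is raw key material for
the signature, so a copy of it extracted from a desktop/mobile app or a
WordPress plugin signs exactly like the real application. All keys,
secrets and the endpoint below are constructed, not real.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(s: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires (RFC 5849 section 3.6):
    only A-Z a-z 0-9 - . _ ~ are left unencoded, so '/' and ':' are escaped."""
    return quote(str(s), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Signature base string (RFC 5849 section 3.4.1).

    `params` holds query/body parameters plus every oauth_* parameter except
    oauth_signature. Assumes `url` is already the base URL (no query string)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string (RFC 5849 section 3.4.2). The key is the
    two secrets joined by '&'; the consumer secret goes in verbatim, which is
    why it cannot be hidden from anyone who can run the signing code."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, body_params, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None) -> dict:
    """Produce the oauth_* protocol parameters for one request, signed.
    nonce/timestamp can be pinned to make the output reproducible."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, {**body_params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth


class ToyProvider:
    """Minimal service provider: stores one secret per consumer key and
    accepts a request if its own recomputation matches. It cannot distinguish
    the legitimate application from anyone else holding the same secret."""

    def __init__(self):
        self.consumers = {}  # consumer_key -> consumer_secret (constructed values)

    def register_consumer(self):
        """Issue a fresh key/secret pair, e.g. one per installed instance."""
        key = secrets.token_hex(8)
        self.consumers[key] = secrets.token_urlsafe(24)
        return key, self.consumers[key]

    def revoke_consumer(self, key):
        """Drop one instance's credentials without touching the others."""
        self.consumers.pop(key, None)

    def verify(self, method, url, body_params, oauth, token_secret="") -> bool:
        secret = self.consumers.get(oauth.get("oauth_consumer_key"))
        if secret is None:
            return False
        presented = oauth.get("oauth_signature", "")
        unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
        base = signature_base_string(method, url, {**body_params, **unsigned})
        expected = hmac_sha1_signature(base, secret, token_secret)
        return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    provider = ToyProvider()
    url = "https://api.example.net/1/statuses/update.json"  # constructed endpoint
    body = {"status": "posted from the plugin"}
    key, secret = provider.register_consumer()          # baked into every copy
    app = sign_request("POST", url, body, key, secret, nonce="n1", timestamp=1)
    impostor = sign_request("POST", url, body, key, secret, nonce="n1", timestamp=1)
    print("identical signatures:", app == impostor)
    print("provider accepts impostor:", provider.verify("POST", url, body, impostor))
```

Run as a script it prints that the two signatures are byte-for-byte identical and that the provider accepts both; the fix the thread is circling (one consumer credential per instance, so `revoke_consumer` can cut off a single leaked copy) is the only lever the provider has, since the signature gives it nothing to distinguish the copies by.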