Twitter did this for one reason and only one reason. Sucks, I know, but they did this because of all the desktop and net applications that are mass-sending messages, parsing, you name it. Now they have control to kill the key.

I think it's a horrible solution because now all the developers will do is steal our keys and implement them in their solution until the key gets cut off; then they will just move on to the next key they took. Hmm, Twitter just doesn't have the staff that knows how these developers think.

Mike

On Jul 15, 9:22 pm, "uberChicGeekChick(*KaityGB);" <uberch...@uberchicgeekchick.com> wrote:

> So basically Twitter's "solution" to keep consumer keys out of OSS apps' code base is:
> - to require a hard-coded URL, which will be easily found in any app's source (or by simply scanning one's network traffic).
> - this URI then responds by displaying the consumer key, consumer secret, and even more information in plain text (which can also be easily sniffed from network traffic).
> - then these "credentials" are displayed in plain text, which the user has to copy & paste back into my app.
>
> I have further issues, but I'll start here, with the app's OAuth credentials all being displayed in plain text after a user grants an OSS application access to their account. So how does this remotely rationally solve anything? So now, instead of a cracker needing to dig through my code to find my consumer secret, they can simply run my, or any open source, app and grant this app access to my, i.e. the cracker's, account, and now the cracker has my app's consumer key, consumer secret, & even more. And once they have this they need not even paste it into my app, or have looked through even one line of my open source code.
>
> So how does this do anything but make my app's OAuth "credentials" even easier for a cracker to get a hold of? Now they can grep/search my code base for the URI and use a simple curl/wget script to get my app's "key & secret".
>
> What's being solved here? An OAuth access problem, Twitter's lack of awareness, or complete disregard for open source apps using your service?
>
> And now even supposing that my app gets this URI "pasted" back into it: my app's going to have to store these credentials. Now what? Whether I store this information in GConf, an ini/conf file, or even an encrypted storage system, e.g. gnome-keyring/a GPG-locked data file, no matter what I do there are three glaring holes in the "solution":
> 1st) even at this point, my process of storing & retrieving Twitter's precious OAuth credentials *has* to be viewable in my source code,
> 2nd) once my app is running & sending requests to & from Twitter, these credentials are now sitting in RAM & again easily accessible to any cracker who'll spend 5 minutes looking for it (any decent debugger, or countless other methods, will grant them access to this information),
> 3rd) it's all still easily accessible by sniffing network traffic.
>
> Now if an SSL connection were to be *required* this would solve the network sniffing issue, but none of the others. There are other issues which are more fundamental shortcomings in OAuth itself, which I've already mentioned in my original xAuth request support ticket & elsewhere online.
>
> By any logical evaluation: implementing & requiring OAuth is a mistake. If only Twitter could stand up and be technically competent enough to just admit it.
>
> Thankfully StatusNet/identica & other open source micro-blogging platforms will learn from Twitter's mistake. The only truly depressing part of this situation is that I am now going to be losing my primary "social connection". Especially as a disabled open source artist: this is incredibly sad & I can honestly say that I will miss more of my Twitter friends than I can even count... all because I create & use open source applications.
>
> I wish I weren't being forced to say goodbye to so many beautiful friends who've become corner-stones of my personal support network....
> But that's what I get for having made so many friends who rely on a closed-source 3rd party.
>
> At least I can say that, for a time, Twitter truly did improve my quality of life. ~alas~ Now my only choice left is to say goodbye. Thankfully many of my friends have joined StatusNet. And of course I can always keep holding out hope that Twitter will reverse this mistake. A hope I'll hold on to until the day when my own open source app can no longer access Twitter. Hopefully hope may prove to be powerful enough.
>
> Sincerely & hopefully,
> kaity g.b. - get2gnow's artist, author, coder, & creator.
> http://uberChicGeekChick.com/?projects=get2gnow.
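As an added illustration of the point argued in this thread (it is not code from the thread, from get2gnow, or from Twitter): a minimal OAuth 1.0a HMAC-SHA1 signer per RFC 5849, showing that the request signature is keyed solely by the consumer secret and token secret, so the server can only verify possession of those strings, never which program sent the request. The URL, consumer key, token and both secrets are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """Percent-encode per RFC 3986 as OAuth 1.0a requires (unreserved: A-Z a-z 0-9 - . _ ~)."""
    return quote(str(value), safe="~")


def signature_base_string(method, base_url, params):
    """RFC 5849 section 3.4.1: method, base URL and sorted encoded parameters joined by '&'.
    params = oauth_* protocol parameters plus query/body parameters, never oauth_signature."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign_request(method, base_url, params, consumer_secret, token_secret=""):
    """RFC 5849 section 3.4.2: HMAC-SHA1 over the base string, keyed by the two secrets only."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base_string = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base_string, hashlib.sha1).digest()).decode()


# Constructed sample values: key, token and secrets are placeholders, not real Twitter credentials.
URL = "https://api.twitter.com/1/statuses/home_timeline.json"
PARAMS = {
    "count": "5",
    "oauth_consumer_key": "EXAMPLE_CONSUMER_KEY",
    "oauth_nonce": "n1",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1279200000",
    "oauth_token": "EXAMPLE_TOKEN",
    "oauth_version": "1.0",
}
APP_CONSUMER_SECRET = "example-consumer-secret"
USER_TOKEN_SECRET = "example-token-secret"


def only_the_secret_authenticates():
    """Identical secrets give a byte-identical signature; a different consumer secret does not.
    The server therefore verifies possession of the secret, never which program sent the request."""
    genuine = sign_request("GET", URL, PARAMS, APP_CONSUMER_SECRET, USER_TOKEN_SECRET)
    same_secret = sign_request("GET", URL, dict(PARAMS), APP_CONSUMER_SECRET, USER_TOKEN_SECRET)
    other_secret = sign_request("GET", URL, PARAMS, "some-other-secret", USER_TOKEN_SECRET)
    return genuine == same_secret and genuine != other_secret
```

This is why a secret embedded in a distributed client (source, binary, RAM or a credential page) cannot stand in for client authentication; requiring TLS, as the thread notes, only removes the on-the-wire copy.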