On Wed, Sep 1, 2010 at 10:20 PM, John Meyer <john.l.me...@gmail.com> wrote:
> 1.  reverse engineering a consumer key combo from a legit program, creating
> user accounts and generating tokens, spamming it until it's locked out,
> tracking down another legit program, reverse engineering it, lathering,
> rinsing, and repeating
> vs.
> 2.  generating his own consumer keys through twitter and using those.
> the spammer's going to take #1.

... unless he manages to get hold of an app like Tweetie or even
Twitter for iPhone, which are hugely used around. I really doubt
Twitter would revoke those applications secret and let a huge number
of users in the dark.

> Somehow, I would think that #2 would be a
> whole lot easier.  Besides, whether or not you think it's safer I seriously
> doubt that Twitter is thinking that oAuth is the only security measure.

Personally, I believe that security through obscurity is no security
at all. But let's assume that OAuth is more secure (or, at least,
harder to be "cracked"). My problem with this all is that:

1) If I want to offer the same "hard to crack" level of closed source
apps (since they require a tool different than grep), I'd have to
force my users (desktop users, remember) to register their own apps.

2) If I want to offer an easier UX, I'd have to provide my own key
and, thus, offer a lower security than other apps.

OAuth certainly makes sense as a model for "never type your password
in some weird site 'cause you don't know when they say that they
couldn't connect to Twitter is really that or they are just storing
your login and password to abuse the ecosystem". The whole problem
with it is the revocation of keys when it's believed that the app is
not behaving properly because one single point abuses it. In that
case, the point should be blocked, not the application itself.

Julio Biason <julio.bia...@gmail.com>
Twitter: http://twitter.com/juliobiason

Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: 

Reply via email to