, March 26, 2009 4:38 PM
To: oauth@googlegroups.com
Subject: [oauth] Re: Security through obscurity?
Eran Hammer-Lahav wrote:
Comparison with OpenID at this stage is not that relevant because while
OAuth protects real data and resources, OpenID at most reveals some silly
information by the application.
EHL
-Original Message-
From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf Of Martin Atkins
Sent: Wednesday, March 25, 2009 12:28 PM
To: oauth@googlegroups.com
Subject: [oauth] Re: Security through obscurity?
Eran Hammer-Lahav wrote:
But it does make
On Mar 23, 2009, at 12:19 , Nial wrote:
It seems like the best way to move forward would be to have my widget
contact my server and check for a change in consumer key/secret. Of
course, it'd be easy for anyone to visit that address for the latest
details, but it'd mean less hassle for the
I think that it ultimately depends on your security model and needs. If the
benefit of hacking your consumer key is minor, then it's probably not that
big a deal if it leaks; if you change your consumer key for every major or
minor release, you'll at least be able to track usage and
So how does this 3rd party server authenticate your widget? What's to
stop someone from reverse engineering the protocol and requesting your
CK/Secret?
We believe that it is impossible to safeguard any secrets embedded in
downloadable client applications. Someone with a debugger and some