On Sun, Jan 31, 2010 at 1:36 PM, Isaiah Carew <isa...@me.com> wrote:

> Also, I think you have it right, that distribution of the source sans keys
> and the binary with keys is the way to go. I completely agree that it's the
> obvious practical solution. It's the one I took myself for my OSS OAuth
> code.

I'm not convinced that distributing *any* oAuth capability to end users, even in binary form - even in a form where said binary interfaces in secure ways with the underlying desktop / mobile ways to persist the consumer key and secret - is the "way to go". I personally think the "way to go" is to deploy applications as servers with the thinnest possible client imaginable. If ChromeOS netbooks actually existed today, that's what I'd be building - servers that interacted with Twitter on behalf of users with ChromeOS netbooks.

Given what I know now about oAuth, I'm not planning on releasing any oAuth desktop applications. I never *was* planning mobile ones - the kind of processing I have in mind flat out can't be done on a mobile, so I'd have to have a server anyway to deploy to mobile users.

> I'd say it's a pretty reasonable bet that one of the major desktop clients
> will be compromised within a year or so of implementing OAuth -- and will
> probably result in a lot of user frustration. It seems like there will be
> ample motivation and little to prevent them.
>
> Only time will tell, you're free to come and laugh at me if it doesn't
> happen. Bookmark this email, we'll check back in 18 months. ;-)
>
> Isaiah

Well ... the motivation is there now, with or without oAuth. And oAuth doesn't make it *easier* to compromise a desktop application.

As far as desktop "user frustration" is concerned, though, there are so many other sources of desktop user frustration already - botnets, weekly virus scans that take hours, browser vulnerabilities, 15-30 minute waits before the machine is "open for business", and, of course, the hundreds of dollars one pays per year for just a license to use the desktop software - that I think a compromised Twitter desktop platform isn't going to get much attention unless it does something really nasty, like a DDOS against Twitter.

-- 
M. Edward (Ed) Borasky
http://borasky-research.net

"I've always regarded nature as the clothing of God."
~Alan Hovhaness
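An added example, not from this thread, of the thin-client design Ed describes: an OAuth 1.0a HMAC-SHA1 signer (RFC 5849) in which only a server-side component holds the consumer secret and the users' token secrets, so nothing a distributed client binary contains is enough to sign as the application. Key, token and URL values are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def _enc(value):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """METHOD & enc(url) & enc(sorted 'k=v' pairs); params include the oauth_* fields."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])

def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with enc(consumer_secret)&enc(token_secret), base64 output."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign(method, url, params, consumer_key, consumer_secret, token, token_secret,
         nonce=None, timestamp=None):
    """Return the oauth_* parameters (signature included) for one request."""
    oauth = {"oauth_consumer_key": consumer_key, "oauth_token": token,
             "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
             "oauth_nonce": nonce or secrets.token_hex(8),
             "oauth_timestamp": str(timestamp or int(time.time()))}
    base = signature_base_string(method, url, {**params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth

def verify(method, url, params, oauth, consumer_secret, token_secret):
    """Provider-side check: recompute over everything except oauth_signature."""
    unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
    base = signature_base_string(method, url, {**params, **unsigned})
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth.get("oauth_signature", ""))

class SigningServer:
    """The 'thin client' design: only this server holds the consumer secret and the
    users' token secrets; the desktop/mobile client sends request details only."""
    def __init__(self, consumer_key, consumer_secret):
        self._consumer_key, self._consumer_secret = consumer_key, consumer_secret
        self._tokens = {}  # user_id -> (oauth_token, oauth_token_secret), constructed
    def store_user_token(self, user_id, token, token_secret):
        self._tokens[user_id] = (token, token_secret)
    def sign_for_user(self, user_id, method, url, params):
        token, token_secret = self._tokens[user_id]
        return sign(method, url, params, self._consumer_key, self._consumer_secret,
                    token, token_secret)
```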