On Wed, Sep 1, 2010 at 10:20 PM, John Meyer <john.l.me...@gmail.com> wrote:
> 1. reverse engineering a consumer key combo from a legit program, creating
> user accounts and generating tokens, spamming it until it's locked out,
> tracking down another legit program, reverse engineering it, lathering,
> rinsing, and repeating
>
> vs.
>
> 2. generating his own consumer keys through twitter and using those.
>
>
> the spammer's going to take #1.

... unless he manages to get hold of an app like Tweetie or even Twitter for iPhone, which are hugely used around. I really doubt Twitter would revoke those applications' secret and leave a huge number of users in the dark.

> Somehow, I would think that #2 would be a
> whole lot easier. Besides, whether or not you think it's safer I seriously
> doubt that Twitter is thinking that oAuth is the only security measure.

Personally, I believe that security through obscurity is no security at all. But let's assume that OAuth is more secure (or, at least, harder to be "cracked"). My problem with this all is that:

1) If I want to offer the same "hard to crack" level of closed source apps (since they require a tool different than grep), I'd have to force my users (desktop users, remember) to register their own apps.

2) If I want to offer an easier UX, I'd have to provide my own key and, thus, offer lower security than other apps.

OAuth certainly makes sense as a model for "never type your password in some weird site 'cause you don't know, when they say that they couldn't connect to Twitter, whether that's really it or they are just storing your login and password to abuse the ecosystem".

The whole problem with it is the revocation of keys when it's believed that the app is not behaving properly because one single point abuses it. In that case, the point should be blocked, not the application itself.

--
Julio Biason <julio.bia...@gmail.com>
Twitter: http://twitter.com/juliobiason