On Fri, Aug 23, 2013 at 7:38 AM, Nicolas Vervelle <nverve...@gmail.com> wrote:

> > The best workaround now is probably to have each user register their copy
> > of your desktop application as its own consumer. It's a little ugly
> having
> > to give your user instructions on cutting and pasting tokens and keys
> > around, but it can work (in the early days of Salesforce, several OAuth
> > apps were configured this way).
> >
>
> Seems very complex for users, so I won't go that way for WPCleaner.
> Is it possible to use only one client, with the secret key included in the
> distribution?
> (A user with enough determination will be able to extract it)
> This would mean that there's not 100% certainty about the client being the
> true one.
> But, the attacker would only be able to impersonate the application, not
> the user.


Unfortunately, no. This is one of the subtleties of OAuth 1. Since we don't
require HTTPS for getting the user token, or using a user token, it's
possible to impersonate a user by compromising the consumer's secret key if
the attacker has also been able to sniff traffic generated by that consumer.

It does sound like the current iteration of the extension may not be the
best fit. But it's good to know about these use cases, so we can set
priorities for future development.
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
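To make the point in the reply concrete, here is an added worked example (not part of the thread, and not the MediaWiki OAuth extension's or WPCleaner's own code) of OAuth 1.0a HMAC-SHA1 signing per RFC 5849, with a minimal resource-server check. The consumer key, token, secrets, URL and the "sniffed" token secret are all constructed values. It shows why the signature check alone cannot help the server here: the HMAC key is `consumer_secret&token_secret`, and the token secret itself travels in the token-exchange response, so if that exchange is not protected by TLS, a party holding an extracted consumer secret plus the sniffed token secret produces signatures the server cannot distinguish from the genuine client's. The nonce and timestamp checks only stop replay of captured requests, not freshly signed ones.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit


def pct(s):
    # RFC 5849 section 3.6: percent-encode everything outside the unreserved set.
    return quote(s, safe="-._~")


def base_string_uri(url):
    # Scheme and host lower-cased, default port dropped, query string stripped.
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), p.hostname.lower(), p.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path or '/'}"


def signature_base_string(method, url, params):
    # params: every query, form-body and oauth_* (name, value) pair; oauth_signature is excluded.
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    # The signing key is BOTH secrets joined by '&': whoever holds the two can sign as the user.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None):
    # Builds the oauth_* protocol parameters a client would send in its Authorization header.
    oauth = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_token", token),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp if timestamp is not None else int(time.time()))),
        ("oauth_nonce", nonce or secrets.token_hex(8)),
        ("oauth_version", "1.0"),
    ]
    sig = hmac_sha1_signature(signature_base_string(method, url, list(params) + oauth),
                              consumer_secret, token_secret)
    return dict(oauth + [("oauth_signature", sig)])


class ResourceServer:
    # Minimal server-side check of a signed request (constructed for this example).
    def __init__(self, consumers, tokens):
        self.consumers = consumers  # consumer_key -> consumer_secret
        self.tokens = tokens        # oauth_token -> (token_secret, username)
        self.seen_nonces = set()

    def verify(self, method, url, params, oauth, now, window=300):
        consumer_secret = self.consumers.get(oauth.get("oauth_consumer_key"))
        entry = self.tokens.get(oauth.get("oauth_token"))
        if consumer_secret is None or entry is None:
            return None
        token_secret, user = entry
        if abs(now - int(oauth["oauth_timestamp"])) > window:
            return None  # stale timestamp
        nonce_key = (oauth["oauth_consumer_key"], oauth["oauth_token"], oauth["oauth_nonce"])
        if nonce_key in self.seen_nonces:
            return None  # replay of a captured request
        expected = hmac_sha1_signature(
            signature_base_string(method, url, list(params) + list(oauth.items())),
            consumer_secret, token_secret)
        if not hmac.compare_digest(expected, oauth["oauth_signature"]):
            return None  # wrong key material or tampered request
        self.seen_nonces.add(nonce_key)
        return user


# Query and (decoded) body parameters of the example request in RFC 5849 section 3.4.1.1.
RFC5849_EXAMPLE_PARAMS = [
    ("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"), ("c2", ""), ("a3", "2 q"),
    ("oauth_consumer_key", "9djdj82h48djs9d2"), ("oauth_token", "kkk9d7dh3k39sjv7"),
    ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "137131201"),
    ("oauth_nonce", "7d8f3e4a"),
]


def demo():
    # All credentials are constructed; "sniffed" models a token secret read off a plaintext token exchange.
    server = ResourceServer({"wpcleaner-demo": "consumer-secret"},
                            {"tok-alice": ("alice-token-secret", "alice")})
    url, params, now = "http://wiki.example/w/api.php", [("action", "edit"), ("title", "Sandbox")], 1377250000

    def attempt(token_secret, nonce):
        oauth = sign_request("POST", url, params, "wpcleaner-demo", "consumer-secret",
                             "tok-alice", token_secret, nonce=nonce, timestamp=now)
        return oauth, server.verify("POST", url, params, oauth, now)

    genuine, results = {}, {}
    genuine, results["genuine"] = attempt("alice-token-secret", "n1")
    results["replay"] = server.verify("POST", url, params, genuine, now)  # same nonce again
    # Extracted consumer secret alone: the HMAC key is missing its second half.
    results["consumer_secret_only"] = attempt("", "n2")[1]
    # Extracted consumer secret plus the sniffed token secret: indistinguishable from the client.
    results["both_secrets"] = attempt("alice-token-secret", "n3")[1]
    return results


if __name__ == "__main__":
    print(demo())
```

The four outcomes of `demo()` summarise the reply: the genuine request is accepted, replaying it is rejected by the nonce check, a request signed with the consumer secret alone fails verification, and one signed with both secrets is accepted as the user. The mitigation is therefore transport protection (TLS) on the token exchange and on signed requests, not anything the signature scheme itself can provide.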
