Mace Moneta September 10, 2010 9:31 AM

I just recently converted a small script to use OAuth. In practice, it’s little more than a secondary, application-specific, userid and password.

The only advantage that I could see is that when you are compromised you can identify the application that was the entry point of the attack.

The keys, whether internal to the application or external, still need to be accessible to the application. There’s no more security than a userid and password – it’s just considerably more cumbersome to use in practice.

This is the step-by-step guide I used by the way, if you want to see the process:

OAuth just appears to be an obfuscation of an otherwise simple userid, password, and application ID.

Smail September 10, 2010 10:02 AM

Interesting that he mentions customers switching away from compromised clients. Something similar has been happening over the last two weeks as many people found their Twitter apps of choice hadn’t been updated to deal with OAuth. Lots of complaining that “my Twitter app stopped working” and people quickly downloading another to use in its place.

Pete September 13, 2010 5:42 AM

The attempt to use a “device key” in software seems to be the problem; it’s fundamentally a bad idea and doesn’t seem to gain them anything.
