SSL can provide data privacy (with encryption) and assure the user or consumer of the service provider's identity (with certificate-based server authentication). OAuth doesn't do any of this.
A mix of HTTP and HTTPS can be used. For example, one could use HTTPS for sending token secrets and sending the user's password to the service provider, and use HTTP for access to protected resources. Of course, the consumer and service provider must agree to these choices. Some service providers support both, leaving the choice up to their consumers. Bear in mind that Twitter doesn't need very strong security, since it doesn't handle money or private information.

On Jan 30, 6:26 am, David King <da...@1daylater.com> wrote:
> Currently I'm using HMAC-SHA1 over HTTP and have been considering
> adding in SSL to my app, but am slightly confused as to what is more
> appropriate. Obviously I'll be losing a *lot* of speed with SSL, and
> from reading the specification I'm unclear whether it's actually
> necessary.
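
An added example, not part of the original messages: an OAuth 1.0 HMAC-SHA1 signature (built per RFC 5849) sent over plain HTTP lets the service provider detect a modified request, while every signed parameter remains readable on the wire. The secrets, URL, parameter values and the `demo` helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(s):
    return quote(s, safe="-._~")  # RFC 5849 section 3.6 percent-encoding

def base_string(method, url, params):
    # RFC 5849 section 3.4.1: METHOD & encoded URL & encoded sorted parameters
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    # The HMAC key is built from the two shared secrets, which are not sent.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, signature, consumer_secret, token_secret):
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample values, not taken from any real service.
CONSUMER_SECRET = "example-consumer-secret"
TOKEN_SECRET = "example-token-secret"
URL = "http://api.example.com/statuses/update"
PARAMS = {
    "oauth_consumer_key": "example-consumer-key",
    "oauth_token": "example-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1264861560",
    "oauth_nonce": "constructed-nonce-1",
    "status": "meeting moved to 3pm",
}

def demo():
    sig = sign("POST", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    wire = "&".join(f"{pct(k)}={pct(v)}" for k, v in PARAMS.items())
    tampered = dict(PARAMS, status="meeting cancelled")
    return {
        "readable_on_wire": "meeting%20moved%20to%203pm" in wire,
        "secret_on_wire": TOKEN_SECRET in wire or CONSUMER_SECRET in wire,
        "original_ok": verify("POST", URL, PARAMS, sig, CONSUMER_SECRET, TOKEN_SECRET),
        "tampered_ok": verify("POST", URL, tampered, sig, CONSUMER_SECRET, TOKEN_SECRET),
    }

print(demo())
```

The signature covers only the request; the response body and the server's identity are outside it, which is the gap SSL fills.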