Re: [twitter-dev] Re: Twitter API SSL certificate failing validation
Make sure in /etc/ssl/certs that you have a copy of the Verisign root CA file, just like in the java example above. If you're loading all files from /etc/ssl/certs you should be able to just drop in the http://curl.haxx.se/ca/cacert.pem file and that should fix your issue. -j On Wed, Jul 20, 2011 at 3:29 AM, Haitham haitham.moham...@gmail.com wrote: Pardon me, I have the same problem, but I seem to be missing something about the solution. My application is in Ruby on Rails, with a gem called OmniAuth doing the OAuth work. It was working just fine before this change, automatically fetching my certificates from /etc/ssl/certs directory. What should I do to adjust to the new CA? Thanks in advance. On Jul 19, 5:54 am, John Adams j...@twitter.com wrote: On Mon, Jul 18, 2011 at 8:17 PM, pgarvie garvie.p...@gmail.com wrote: Has Twitter done something with its SSL certificates lately? As in sometime this afternoon? We've been seeing a ton of sun.security.validator.ValidatorExceptions coming out of Twitter4J since about 5:30PM, USCentral. The certificate for api.twitter.com previously used a wildcard certificate which was issued by Rapid SSL. We switched the API SSL certificate (after much testing) to a Verisign SSL certificate today and the IP to dedicated VIPs. If you are using Java, there may be a chance that you do not have the Verisign Root CA Certificate installed in the Java Keychain of your application. Make sure that exists. You'll need that to verify our certificate chain. You want this Root CA, which is available from Verisign (or in this file: http://curl.haxx.se/ca/cacert.pem) i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network You may also need to clear your DNS cache and/or restart your application. I've seen Java's security layer not revalidate SSL certificates correctly until restart, but I know little about how your application functions. 
-John Twitter Security -- Have you visited the Developer Discussions feature on https://dev.twitter.com/discussions yet? Twitter developer links: Documentation and resources: https://dev.twitter.com/docs API updates via Twitter: https://twitter.com/twitterapi Unsubscribe or change your group membership settings: http://groups.google.com/group/twitter-development-talk/subscribe
Re: [twitter-dev] Twitter API SSL certificate failing validation
On Mon, Jul 18, 2011 at 8:17 PM, pgarvie garvie.p...@gmail.com wrote: Has Twitter done something with its SSL certificates lately? As in sometime this afternoon? We've been seeing a ton of sun.security.validator.ValidatorExceptions coming out of Twitter4J since about 5:30PM, USCentral. The certificate for api.twitter.com previously used a wildcard certificate which was issued by Rapid SSL. We switched the API SSL certificate (after much testing) to a Verisign SSL certificate today and the IP to dedicated VIPs. If you are using Java, there may be a chance that you do not have the Verisign Root CA Certificate installed in the Java Keychain of your application. Make sure that exists. You'll need that to verify our certificate chain. You want this Root CA, which is available from Verisign (or in this file: http://curl.haxx.se/ca/cacert.pem) i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network You may also need to clear your DNS cache and/or restart your application. I've seen Java's security layer not revalidate SSL certificates correctly until restart, but I know little about how your application functions. -John Twitter Security
Re: [twitter-dev] Tweet button fails to parse URL - query strings beginning with & rather than ?
On Fri, Jan 28, 2011 at 3:02 AM, JonM j...@altstudio.co.uk wrote: The following URLs won't parse using the tweet button: 'url' parameter does not contain a valid URL. http://www.pitchero.com/clubs/stockport/j/team-news-1249.html&news_id=247910 Well, that's not a valid URL. See the RFC. http://www.ietf.org/rfc/rfc1738.txt If you need a & right there, you'll have to encode it. I expect this is because the string has an ampersand & rather than a question mark ? before the first GET variable. Yes. Facebook's share and like functions both accept this formatting, as do Google and Yahoo. My guess is that they are encoding the URL for you, and Twitter does not at this time. Is there a reason Twitter's API does not? Is there any work around I can use? Mainly security. We've seen people abusing the tweetbutton URLs in cross-site-scripting attempts and other forms of abuse. -j Thanks -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk
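The check and the encoding step discussed in this message, as an added example that is not part of the original thread and not Twitter's code: it classifies a candidate value for the `url` parameter, flags the "ampersand where the question mark should be" case, and percent-encodes the value before building a share link. The function names and `SHARE_ENDPOINT` are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not Twitter's API.
// SHARE_ENDPOINT is an assumed share endpoint; `url` is the parameter
// named in the error message quoted in the thread.
const SHARE_ENDPOINT = "https://twitter.com/share";
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Classify a candidate value for the `url` parameter before embedding it.
function classifyShareTarget(raw) {
  let parsed;
  try {
    parsed = new URL(raw); // throws on relative or malformed input
  } catch (err) {
    return { ok: false, reason: "unparseable" };
  }
  // Only web schemes may be shared; script-style schemes are rejected.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme-not-allowed" };
  }
  // name=value pairs glued onto the path with '&' and no '?' separator:
  // the parser treats them as part of the path, not as a query string.
  if (parsed.search === "" && /&[^&=\/]+=/.test(parsed.pathname)) {
    return { ok: false, reason: "ampersand-without-query" };
  }
  return { ok: true, url: parsed.href };
}

// If the '&' really belongs in the path, percent-encode it as %26.
function encodePathAmpersands(raw) {
  const parsed = new URL(raw);
  parsed.pathname = parsed.pathname.replace(/&/g, "%26");
  return parsed.href;
}

// Build the share link only from a value that passed classification, and
// encode it so its own '?', '&' and '=' cannot be read as extra parameters.
function buildShareLink(raw) {
  const verdict = classifyShareTarget(raw);
  if (!verdict.ok) {
    throw new Error("refusing to build share link: " + verdict.reason);
  }
  return SHARE_ENDPOINT + "?url=" + encodeURIComponent(verdict.url);
}

// Constructed samples: the URL reported in the thread, a well-formed
// variant on a placeholder host, and a non-web scheme.
const SAMPLES = [
  "http://www.pitchero.com/clubs/stockport/j/team-news-1249.html&news_id=247910",
  "http://example.com/news.html?news_id=1&page=2",
  "javascript:void(0)",
];

function runSamples() {
  return SAMPLES.map((s) => {
    const verdict = classifyShareTarget(s);
    return verdict.ok ? "ok" : verdict.reason;
  });
}

console.log(runSamples());
```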
Re: [twitter-dev] Exposing IP addresses for legal threats
On Tue, Jan 4, 2011 at 6:39 AM, Felipe Knorr Kuhn fkn...@gmail.com wrote: Hello everyone, Although this is probably not the best list to discuss this, perhaps you guys have some experience to share. A friend of mine is being threatened by a Twitter user via DMs and public messages. He doesn't know the identity of the user and thought about tracking him via the IP he uses to post to Twitter. Have your friend report the user to our Trust and Safety team. With regards to private user data, such as IP addresses: Private information requires a subpoena or court order In accordance with our Privacy Policy https://twitter.com/privacy and Terms of Service https://twitter.com/tos, non-public information about Twitter users is not released unless we have received a subpoena, court order, or other valid legal process document. Some information we store is automatically collected, while other information is provided at the user’s discretion. Though we do store this information, it may not be accurate if the user has created a fake or anonymous profile. Twitter doesn’t require email verification or identity authentication. See here for reporting guidelines and our Abusive user policy http://support.twitter.com/articles/15794 -john
Re: [twitter-dev] Re: Different crossdomains for a0.twimg.com a2.twimg.com, a3 etc
a0 through a4 should offer identical crossdomain.xml files. They are all going through a CDN, so it might be the case that the CDN endpoint you are hitting has a stale file. I just checked all of the CDN endpoints from here and they are returning the same data. Try again? -john On Wed, Dec 15, 2010 at 5:20 PM, WildFoxMedia wildfoxme...@gmail.com wrote: I'm currently seeing the same issue, however, in completely reverse. As of this moment, a0 a1 are not allowing other domains and a2 a3 are allowing all domains. The other day, all 4 were not allowing other domains. Is there any reason or rhyme for this and more importantly, what is the expectation? Are we supposed to be able to make calls from Flash for profile images or not? On Nov 28, 3:57 pm, stephen sno...@bcm.com.au wrote: Hey, It appears the crossdomains for a2, a3, etc are different and are preventing flash from accessing profile images on these domains. a0 and a1 are fine, however the api returns profile image urls using all of these domains (a0 - a?). Are the crossdomains supposed to be all the same or are we supposed to target only the first two? From the few that I've tested, it seems all profile images are accessible through the a0 or a1 domains despite what the api returns.
Crossdomains http://a0.twimg.com/crossdomain.xml http://a1.twimg.com/crossdomain.xml http://a2.twimg.com/crossdomain.xml http://a3.twimg.com/crossdomain.xml Stephen
Re: [twitter-dev] Re: Not able to connect to twitter through Google Appengine, getting Timeouts
The way that Google App Engine handles outbound connections is that many applications share and reuse outbound IPs from a proxy pool. This makes rate limiting much harder and determination of where abuse is sourcing from difficult to determine. The request timing out issue you're experiencing means that there are (possibly) still some IPs out of GAE that are being blocked, or some of your requests are failing. I'll have another look through our system. -j On Mon, Sep 27, 2010 at 11:09 PM, nischalshetty nischalshett...@gmail.com wrote: @John thanks a lot. 2 things : 1. Requests are still timing out though at a lesser rate, I guess this should die down in some time? 2. Can we prevent this from happening? I know apps from GAE end up misusing the API and your algo blocks the IP. But, won't you be able to whitelist the good apps? So that the next time there is an IP block, the calls where a registered app sends requests, you can allow it to go through? -Nischal On Sep 28, 10:49 am, John Adams j...@twitter.com wrote: We talked with GAE and have resolved this issue. -j On Mon, Sep 27, 2010 at 7:06 PM, nischalshetty nischalshett...@gmail.com wrote: Hi John, Just got news from appengine that it is being blocked. http://twitter.com/app_engine/status/25743996553 Can you please have a check? It must be the blocking issue, had one a few months back for Appengine apps. Seems to work fine on my local dev environment. -N On Sep 28, 6:49 am, John Adams j...@twitter.com wrote: We're not currently blocking google app engine; Could you pass along some source IPs and we'll research? -john On Mon, Sep 27, 2010 at 6:25 PM, nischalshetty nischalshett...@gmail.com wrote: My app http://www.justunfollow.com is not able to connect to Twitter from the Google Appengine. I had faced this problem a few months ago where you guys found out that the appengine IPs were being blocked due to some rogue app. Please help, thousands of my users are getting timeout errors!
Re: [twitter-dev] Not able to connect to twitter through Google Appengine, getting Timeouts
We're not currently blocking google app engine; Could you pass along some source IPs and we'll research? -john On Mon, Sep 27, 2010 at 6:25 PM, nischalshetty nischalshett...@gmail.com wrote: My app http://www.justunfollow.com is not able to connect to Twitter from the Google Appengine. I had faced this problem a few months ago where you guys found out that the appengine IPs were being blocked due to some rogue app. Please help, thousands of my users are getting timeout errors!
Re: [twitter-dev] Re: Not able to connect to twitter through Google Appengine, getting Timeouts
We talked with GAE and have resolved this issue. -j On Mon, Sep 27, 2010 at 7:06 PM, nischalshetty nischalshett...@gmail.com wrote: Hi John, Just got news from appengine that it is being blocked. http://twitter.com/app_engine/status/25743996553 Can you please have a check? It must be the blocking issue, had one a few months back for Appengine apps. Seems to work fine on my local dev environment. -N On Sep 28, 6:49 am, John Adams j...@twitter.com wrote: We're not currently blocking google app engine; Could you pass along some source IPs and we'll research? -john On Mon, Sep 27, 2010 at 6:25 PM, nischalshetty nischalshett...@gmail.com wrote: My app http://www.justunfollow.com is not able to connect to Twitter from the Google Appengine. I had faced this problem a few months ago where you guys found out that the appengine IPs were being blocked due to some rogue app. Please help, thousands of my users are getting timeout errors!
Re: [twitter-dev] Tweet button SSL
At the moment SSL tweet buttons are unsupported. -j On Thu, Sep 9, 2010 at 3:23 PM, Jordan McKible jmcki...@gmail.com wrote: As far as I can tell, the Tweet button javascript does not work on https pages without warnings. Chrome in particular gives one of those big red page warnings involving an Akamai domain. Is there a way to use the tweet button on https pages, or is that unsupported?
Re: [twitter-dev] Re: REST API Limits going down
Whitelisting only affects your rate limits. It does not remove authentication or change security requirements. -j On Thu, Aug 26, 2010 at 9:09 AM, David Toussaint david.toussa...@azionare.de wrote: Thanks! I am aware of that switch already but I was not aware that it is necessary to use any authentication method if the IP is whitelisted. On 26 Aug., 17:58, Nik Fletcher nik.fletc...@gmail.com wrote: Are you using OAuth for your application? If not, the wind-down of Basic auth is probably the reason for this decrease - and you'll be without Basic Auth at the end of the month http://countdowntooauth.com/ -N On Aug 26, 4:49 pm, David Toussaint david.toussa...@azionare.de wrote: Hi, My company is offering a regional tweet-monitoring tool (http://twittercrawl.de) and is collecting all tweets from Germany. For doing this we decided to use the REST API and got our IP-Address whitelisted a little while ago. Everything is working fine except that we are getting reduced API-limits on the REST API for some days now. Instead of being allowed to post 20k requests the number is going up and down from 16k to 2.6k to 6k and so on. Unfortunately we are really depending on those 20k API requests per hour and are now wondering what could be the reason for that? Any help is appreciated! Thanks a lot, David
Re: [twitter-dev] Twitter 140 character limit break
I filed a bug with our webclient team. Thanks for finding this. -john On Sat, Aug 14, 2010 at 12:43 PM, Tom van der Woerdt i...@tvdw.eu wrote: On 8/14/10 9:29 PM, Tom van der Woerdt wrote: On 8/14/10 9:27 PM, Chris White wrote: It appears that the new twitter share link can be used to break the 140 character limit. Basically in Firefox you can do this: 1) In the URL bar enter http://twitter.com/share?url=Some over 140 character text 2) Hit enter 3) On the resulting page click Tweet 4) View in web and notice the limit broken I'm not sure if clients can handle this, but it could turn into a pretty nasty annoyance for users of web if it continues. Might be a good idea to have it looked at. I'm assuming a simple check to verify it's a valid URL would suffice. Just tested it - yes, you are right. How clients handle it? Well, very simple, they simply display a t.co URL. Should be some more checks on the URL though, I agree. Tom One more note, You can't visit a page that has a long link on it. @barthoekstra and I (@tvdw) just tested this - I posted 5 paragraphs of the well-known lorem ipsum (don't worry, deleted after a few seconds) but his timeline started saying Something is technically wrong. I removed my tweet and it was fine again. He then posted an url as well but now he can't remove it anymore. I am assuming that all his ~1500 followers can't use the timeline anymore at the moment. Proof: http://twitter.com/barthoekstra Tom
Re: [twitter-dev] Twitter site URL hijacks my sharepoint portal page
On Thu, Jul 29, 2010 at 4:29 AM, Hemanth hemant...@gmail.com wrote: I have a sharepoint portal page with few web parts. One of these web parts is a sharepoint page viewer web part. When I configure the page viewer web part with the URL www.twitter.com and click on OK button, my portal page is hijacked and redirected to twitter home page. I am not able to open and edit my portal page now. As soon as I open my portal page in IE, it redirects to twitter page. I am using IE 8. Twitter employs some frame-busting code to defeat using the site in an IFRAME. This is intended to stop click jacking attacks and may be the root cause of this behavior. -j
Re: [twitter-dev] Hosted proxy server service?
Setting up an open (or private) proxy in an attempt to get around our rate limits will possibly result in your application or IP being banned. The rate limits are there so that everyone can share the service. -j On Fri, Jul 23, 2010 at 9:07 AM, Ryan W rwilli...@gmail.com wrote: I've given up trying to get anything done with Twitter Search API from Google App Engine because of the rate limiting. Are there any services that provide just proxy hosting, where I can pay a few bucks a month to get a dedicated IP and proxy server running? I'd like to keep it simple and avoid the full VPS option, but it's difficult to wade through the noise when googling to see if such a service exists. Looks like most VPS providers charge $2/month for a dedicated IP. Somebody with an existing VPS could even offer such a service.
Re: [twitter-dev] Re: Not able to connect to twitter API from Google Appengine
Please post or forward your app's IP range so we can investigate. Thanks. -j On Fri, Jul 23, 2010 at 11:50 AM, nischalshetty nischalshett...@gmail.com wrote: Alrite, I can see intermittent errors. So all's not well yet... -Nischal On Jul 23, 11:35 pm, nischalshetty nischalshett...@gmail.com wrote: Oh my GOD! I can see it working! Yippe Thank you so much. A post or update on what caused the issue would be welcome! -Nischal On Jul 23, 9:51 pm, Greg Jones psycle@gmail.com wrote: Hi Taylor, It doesn't connect to either http or https. Happy to help testing anything else...app's not live yet, but was a bit of a scare this morning! cheers, Greg On Jul 23, 5:32 pm, nischalshetty nischalshett...@gmail.com wrote: @Taylor The problem is even with the simple search request. So basically it's for all API calls to twitter. -Nischal On Jul 23, 8:56 pm, Taylor Singletary taylorsinglet...@twitter.com wrote: Hey all, We're still looking into this. To help us eliminate some possible issues, can someone who's working behind the Google App Engine IP addresses attempt to connect to both http://api.twitter.com/oauth/request_token and https://api.twitter.com/...know if you're seeing a difference between the two? (I'm trying to rule out that the SSL wildcard certificate is to blame or not). Thanks, Taylor On Fri, Jul 23, 2010 at 7:45 AM, nischalshetty nischalshett...@gmail.com wrote: @Taylor Ah! You're my hero! I've been frantically trying to get in touch with anyone and everyone over twitter and google app engine. The App engine folks are yet to read the long thread I've started in their forum. I hope if the issue is on your end you find a fix soon. It's been well over 15-20 hours since my app has been unusable, it hurts! -Nischal On Jul 23, 7:06 pm, Taylor Singletary taylorsinglet...@twitter.com wrote: Hi folks on Google App Engine experiencing difficulties, We're looking into it!
Taylor On Fri, Jul 23, 2010 at 3:13 AM, Livid v2ex.li...@me.com wrote: I'm getting the same error for my community (with a built-in Twitter OAuth client) running on GAE:http://v2ex.appspot.com Traceback (most recent call last): File /base/python_runtime/python_lib/versions/1/google/appengine/ ext/webapp/__init__.py, line 511, in __call__ handler.get(*groups) File /base/data/home/apps/v2ex/1.343564127440067233/t.py, line 157, in get statuses = twitter.GetHomeTimeline(count = 100) File /base/data/home/apps/v2ex/1.343564127440067233/twitter/ twitter.py, line 1451, in GetHomeTimeline json = self._FetchUrl(url, parameters=parameters) File /base/data/home/apps/v2ex/1.343564127440067233/twitter/ oauthtwitter.py, line 101, in _FetchUrl url_data = opener.open(url).read() File /base/python_runtime/python_dist/lib/python2.5/urllib2.py, line 381, in open response = self._open(req, data) File /base/python_runtime/python_dist/lib/python2.5/urllib2.py, line 399, in _open '_open', req) File /base/python_runtime/python_dist/lib/python2.5/urllib2.py, line 360, in _call_chain result = func(*args) File /base/python_runtime/python_dist/lib/python2.5/urllib2.py, line 1115, in https_open return self.do_open(httplib.HTTPSConnection, req) File /base/python_runtime/python_dist/lib/python2.5/urllib2.py, line 1080, in do_open r = h.getresponse() File /base/python_runtime/python_dist/lib/python2.5/httplib.py, line 197, in getresponse self._allow_truncated, self._follow_redirects) File /base/python_runtime/python_lib/versions/1/google/appengine/ api/urlfetch.py, line 241, in fetch return rpc.get_result() File /base/python_runtime/python_lib/versions/1/google/appengine/ api/apiproxy_stub_map.py, line 501, in get_result return self.__get_result_hook(self) File /base/python_runtime/python_lib/versions/1/google/appengine/ api/urlfetch.py, line 325, in _get_fetch_result raise DownloadError(str(err)) DownloadError: ApplicationError: 2 It was fine several days ago. 
On Jul 23, 2:15 pm, nischalshetty nischalshett...@gmail.com wrote: My app http://www.justunfollow.com is just not able to connect to twitter from Google Appengine. It's most probably an app engine issue (none of the app engine apps seem to be able to connect to twitter), but nevertheless I'm writing here to see if it so happened that twitter has blocked access to app engine. The error says : Could not fecth URL for http calls made to twitter from
Re: [twitter-dev] Re: Not able to connect to twitter API from Google Appengine
About thirty minutes ago we lifted all of the blocks on Google App engine IPs; You should no longer have issues connecting from GAE to us. -j On Fri, Jul 23, 2010 at 3:06 PM, Marco Gomes mvtgo...@gmail.com wrote: I am with same problema, DownloadError: ApplicationError: 2 On both my GAE apps: http://apoiomaisfeliz.appspot.com/ http://apoio.minhamarina.org.br/ Can Twitter API block the proxy farm without stopping our permitted apps? On Jul 23, 4:26 pm, Taylor Singletary taylorsinglet...@twitter.com wrote: Hi Everyone, Here are the details on the issues with Google App Engine. Twitter blocked a portion of the GAE network because an unknown user set up a large proxy farm, forwarding large amounts of traffic to twitter.com. This was probably an attempt to avoid our rate limits, which is against the Twitter terms of service, among other privacy and security issues. We recognize that those in shared hosting environments like Google App Engine are often held hostage by the actions of their peers and will continue to investigate ways that we can deal with issues like this without necessarily cutting off all traffic from a shared hosting services, but those operating under such circumstances should be aware that this kind of blacklisting will occur from time to time. If you continue to experience issues with your Google App Engine application, please reply to this thread with a link to your application, and, if possible, the IP address from which your remote requests are originating. Thanks, Taylor On Fri, Jul 23, 2010 at 12:08 PM, nischalshetty nischalshett...@gmail.com wrote: @John It's hosted on the Google Appengine. I guess you guys are already on it to fix the issue. -Nischal On Jul 23, 11:55 pm, John Adams j...@twitter.com wrote: Please post or forward your app's IP range so we can investigate. Thanks. -j On Fri, Jul 23, 2010 at 11:50 AM, nischalshetty nischalshett...@gmail.comwrote: Alrite, I can see intermittent errors. So all's not well yet... 
-Nischal On Jul 23, 11:35 pm, nischalshetty nischalshett...@gmail.com wrote: Oh my GOD! I can see it working! Yippe Thank you so much. A post or update on what caused the issue would be welcome! -Nischal On Jul 23, 9:51 pm, Greg Jones psycle@gmail.com wrote: Hi Taylor, It doesn't connect to either http or https. Happy to help testing anything else...app's not live yet, but was a bit of a scare this morning! cheers, Greg On Jul 23, 5:32 pm, nischalshetty nischalshett...@gmail.com wrote: @Taylor The problem is even with the simple search request. So basically it's for all API calls to twitter. -Nischal On Jul 23, 8:56 pm, Taylor Singletary taylorsinglet...@twitter.com wrote: Hey all, We're still looking into this. To help us eliminate some possible issues, can someone who's working behind the Google App Engine IP addresses attempt to connect to both http://api.twitter.com/oauth/request_token and https://api.twitter.com/...know if you're seeing a difference between the two? (I'm trying to rule out that the SSL wildcard certificate is to blame or not). Thanks, Taylor On Fri, Jul 23, 2010 at 7:45 AM, nischalshetty nischalshett...@gmail.com wrote: @Taylor Ah! You're my hero! I've been frantically trying to get in touch with anyone and everyone over twitter and google app engine. The App engine folks are yet to read the long thread I've started in their forum. I hope if the issue is on your end you find a fix soon. It's been well over 15-20 hours since my app has been unusable, it hurts! -Nischal On Jul 23, 7:06 pm, Taylor Singletary taylorsinglet...@twitter.com wrote: Hi folks on Google App Engine experiencing difficulties, We're looking into it!
Taylor On Fri, Jul 23, 2010 at 3:13 AM, Livid v2ex.li...@me.com wrote: I'm getting the same error for my community (with a built-in Twitter OAuth client) running on GAE:http://v2ex.appspot.com Traceback (most recent call last): File /base/python_runtime/python_lib/versions/1/google/appengine/ ext/webapp/__init__.py, line 511, in __call__ handler.get(*groups) File /base/data/home/apps/v2ex/1.343564127440067233/t.py, line 157, in get statuses = twitter.GetHomeTimeline(count = 100) File /base/data/home/apps/v2ex/1.343564127440067233/twitter/ twitter.py, line 1451, in GetHomeTimeline json = self._FetchUrl(url, parameters=parameters) File /base
Re: [twitter-dev] Re: New SSL certificate issue with WTK 2.5.2
The mobile site has used a wildcard certificate for the last two years; Did you recently begin experiencing this issue or was your code working in the past? -j On Thu, Jul 22, 2010 at 6:43 AM, bjcoredev jme...@gmail.com wrote: It seems that SUN WTK 2.5.2 doesn't accept wildcard certificates I hope that mobile platforms accept wildcard SSL certificates. If this is not the case, it will make twitter xAuth/oAuth unusable Regards On Jul 22, 14:57, bjcoredev jme...@gmail.com wrote: Hi My mobile app logged to twitter using xAuth and was working like a charm until the last SSL certificate changed (see http://groups.google.com/group/twitter-development-talk/browse_thread...) My app logs correctly with the new certificate on real device (N97) but failed with the 2.5.2 Sun Wireless Toolkit which I use to develop my app. When I request token with the url (with all the parameters needed): https://api.twitter.com/oauth/access_token I get the following error message relative to the SSL certificate: Subject alternative name did not match site name It seems that the SSL certificate doesn't match the host name (api.twitter.com) I can't now no longer code and test my app on the computer Help !!! I repeat: All was working fine before the SSL certificate change on the 21/07/2001 1AM GMT. Regards
Re: [twitter-dev] Re: New SSL certificate issue with WTK 2.5.2
Unfortunately, the current situation is that api.twitter.com is on a wildcard certificate. We have plans to move it to a fixed SSL certificate in the near future, but no definite date yet. -j On Thu, Jul 22, 2010 at 11:50 AM, bjcoredev jme...@gmail.com wrote: My app doesn't use the mobile site. My twitter client is written in J2ME (Java Micro Edition) and is not using the mobile site but the Twitter API. I'm coding my client with WTK 2.5.2 Sun Wireless Toolkit (like many other Java mobile developers) and since the 21/07/2001 1AM GMT my app running under WTK can't access the url https://api.twitter.com/oauth/access_token because the WTK CAN'T HANDLE WILDCARD SSL certificates. returning the error: Subject alternative name did not match site name. I've read that real (real devices opposite to the emulator) mobile JAVA platforms (Sony Ericsson, WM 5.0,..) don't accept wildcard SSL certificates so twitter clients using twitter API written in J2ME running under these platform can't access the url https://api.twitter.com/oauth/access_token anymore so can't process xAuth authentication which will be mandatory on 15 august So . On 22 Jul, 20:20, John Adams j...@twitter.com wrote: The mobile site has used a wildcard certificate for the last two years; Did you recently begin experiencing this issue or was your code working in the past? -j On Thu, Jul 22, 2010 at 6:43 AM, bjcoredev jme...@gmail.com wrote: It seems that SUN WTK 2.5.2 doesn't accept wildcard certificates I hope that mobile platforms accept wildcard SSL certificates. If this is not the case, it will make twitter xAuth/oAuth unusable Regards On 22 Jul, 14:57, bjcoredev jme...@gmail.com wrote: Hi My mobile app logged to twitter using xAuth and was working like a charm until the last SSL certificate changed (see http://groups.google.com/group/twitter-development-talk/browse_thread...)
My app logs correctly with the new certificate on real device (N97) but failed with the 2.5.2 Sun Wireless Toolkit which I use to develop my app. When I request token with the url (with all the parameters needed): https://api.twitter.com/oauth/access_token I get the following error message relative to the SSL certificate: Subject alternative name did not match site name It seems that the SSL certificate doesn't match the host name (api.twitter.com) I can't now no longer code and test my app on the computer Help !!! I repeat: All was working fine before the SSL certificate change on the 21/07/2001 1AM GMT. Regards
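The mismatch reported in this thread ("Subject alternative name did not match site name" for api.twitter.com behind a wildcard certificate), as an added example that is not part of the original messages: a small matcher for SAN dNSName entries that can run with or without wildcard support. The SAN list is constructed; the thread only states that api.twitter.com was served with a wildcard certificate.

```python
"""Added example: matching a host name against certificate SAN dNSName entries."""
import ipaddress


def _labels(name):
    # DNS names compare case-insensitively; a trailing dot is the root label.
    return name.rstrip(".").lower().split(".")


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def san_matches(pattern, host, allow_wildcard=True):
    """Return True if one SAN dNSName entry covers the requested host."""
    if _is_ip(host):
        # IP literals are checked against iPAddress SANs, never dNSName ones.
        return False
    p, h = _labels(pattern), _labels(host)
    if "*" not in pattern:
        return p == h
    if not allow_wildcard:
        # Models a client with no wildcard support, as described for WTK 2.5.2.
        return False
    # The wildcard must be the entire leftmost label and appear nowhere else.
    # This sketch rejects partial-label forms such as "a*.example.com".
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    # Simplified guard against over-broad patterns such as "*.com".
    if len(p) < 3:
        return False
    # "*" stands for exactly one non-empty label: same depth, same suffix.
    return len(p) == len(h) and h[0] != "" and p[1:] == h[1:]


def verify_host(san_entries, host, allow_wildcard=True):
    """True if any SAN entry on the certificate covers the host."""
    return any(san_matches(s, host, allow_wildcard) for s in san_entries)


# Constructed SAN list for illustration only.
WILDCARD_CERT_SANS = ["*.twitter.com", "twitter.com"]

if __name__ == "__main__":
    for wildcard_ok in (True, False):
        ok = verify_host(WILDCARD_CERT_SANS, "api.twitter.com", wildcard_ok)
        print("wildcard support:", wildcard_ok, "-> api.twitter.com accepted:", ok)
```

A client that fails this way should be fixed or given a non-wildcard certificate to talk to; turning host name verification off to get past the error removes the protection the certificate is there to provide.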
Re: [twitter-dev] api.twitter.com SSL cert expiring on 7-27-2010?
We have renewed the existing wildcard certificate and will be deploying it soon to api.twitter.com and oauth.twitter.com. It's from the same vendor, so there should be no issues. -j On Fri, Jul 16, 2010 at 11:26 AM, Carlos carlosju...@gmail.com wrote: After getting SSL errors on Windows Mobile 6.0 with connections to api.twitter.com due to that OS not having that cert installed, I started up firefox and connected to https://api.twitter.com and noticed this see screenshot http://twitpic.com/25ultr/full It's listed as expiring on 7/27/2010. I'm sure that twitter is aware of this and planning a cert change but since it's less than 2 weeks away I thought I'd bring it up just in case. Also, will the new cert be trusted by default on most current mobile OSes? -Carlos
Re: [twitter-dev] SSL Cert not working on a1.twimg.com
What the main site currently does is to provide SSL images directly from s3 when a user is on https and to provide images over our CDN (twimg.com) when using a non-ssl connection. i.e.: https://s3.amazonaws.com/twitter_production/profile_images/64195496/IMG_1875_normal.JPG vs. http://a1.twimg.com/profile_images/64195496/IMG_1875_normal.JPG This may change in the future if we put a valid cert on twimg.com, though. -j On Mon, Jul 12, 2010 at 6:42 AM, Amir finda...@gmail.com wrote: Hi, We are trying to use https for twitter images but the certs seem to be broken. https://a1.twimg.com/profile_images/517692382/box_normal.jpg Can someone confirm that is going to be fixed or if it's an already known bug?
Re: [twitter-dev] Re: New attack/Phish going on?
Twitter Trust Safety has been notified and will be dealing with this issue. -j On Mon, Jul 12, 2010 at 3:06 PM, Jann Gobble janngob...@gmail.com wrote: We (at Barracuda Networks) have investigated and blocked both of these domains for our customer base because of the type/number of links we have seen. ...if that means anything to those who are asking. Jann Gobble jgob...@barracuda.com On Jul 12, 2010, at 2:44 PM, @IDisposable wrote: As further information, supportcenter-twitter.com was registered TODAY and man-plus.com was registered on the 28th of June... I smell a phish. On Jul 12, 4:40 pm, @IDisposable idisposa...@gmail.com wrote: We've seen a huge increase in links coming in for http://*.man-plus.com or http://supportcenter-twitter.com domains in the last couple hours... Given the name, and the fact that those domains are not reliably resolving, I wonder if a Phish is ongoing Are any Twitter folks or other API users seeing this? Marc http://stltweet.com
Re: [twitter-dev] tco crawler details
t.co is not a crawler; Are you referring to the URL unpacking process or something else? -john On Thu, Jun 10, 2010 at 11:46 PM, Ken k...@cimas.ch wrote: If tco is to be the new three-letter agency and gatekeeper, we would like to treat it nice and whitelist its crawler. If tco is inadvertently blocked, what happens? I do not know if we have already been checked by tco as I have not sent or received a dm with one of our own URLs. What are the user-agent and IP addresses used by this crawler? Does it check robots.txt? And since, for some, a tco thumbsdown could be a problem, is there a (speedy) appeals process?
Re: [twitter-dev] Window.open twitter.com doesnt work in IE6
There is a fair amount of framebusting code and anti-XSRF/CSRF code designed to stop Twitter from being opened in a popup window or IFRAME. That might be what's blocking such requests. -j On Fri, Jun 4, 2010 at 12:11 AM, tweetphp zubi...@gmail.com wrote: This simple javascript code does not work in IE6: window.open('http://twitter.com', '', 'resizable,scrollbars') Can anybody help?
Re: [twitter-dev] Encrypted data over Twitter
I think you're referring to ITAR, most of which was repealed in 1997. Until 1996–1997, ITAR classified strong cryptography as arms and prohibited their export from the U.S. Times have changed quite a bit since then. I don't speak for our terms of service group, and this is by no means an official statement, but I do think that passing encrypted traffic in public tweets would be fairly antisocial and against the spirit of the service. -john On Wed, May 26, 2010 at 10:09 AM, M. Edward (Ed) Borasky zn...@borasky-research.net wrote: Quoting bujanga buja...@gmail.com: Just curious. Which laws would be violated? There are numerous US laws governing encryption technologies. I'm not familiar with them in detail but mostly they attempt to restrict access to the technologies to just our closest allies.
Re: [twitter-dev] [OT] new ssl-cert for twitter.com?
On Thu, May 13, 2010 at 10:37 AM, kuhkatz kuhk...@googlemail.com wrote: i got a new ssl-cert from twitter.com today, which looks suspicious to me, but i am not sure. issue date: 26.05.2009 valid until: 28.05.2010 The twitter.com cert, as assigned by Equifax/RapidSSL is about to expire and we are going to upgrade (in the next day or two) to a Verisign Class 3 EV Cert for twitter.com. On api.twitter.com, the cert will expire on July 26th, and we are upgrading that certificate as well. We are also deprecating the use of SSLv2 and will remove that cipher from our supported cipher list, asking anyone who connects via SSL to use SSLv3 or TLS. i am unsure about its validity because of the very short validity date around two weeks, and because my firefox now shows the twitter.com page as 'completely encrypted' which was 'encrypted with cleartext parts' until now. can anyone confirm if this is a valid cert from twitter.com or if something fishy is going on? It's valid, for the next couple of weeks. -john -- John Adams Twitter Operations
Re: [twitter-dev] Re: Chirp Streaming API Slides -- Streaming API Architecture Thinking In Streams
On Apr 27, 2010, at 10:51 AM, Jonathon Hill wrote: Awesome! I've been looking forward to it. Any word on the other's slides? I was told they would all be posted after @chirp. Many slides from Chirp are on www.slideshare.net Mine's here: http://www.slideshare.net/netik/billions-of-hits-scaling-twitter The rest are available through a search: http://www.slideshare.net/search/slideshow?q=chirp -j
Re: [twitter-dev] IP temp banned??
On Jan 14, 2010, at 10:49 AM, Ryan Rosario wrote: I have noticed a strange problem when I started executing API requests in parallel. After some time, my machine cannot ping twitter.com and my operations stall. Other machines have no problem with Twitter.com at the same time. I am not exhausting my hourly limit, and even if I were, I have code that waits until the next hour. In other words, as far as I know, I am not hammering the Twitter servers. Has anyone else had this problem? Is my IP being temp banned or something? If so, how can I prevent this from happening in the future? This might be at the ISP level; It's certainly not the way that we ban hosts. For example, there are some firewalls/IPS systems that will block outbound traffic when met with repeated attempts to access the same IP. If you hit a dynamic rate limit, all of the dynamic rate limits will still allow you to connect and we'll send you a status indicating that we've rate-limited you. If we find it necessary to ban an IP or IP Block, we will block all traffic from the IP for an extended amount of time, and not in the on-off way that you are experiencing. -j --- John Adams (@netik) Twitter Operations j...@twitter.com http://twitter.com/netik
Re: [twitter-dev] Re: What You Put In Not The Same As What You Get Back Out
On Dec 30, 2009, at 4:21 PM, Kyle Mulka wrote: My application uploads a background image on a user's behalf. I want to be able to figure out if they are still using the background image at some future point in time. The filename might work as a test for this, instead of the computationally expensive MD5 on an image hack. We still retain the original file (basename) on images. -j --- John Adams (@netik) Twitter Operations j...@twitter.com http://twitter.com/netik
Re: [twitter-dev] crossdomain.xml stoped working
On Dec 28, 2009, at 2:53 AM, Drekey wrote: My company developed a small Flash/AS3 app that pulled some twitts and twitters from twitters. All was working well even when we put it online, so the http://static.twitter.com/crossdomain.xml should be allowing by then. Our crossdomain.xml file has the proper settings in it, and it has not changed in quite some time. lapintosh:bin jna$ curl http://static.twitter.com/crossdomain.xml ?xml version=1.0 encoding=UTF-8? cross-domain-policy xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance xsi:noNamespaceSchemaLocation=http://www.adobe.com/xml/schemas/PolicyFile.xsd allow-access-from domain=twitter.com / allow-access-from domain=api.twitter.com / allow-access-from domain=search.twitter.com / allow-access-from domain=static.twitter.com / site-control permitted-cross-domain-policies=master-only/ allow-http-request-headers-from domain=*.twitter.com headers=* secure=true/ Do you see the same results when you curl? -john
Re: [twitter-dev] 168.143.162.36... Connection timed out
On Dec 20, 2009, at 9:17 AM, shiplu wrote: Used all these ips. 128.121.146.100 128.121.146.228 128.121.243.228 168.143.161.20 168.143.162.116 168.143.162.36 168.143.162.52 168.143.162.68 168.143.171.84 It is possible your IP or network was blacklisted on our routers or firewalls. Could you email me your source IP and I can check in our lists for you? Thanks. chrisLiveFyre, post your IP as well and we'll research. -john Twitter Operations
Re: [twitter-dev] Retweet is gone from the web page with no entry on the status page
On Dec 3, 2009, at 1:09 AM, M. Edward (Ed) Borasky wrote: It looks like the retweet capability on the standard Twitter web interface has been turned off. I didn't see an entry on the Twitter status page about this. Did I miss an announcement? Retweet should be back on now, Sorry for the confusion. -john Operations
[twitter-dev] Re: Bad ssl certs on some servers for api.twitter.com/1 ?
On Nov 17, 2009, at 10:50 AM, David Dellanave wrote: Could this be related to when an API request returns raw HTML like the over-loaded page? That would be my first guess. SSL/TLS negotiation happens much earlier in the transaction, so no, raw HTML is not a cause of this. -john
[twitter-dev] Re: Bad ssl certs on some servers for api.twitter.com/1 ?
On Nov 15, 2009, at 1:16 PM, Tim Haines wrote: Hi there, I'm doing some dev work and I'm getting occasional ssl errors when making calls against api.twitter.com/1. The most recent was posting to favorites/create. Is it possible some of the servers have bad certificates? Or is it likely I'm doing something very wrong? All of our servers have the same certificates; We have had some people report a similar issue before and we verified all of the certificates at that time. I do know of people having validation issues when they don't have current versions of OpenSSL, a current Root CA bundle, or their code has problems processing chained SSL certificates. Which program are you using to make requests against api.twitter.com? curl? Firefox? Twitter's SSL certs are issued by RapidSSL/Equifax. Make sure you have the proper root CA certs installed. If you're using OpenSSL libraries directly, remember that OpenSSL ships without any Root CA certs installed. Curl users will have similar problems as well -- you'll want to run mk-ca-bundle to get the proper ca-bundle installed. The TTYtter developers have a script that pulls the current CA bundle from Mozilla, here: http://www.floodgap.com/software/ttytter/mk-ca-bundle.txt -john
[twitter-dev] Re: api.twitter.com not returning compressed data
On Thu, Nov 5, 2009 at 8:20 PM, Marcel Molina mar...@twitter.com wrote: We've confirmed this and reported it to our operations team. We've identified the problem and are actively fixing it. Thanks for the detailed report. I'll let you know when the gzip compression is restored. This configuration has been fixed as of 1:30AM PST. -- John Twitter Ops
[twitter-dev] Re: Suspended account?
On Oct 31, 2009, at 7:04 PM, Zac Bowling wrote: http://twitter.com/suspended I'm seeing some profiles redirect to this. It looks like a user. Weird? It is a user, unfortunately. There was a small web server change in the way that suspended accounts are processed, and the normal suspended page will be shown again on Monday after we deploy some final changes to that system. -j
[twitter-dev] Re: Laying the foundation for API versioning
Could you let us know what errors you are seeing via SSL on api.twitter.com? I'd like to investigate. I do not see any SSL errors under Firefox and/or Safari on 10.5 nor 10.6. -j On Oct 16, 2009, at 1:00 AM, Marcel Molina wrote: I've alerted our ops team. Thanks for the heads up. On Fri, Oct 16, 2009 at 12:56 AM, Rich rhyl...@gmail.com wrote: I did notice though that api.twitter.com doesn't have a valid SSL certificate so any clients using the API over SSL will error out too. On Oct 16, 8:49 am, Marcel Molina mar...@twitter.com wrote: The OAuth endpoints aren't strictly speaking part of the REST API. http://api.twitter.com/oauth/authorize and family works at the api subdomain, but those paths aren't versioned (though maybe they should be...). As for search...one step at a time ;-) But thanks for noticing. On Fri, Oct 16, 2009 at 12:46 AM, Rich rhyl...@gmail.com wrote: Great news guys, I noticed that the search and oauth API's aren't in the version one API stream though. Is this intentional? -- Marcel Molina Twitter Platform Team http://twitter.com/noradio -- Marcel Molina Twitter Platform Team http://twitter.com/noradio -- John Adams Twitter Operations j...@twitter.com Follow me: @netik
[twitter-dev] Re: Stop playing around with Source parameters
This was patched yesterday afternoon. -j On Aug 25, 2009, at 11:38 PM, Costa Rica wrote: Hello Twitter, Any official word on this apparent vulnerability around the Source parameter and cross site scripting? http://www.davidnaylor.co.uk/massive-twitter-cross-site-scripting-vulnerability.html TCI On Aug 22, 9:46 am, Chad Etzel jazzyc...@gmail.com wrote: Hi All, We did not intend for the nofollow string to be included in API results. It is on our list to fix. In the meantime you will need to parse around it. Thanks, -Chad On Sat, Aug 22, 2009 at 11:20 AM, Costa Rica ticoconid...@gmail.com wrote: Thanks to all for your suggestions on how to parse, remove nofollows or extract the URL, but that's not the bottom line of my message. There are some source parameters that are posting automated crap constantly, and since I run a trending engine I continuously exclude these tweets. Yes I can parse and str replace and even base myself only on the URL, but the 2 side effects are that my processing time increases (a simple string compare vs a regex) - which becomes significant as I increase the volume I intend to process, and that the URL's themselves can easily change to workaround these filters. I will keep my simple compare - the sites are not that many and the processing toll of regex'ing this does not merit it - but I would appreciate some word from Twitter when the source parameter is being changed, or else some sourceid that is stable. R On Aug 21, 10:17 pm, TCI ticoconid...@gmail.com wrote: Recently you added nofollow's, and now you moved the nofollow after the href. Some of us filter these out and you changing them is only making it more complicated. Please make up your mind and stop changing these... a href=http://fun140.com/;Fun140/a a rel=nofollow href=http://fun140.com/;Fun140/a a href=http://fun140.com/; rel=nofollowFun140/a
[twitter-dev] Re: Twitpocalypse: The Second Coming is on the horizon
On Jul 31, 2009, at 3:37 PM, Josh Roesslein wrote: Well 64 bit should last for a while. Curious how long it will be until 128 bit will be required. Mathematica tells me: Fri 24 Sep 58821 22:55:00 I think you'll be fine for a long time at 64 bit. -john --- John Adams Twitter Operations j...@twitter.com http://twitter.com/netik
[twitter-dev] Re: Twitpocalypse: The Second Coming is on the horizon
On Jul 31, 2009, at 4:04 PM, Andrew Badera wrote: but why not go with 128 bit decimal/floating point precision datatypes to begin with, and never have this issue? if anyone says overhead I'm gonna whack 'em like a popup weasel. in this day and age of CPU cycles and RAM, you might as well go big or go home. Because none of us will be alive in the year 58,821. -john
[twitter-dev] Re: Geographical distribution / latency of api servers
On May 29, 2009, at 2:14 AM, jmathai wrote: What's the geographical distribution of the api servers? And, are requests routed to the nearest farm/colo? All servers are currently on the west coast. -j --- John Adams Twitter Operations j...@twitter.com http://twitter.com/netik
[twitter-dev] Re: Can Twitter please pick a From: and stick with it?
This is a bug introduced in the last deploy. We've all agreed on the VERP format, twitter-follow-emailname=domain@postmaster.twitter.com I'll follow up with engineering and file a bug. Sorry about this. -john On May 6, 2009, at 2:53 PM, TjL wrote: The email notifications for new followers used to come from (From:) Twitter nore...@twitter.com then it changed to Twitter twitter-follow-emailname=domain@postmaster.twitter.com then it changed to Twitter nore...@twitter.com again. Every time you do this, every single person using TwitReport has to change their filters, and I spend 2 weeks, at least, explaining to people why it stopped working, and some number of people probably assume that things are broken on my end and stop using it altogether. I'm not making a dime off of this project (nor do I want to), it's something that I'm doing to make Twitter a bit nicer to use, but having something as basic as this change twice and break the entire thing is a bit of a pain in the ass and a not-insignificant waste of time. So I hope that y'all will keep this one, since you've liked it enough to use it twice now :-) THAT SAID, I'm glad that the *format* of the notifications has improved. I certainly think that is the right way to go. - TjL --- John Adams Twitter Operations j...@twitter.com http://twitter.com/netik
[twitter-dev] Re: Can Twitter please pick a From: and stick with it?
nore...@twitter.com isn't the best choice because many mailers on the Internet refuse to acknowledge Errors-To: headers. Right now, because there is little industry consensus on how to properly handle a bounce (aside from send a message back to the Return-Path:) our VERP methodology on address is the best way that we can ensure our bounce processing mechanism is fired. If we don't process bounces, major ISPs will start to block us for excessive bad addresses, and then no one gets mail. Matt and I are working to push out proper addressing changes today, and we'll have this sorted shortly. -john On May 6, 2009, at 3:13 PM, TjL wrote: FWIW I think nore...@twitter.com is the right choice, it's certainly a lot easier for image display, etc. But it sounds like John Adams thinks this is going to change back. I hope this will be clarified. On Wed, May 6, 2009 at 5:58 PM, Matt Sanford m...@twitter.com wrote: Hi there, We had changed the from address to try and improve bounce reporting and prevent being marked as spam by major ISPs. When we added the HTML formatting we found that we needed a consistent address for the 'always display images' option in many clients so we changed things around again. Hopefully this will be the last change as it causes us a bunch of work as well. I'll keep an eye out for future changes and try and let people know. Thanks; – Matt Sanford / @mzsanford Twitter Dev On May 6, 2009, at 2:53 PM, TjL wrote: The email notifications for new followers used to come from (From:) Twitter nore...@twitter.com then it changed to Twitter twitter-follow-emailname=domain@postmaster.twitter.com then it changed to Twitter nore...@twitter.com again. Every time you do this, every single person using TwitReport has to change their filters, and I spend 2 weeks, at least, explaining to people why it stopped working, and some number of people probably assume that things are broken on my end and stop using it altogether.
I'm not making a dime off of this project (nor do I want to), it's something that I'm doing to make Twitter a bit nicer to use, but having something as basic as this change twice and break the entire thing is a bit of a pain in the ass and a not-insignificant waste of time. So I hope that y'all will keep this one, since you've liked it enough to use it twice now :-) THAT SAID, I'm glad that the *format* of the notifications has improved. I certainly think that is the right way to go. - TjL --- John Adams Twitter Operations j...@twitter.com http://twitter.com/netik
[twitter-dev] Re: Direct Message Emails Vulnerable?
On May 4, 2009, at 10:14 PM, Arik Fraimovich wrote: You're right. After doing a quick reading yesterday, I realized that I can configure Postfix to do these validations for me. The only reason I'm still considering doing the DomainKeys validation in my code is because I heard more than once that DomainKeys is still not stable enough and can cause problems. Having it in my code instead of Postfix configuration makes it more maintainable, isn't it? DK was abandoned by Yahoo awhile ago, but DKIM is very stable. Twitter runs DKIM signing and verification code on all of our mail servers, as does Google, Facebook, Yahoo, and many other major sites. With regards to maintainability, it depends if you're the admin, or the developer, I suppose. Both come with their own levels of associated work. -j --- John Adams Twitter Operations j...@twitter.com http://twitter.com/netik
[twitter-dev] Re: Direct Message Emails Vulnerable?
On May 4, 2009, at 12:02 AM, Dale Cook wrote: So my question is, is there anyway to authenticate that the email is actually coming from twitter and not someone else? It's pretty easy to prove the mail was sent from us. We use DomainKeys. Validate our domainkey signature at the top of the email, and if it doesn't validate, it's not from us. -j --- John Adams Twitter Operations j...@twitter.com http://twitter.com/netik
[twitter-dev] Re: Direct Message Emails Vulnerable?
On May 4, 2009, at 5:15 AM, Arik Fraimovich wrote: The from address is always of the form: twitter-dm-[name]=[domain]@postmaster.twitter.com, so if your email address is u...@example.com the from address will be: twitter-dm-user=example@postmaster.twitter.com. If you set the address to be something random and non public, like MD5(time)@yourdomain.com, it will make it hard to guess/fake. And then all you have to verify when receiving the email is the from address. Ah, but then your email address wouldn't be very human readable and you'd have to change your email address all the time (if you were using the current time as your MD5 seed.) Maybe using both methods will give you maximum security. @netik - would love to hear your opinion on that. Domain Keys is very secure, and easier than the address hack method you describe. You could also validate received: headers, or the originating message path if you don't want to implement domain keys. There exist many standard libraries to do so, though. -j --- John Adams Twitter Operations j...@twitter.com http://twitter.com/netik
[twitter-dev] Re: Direct Message Emails Vulnerable?
On May 4, 2009, at 1:28 PM, Arik Fraimovich wrote: The MD5(time) was just a suggestion for _one time_ generation of the mailbox name.. of course they can pick up something more readable, as long as they keep it private and unguessable. That's what I figured - I just wanted to indicate why it was a bad idea if the address was changing all the time. I guess you're right. It's time for me to google for domain keys. If you have any suggested reading material - feel free to post some links :) http://en.wikipedia.org/wiki/DomainKeys Also, while we send DK and DKIM, we will someday soon discontinue sending DomainKeys, and will only send DKIM. Code for DKIM. I do have to question having your client verify DKIM again, though. These activities should be dealt with inside of your MTA and not a mail destination script hanging off of the MTA. What exactly are you trying to protect against? A user forging an email to your MTA as twitter? That's defensible by fixing your MTA's configuration (to validate DKIM and SPF coming from twitter.com hosts) and not doing it in your script. --john --- John Adams Twitter Operations j...@twitter.com http://twitter.com/netik
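One way to follow the advice above and leave DKIM and SPF verification to the MTA, as an added example that is not part of the original messages: the delivery script only reads the verdict its own MTA recorded in the Authentication-Results header (RFC 8601). The authserv-id mx.example.org, the accepted signing domain and the three sample messages are assumptions constructed for illustration.

```python
"""Added example: trust the MTA's DKIM verdict instead of re-verifying in a script."""
import email
import re
from email import policy

AUTHSERV_ID = "mx.example.org"  # hypothetical: the identity your own MTA stamps
SENDER_DOMAIN = "twitter.com"   # assumption: signing and From domain to accept


def _in_domain(name):
    name = name.lower().rstrip(".")
    return name == SENDER_DOMAIN or name.endswith("." + SENDER_DOMAIN)


def parse_authres(value):
    """Return (authserv_id, [{'method', 'result', '<ptype.property>': value}])."""
    # Drop RFC 5322 comments first; they may themselves contain ';' or '='.
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    parts = [p.split() for p in value.split(";")]
    authserv_id = parts[0][0].lower() if parts[0] else ""
    results = []
    for tokens in parts[1:]:
        if not tokens or "=" not in tokens[0]:
            continue  # for example the bare "none" form
        method, _, result = tokens[0].partition("=")
        entry = {"method": method.lower(), "result": result.lower()}
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")
            if sep:
                entry[key.lower()] = val.lower()
        results.append(entry)
    return authserv_id, results


def is_from_twitter(raw_message):
    """True only if our MTA recorded dkim=pass for the sender's domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_hdr = msg["From"]
    if from_hdr is None or len(from_hdr.addresses) != 1:
        return False
    if not _in_domain(from_hdr.addresses[0].domain):
        return False
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authres(str(value))
        # Ignore verdicts stamped by anyone else. Assumes the MTA removes
        # inbound headers that already claim its own authserv-id.
        if authserv_id != AUTHSERV_ID:
            continue
        for r in results:
            if (r["method"] == "dkim" and r["result"] == "pass"
                    and _in_domain(r.get("header.d", ""))):
                return True
    return False


# Constructed sample messages.
_FROM = "From: Twitter <twitter-dm-user=example.com@postmaster.twitter.com>\n"
GENUINE = (
    "Authentication-Results: mx.example.org;\n"
    " dkim=pass (2048-bit key; unprotected) header.d=twitter.com header.s=sel1;\n"
    " spf=pass smtp.mailfrom=postmaster.twitter.com\n"
    + _FROM + "Subject: Direct message\n\nconstructed body\n"
)
UNSIGNED_FORGERY = (
    "Authentication-Results: mx.example.org; dkim=none;\n"
    " spf=fail smtp.mailfrom=postmaster.twitter.com\n"
    + _FROM + "Subject: Direct message\n\nconstructed body\n"
)
FOREIGN_STAMP = (
    "Authentication-Results: mx.example.org; dkim=pass header.d=bulk-sender.example\n"
    "Authentication-Results: mail.other.example; dkim=pass header.d=twitter.com\n"
    + _FROM + "Subject: Direct message\n\nconstructed body\n"
)

if __name__ == "__main__":
    for name in ("GENUINE", "UNSIGNED_FORGERY", "FOREIGN_STAMP"):
        print(name, is_from_twitter(globals()[name]))
```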
[twitter-dev] Re: http://twitter.com/home?status=thisusedtowork
On Apr 30, 2009, at 4:00 PM, Matt Sanford wrote: Hi there, We're working on getting that fix out right now. I was hoping we would get the fix pushed out and I could just re-cap after the fact :) Thanks; – Matt Sanford / @mzsanford Twitter Dev On Apr 30, 2009, at 2:51 PM, Dave Winer wrote: I happy to report that I have the new UI on my account and it's nice. However, apparently the status param is no longer recognized. http://twitter.com/home?status=thisusedtowork That would put thisusedtowork in the What are you doing? box. Now of course I'm probably reading this wrong, or missed something. :-) Any help would be much appreciated... Dave --- John Adams Twitter Operations j...@twitter.com http://twitter.com/netik
[twitter-dev] Re: Connection Keep-Alive and Max Simultaneous Connections
On Apr 8, 2009, at 10:33 PM, orange80 wrote: Yeah, I started checking the headers and realized that. It doesn't seem like there's any hard limit on simultaneous connections though so that helps quite a bit. Our web servers do not support Keep-Alive. -j --- John Adams Twitter Operations j...@twitter.com http://twitter.com/netik
[twitter-dev] Re: The OAuth Conundrum
On Mar 26, 2009, at 10:34 AM, atebits wrote: I'm not saying OAuth is a panacea, but it is better than handing over a password. That's the crux of it. It's not a panacea (the UX sucks, especially for iPhone apps), but the fact is it's only marginally better than handing over a password. I mentioned this in my blog post (linked above), but if I'm a native app, I can get your password if I want it - OAuth or not. It's nothing more than the illusion of security in this case. It's not an illusion of security, it's a shift of control. In the current system, the third party application has the user's credentials. If the third party app goes rogue and performs malicious actions, under OAuth, Twitter can revoke the application's rights wholesale, or the user can revoke the application's rights to their account only. To the twitter-folk: for implementation simplicity, I think you should run with token-based authentication and deprecate Basic Auth. All I ask in return is a special API method to exchange a username+password for an access token. This way I can collect a username+password client side (without directing the user to a webpage) and authenticate. Ah, but then your application would have the user's password. The scheme you propose is a good intermediary step for a transition, but not as a long term solution. From the user's perspective, it's just as easy as OAuth. Although much harder to revoke! -j --- John Adams Twitter Operations j...@twitter.com http://twitter.com/netik
[twitter-dev] Re: Accept header and OPTIONS method
On Mar 7, 2009, at 1:25 PM, Tom Nichols wrote: 2. Also, shouldn't any valid URL respond to the OPTIONS method with an Allow header? i.e. I would expect OPTIONS /statuses/destroy/12345.json to return Allow: POST, DELETE Right? I attempted this (on a status ID that my user owns) and I got a 400 Bad Request reply. Am I doing something wrong, or just something that isn't supported? We block both the TRACE and OPTIONS method within our web servers for security reasons. -john
Re: Recent Changes To Twitter.com Has Broken My App
Actually, forcing an app to use the API is better for Twitter. You get the data directly, and the system doesn't spend any time rendering the HTML. Less data from us = less time tying up server resources. There's no reason why you can't write a small amount of code to fetch a user's Tweets and display them in an IFRAME in the same way that you've described, with your site as the IFRAME's source. There were few options to defend against clickjacking. Denying IFRAMEs and preventing authenticated sessions from opening in them (when part of another page) was our best defense. -john On Feb 15, 2009, at 8:18 AM, Shannon Whitley wrote: I hope Twitter will reconsider these changes. With My Tweeple, I was able to provide a preview of a user's updates by displaying the page in an iframe. It was very convenient for the user to review someone's tweets before deciding to follow someone. It also appears that Twummize.com no longer works (one of my favorite simple mashups of Twitter and Twitter Search). Forcing an app to hit the API to recreate a page that already exists on Twitter.com seems like a bad thing for Twitter. On Feb 13, 3:10 pm, Cameron Kaiser spec...@floodgap.com wrote: Because if the click-jacking incident yesterday it seems you've added something like: //![CDATA[ twttr.form_authenticity_token = '966f6780e3bb206fe5f451d9ea40407f6532277f'; if (window.top !== window.self) { setTimeout(function() {document.body.innerHTML='';},1);window.self.onload=function(evt) {document.body.innerHTML='';};} //]] Which I guess fixes the click-jack problem but now our app at http://topichawk.com/is broken because we use an iFrame in a harmless way to display tweets. Is there a process to keep our site from being treated like a spammer? Twitter doesn't support using iframes and anything you had working before was almost certainly by accident. You're going to have to code something up that queries the API. 
-- personal: http://www.cameronkaiser.com/ -- Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com -- The faster we go, the rounder we get. -- The Grateful Dead, on relativity ---
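The defense discussed in this message is a script that blanks the page when `window.top !== window.self`. As an added example (not code from Twitter or from anyone in the thread), the sketch below audits the header-based controls that do the same job, `X-Frame-Options` and CSP `frame-ancestors`, which the browser enforces before any page script runs. The origins and header sets are constructed; only `'none'`, `'self'`, `*` and exact lower-case origins are interpreted, and a single level of embedding is assumed.

```javascript
// Added example. Decide whether response headers let `embedder` frame a page
// served from `pageOrigin`. Header names are expected in lower case.
function framingVerdict(headers, pageOrigin, embedder) {
  const csp = headers['content-security-policy'] || '';
  const directive = csp.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(parts => parts[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    // When present, frame-ancestors is enforced and X-Frame-Options is ignored.
    let unknown = false;
    for (const src of directive.slice(1)) {
      const s = src.toLowerCase();
      if (s === "'none'") continue;               // matches nothing
      if (s === '*') return 'allowed';
      if (s === "'self'") {
        if (embedder === pageOrigin) return 'allowed';
      } else if (/^https?:\/\/[a-z0-9.-]+(:\d+)?$/.test(s)) {
        if (s === embedder) return 'allowed';
      } else {
        unknown = true;                           // wildcard hosts, bare schemes, ...
      }
    }
    return unknown ? 'unknown' : 'blocked';
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return embedder === pageOrigin ? 'allowed' : 'blocked';
  // No framing header: only in-page script stands between the page and a frame.
  return 'allowed';
}

const PAGE = 'https://social.example';            // constructed origins
const MASHUP = 'https://mashup.example';
const SAMPLES = {                                 // constructed header sets
  scriptOnly: {},
  deny: { 'x-frame-options': 'DENY' },
  sameOrigin: { 'x-frame-options': 'SAMEORIGIN' },
  partner: {
    'x-frame-options': 'DENY',
    'content-security-policy': "default-src 'self'; frame-ancestors 'self' " + MASHUP,
  },
};
function auditSamples(embedder) {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    out[name] = framingVerdict(headers, PAGE, embedder);
  }
  return out;
}
console.log(auditSamples(MASHUP));
```

The `partner` set shows the allowlisting that a blanket frame-buster cannot express: one named embedding origin is admitted while every other origin stays blocked.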
Re: Recent Changes To Twitter.com Has Broken My App
I'm fairly certain we've patched the IE vulnerability, and that it only affected users on IE6. I'd have to ask our UX team, though.

-j

On Feb 15, 2009, at 12:19 PM, Abraham Williams wrote:

Supposedly there are a couple of methods of blocking Twitter's JavaScript but I can't find the page anymore. My recollection is they mostly relied on vulnerabilities in IE... Kind of ironic actually. I would not recommend this method as it probably could get you banned from Twitter.

On Sun, Feb 15, 2009 at 12:11, John Adams j...@twitter.com wrote:

Actually, forcing an app to use the API is better for Twitter. You get the data directly, and the system doesn't spend any time rendering the HTML. Less data from us = less time tying up server resources.

There's no reason why you can't write a small amount of code to fetch a user's Tweets and display them in an IFRAME in the same way that you've described, with your site as the IFRAME's source.

There were few options to defend against clickjacking. Denying IFRAMEs and preventing authenticated sessions from opening in them (when part of another page) was our best defense.

-john

On Feb 15, 2009, at 8:18 AM, Shannon Whitley wrote:

I hope Twitter will reconsider these changes. With My Tweeple, I was able to provide a preview of a user's updates by displaying the page in an iframe. It was very convenient for the user to review someone's tweets before deciding to follow someone. It also appears that Twummize.com no longer works (one of my favorite simple mashups of Twitter and Twitter Search). Forcing an app to hit the API to recreate a page that already exists on Twitter.com seems like a bad thing for Twitter.
On Feb 13, 3:10 pm, Cameron Kaiser spec...@floodgap.com wrote:

Because of the click-jacking incident yesterday it seems you've added something like:

    //<![CDATA[
    twttr.form_authenticity_token = '966f6780e3bb206fe5f451d9ea40407f6532277f';
    if (window.top !== window.self) {
      setTimeout(function() { document.body.innerHTML = ''; }, 1);
      window.self.onload = function(evt) { document.body.innerHTML = ''; };
    }
    //]]>

Which I guess fixes the click-jack problem but now our app at http://topichawk.com/ is broken because we use an iFrame in a harmless way to display tweets. Is there a process to keep our site from being treated like a spammer?

Twitter doesn't support using iframes and anything you had working before was almost certainly by accident. You're going to have to code something up that queries the API.

-- personal: http://www.cameronkaiser.com/ -- Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com -- The faster we go, the rounder we get. -- The Grateful Dead, on relativity ---

-- Abraham Williams | http://the.hackerconundrum.com Web608 | Community Evangelist | http://web608.org This email is: [ ] blogable [x] ask first [ ] private. Sent from: Madison Wi United States.

--- John Adams Twitter Operations j...@twitter.com http://twitter.com/netik
Re: Is SSL (TLS/https) officially supported?
Officially supported, and recommended.

-j

On Nov 28, 2008, at 12:24 PM, Ed Finkler wrote:

I'm pretty sure it's officially supported.

-- Ed Finkler http://funkatron.com AIM: funka7ron ICQ: 3922133 Skype: funka7ron

On Fri, Nov 28, 2008 at 3:18 PM, Jon Colverson [EMAIL PROTECTED] wrote:

Hello. I've just started playing around with the REST API and I noticed that https requests work, but I couldn't find this documented in the API docs. Is it officially supported, or something that works accidentally and might go away without warning? Thank you.

-- Jon