[twitter-dev] Re: @anywhere login contains unsecure content -- please help
Done. Ticket: http://code.google.com/p/twitter-api/issues/detail?id=1903 -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk
[twitter-dev] @anywhere login contains unsecure content -- please help
I'm using @anywhere to provide sign in with Twitter and Twitter profiles within my app. Works like a charm!

One problem: when opening the OAuth authentication challenge (at https://oauth.twitter.com/2/authorize) in a popup window, some of the content is retrieved from http, which leads to browser warnings -- especially nasty in IE. Needless to say, it doesn't help build confidence in my app :) Please help!

I believe this is the offending line:

<link href="http://twitter.com/oexchange.xrd" rel="http://oexchange.org/spec/0.8/rel/related-target" type="application/xrd+xml" />

My app: http://skwez.com.

Cheers!
Manuel
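The kind of check that would have caught the `<link href="http://...">` tag above, as an added example that is not part of the thread: a small Python scanner that parses an https page and reports every subresource reference that resolves to plain http. The page URL and HTML are constructed here to mirror the post, not fetched from Twitter.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a subresource.
# An <a href> is navigation, not a subresource, so it is deliberately absent.
URL_ATTRS = {
    "link": ("href",),
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "form": ("action",),
    "object": ("data",),
    "embed": ("src",),
}

class MixedContentFinder(HTMLParser):
    """Collect subresource references that resolve to plain http on an https page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Self-closing tags such as <link ... /> also arrive here (via handle_startendtag).
        for attr in URL_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == attr and value:
                    # Resolve relative and protocol-relative URLs against the page URL,
                    # so "/x.js" and "//host/x.css" correctly count as https here.
                    absolute = urljoin(self.page_url, value.strip())
                    if urlsplit(absolute).scheme == "http":
                        self.findings.append((tag, attr, absolute))

def find_mixed_content(page_url, html):
    """Return (tag, attribute, url) for every http subresource found in an https page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("the page itself must be served over https")
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample modelled on the authorize page described in the post.
SAMPLE_PAGE_URL = "https://oauth.twitter.com/2/authorize"
SAMPLE_HTML = """<html><head>
<link href="http://twitter.com/oexchange.xrd" rel="http://oexchange.org/spec/0.8/rel/related-target" type="application/xrd+xml" />
<link rel="stylesheet" href="//twitter.com/style.css">
<script src="/scripts/anywhere.js"></script>
</head><body><a href="http://twitter.com/about">About</a>
<img src="https://twitter.com/logo.png"></body></html>"""
```

Running `find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML)` reports only the oexchange `<link>`; the protocol-relative stylesheet and the relative script inherit https and are not flagged.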
[twitter-dev] @anywhere rocks for Javascript development
It's simple; it feels like jQuery; gives you the basics instantly.
[twitter-dev] dev.twitter.com sends consumer secret in clear text
When you register your Twitter app at http://dev.twitter.com, you get an API key, a consumer secret and other awesome goodies. The secret is necessary so that you can validate signatures of stuff coming from Twitter (confirm it's from Twitter) and generate signatures for stuff you're sending to Twitter (confirm it's from your application). All application settings are sent in clear text (http) if you follow the links on dev.twitter, which is an attack vector: the interception of the secret can compromise the app.

(1) It's been puzzling me for a while why the dev.twitter.com/apps (or at least the app settings page) is not restricted to https only. Granted, Twitter can only be affected through a slightly more sophisticated attack (incl. spoofing the app) + they likely have efficient ways to reverse damage from one compromised application, but as the app developer, you're in a pretty bad spot.

(2) Suggestion: if you go to https://dev.twitter.com/apps for all your app settings business, you can protect your secret... with one small problem: certificate error: dev.twitter.com uses an invalid security certificate. The certificate is only valid for the following names: www.twitter.com, twitter.com. If anyone from Twitter is listening -- it may be a good idea to fix this.

(3) On the bright side, Twitter is way better than Facebook, where even if you go to your app settings over https (it works!), it will redirect you to http after it's re-generated your key.