[twitter-dev] Re: dev.twitter.com sends consumer secret in clear text

2010-09-22 Thread Nik Fletcher
This has been discussed quite a bit previously, and is something the
Twitter folks are aware of:

http://code.google.com/p/twitter-api/issues/detail?id=1665

Cheers

-N

On Sep 21, 6:54 pm, ManuelZ m...@alumni.sfu.ca wrote:
 When you register your Twitter app at http://dev.twitter.com, you get
 an api key, a consumer secret and other awesome goodies.

 The secret is necessary so that you can validate signatures of stuff
 coming from Twitter (confirm it's from Twitter) and generate
 signatures for stuff you're sending to Twitter (confirm it's from your
 application).

 All application settings are sent in clear text (http) if you follow
 the links on dev.twitter, which is an attack vector: the interception
 of the secret can compromise the app.

 (1) It's been puzzling me for a while why the dev.twitter.com/apps (or
 at least the app settings page) is not restricted to https only.
 Granted, Twitter can only be affected through a slightly more
 sophisticated attack (incl. spoofing the app) +  they likely have
 efficient ways to reverse damage from one compromised application, but
 as the app developer, you're in a pretty bad spot.

 (2) Suggestion: if you go to https://dev.twitter.com/apps for all your
 app settings business, you can protect your secret... with one small
 problem: certificate error:
 dev.twitter.com uses an invalid security certificate. The certificate
 is only valid for the following names:
  www.twitter.com, twitter.com
 If anyone from Twitter is listening -- it may be a good idea to fix
 this.

 (3) On the bright side, Twitter is way better than Facebook, where
 even if you go to your app settings over https (it works!), it will
 redirect you to http after it's re-generated your key.

-- 
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: 
http://groups.google.com/group/twitter-development-talk?hl=en
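To make concrete why an intercepted consumer secret compromises the app, here is an added example (not code from this thread or from Twitter) of the OAuth 1.0a HMAC-SHA1 request signing that Twitter's API used, following RFC 5849; the host, key, nonce, timestamp and secret are constructed sample values. Because the HMAC key is built from the consumer secret, anyone who captures it can produce signatures the verifier cannot tell apart from the application's own.

```python
# Added example: OAuth 1.0a HMAC-SHA1 request signing (RFC 5849), the scheme
# Twitter's API used, showing the role the consumer secret plays. All keys,
# hosts and parameters below are constructed samples, not real credentials.
import base64
import hashlib
import hmac
import urllib.parse

def percent_encode(value: str) -> str:
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return urllib.parse.quote(str(value), safe="-._~")

def signature_base_string(method: str, base_url: str, params: dict) -> str:
    # Encode and sort every parameter except oauth_signature, then join the
    # method, base URL and normalized parameter string with '&'.
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(base_url), percent_encode(normalized)])

def sign(method: str, base_url: str, params: dict,
         consumer_secret: str, token_secret: str = "") -> str:
    # HMAC key is "<consumer_secret>&<token_secret>", so whoever holds the
    # consumer secret can produce signatures indistinguishable from the app's.
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    base = signature_base_string(method, base_url, params)
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify(method: str, base_url: str, params: dict,
           consumer_secret: str, token_secret: str = "") -> bool:
    # Server side: recompute over all parameters but the presented signature
    # and compare in constant time.
    presented = params.get("oauth_signature")
    if presented is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    return hmac.compare_digest(presented, sign(method, base_url, unsigned,
                                                consumer_secret, token_secret))

# Constructed sample request (hypothetical host, key and secret).
SAMPLE_URL = "https://api.example.test/1/verify.json"
SAMPLE_PARAMS = {"oauth_consumer_key": "ck", "oauth_nonce": "n1",
                 "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1285113600",
                 "oauth_version": "1.0", "q": "a b"}
SAMPLE_SECRET = "consumer-secret-sample"
```

Signing with `sign(...)`, adding the result as `oauth_signature`, and then calling `verify(...)` with the same secret succeeds, while any other secret fails; a real server would also check the nonce and timestamp for replay.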


Re: [twitter-dev] Re: dev.twitter.com sends consumer secret in clear text

2010-09-22 Thread Taylor Singletary
We don't like it either. I can tell you with confidence that a
SSL-based dev.twitter.com will be coming in the future though. If
you're sensitive in this area, we still have the classic style app
management available at https://twitter.com/apps -- doesn't have all
the bells & whistles, but gets the job done.

Taylor

