We don't like it either. I can tell you with confidence that a
SSL-based dev.twitter.com will be coming in the future though. If
you're sensitive in this area, we still have the classic style app
management available at https://twitter.com/apps -- doesn't have all
the bells whistles, but gets the job done.
Taylor
On Wed, Sep 22, 2010 at 5:35 AM, Nik Fletcher nik.fletc...@gmail.com wrote:
This has been discussed quite a bit previously, and is something the
Twitter folks are aware of:
http://code.google.com/p/twitter-api/issues/detail?id=1665
Cheers
-N
On Sep 21, 6:54 pm, ManuelZ m...@alumni.sfu.ca wrote:
When you register your Twitter app athttp://dev.twitter.com, you get
an api key, a consumer secret and other awesome goodies.
The secret is necessary so that you can validate signatures of stuff
coming from Twitter (confirm it's from Twitter) and generate
signatures for stuff you're sending to Twitter (confirm it's from your
application).
All application settings are sent in clear text (http) if you follow
the links on dev.twitter, which is an attack vector: the interception
of the secret can compromise the app.
(1) It's been puzzling me for a while why the dev.twitter.com/apps (or
at least the app settings page) is not restricted to https only.
Granted, Twitter can only be affected through a slightly more
sophisticated attack (incl. spoofing the app) + they likely have
efficient ways to reverse damage from one compromised application, but
as the app developer, you're in a pretty bad spot.
(2) Suggestion: if you go tohttps://dev.twitter.com/appsfor all your
app settings business, you can protect your secret... with one small
problem: certificate error:
dev.twitter.com uses an invalid security certificate. The certificate
is only valid for the following names:
www.twitter.com, twitter.com
If anyone from Twitter is listening -- it may be a good idea to fix
this.
(3) On the bright side, Twitter is way better than Facebook, where
even if you go to your app settings over https (it works!), it will
redirect you to http after it's re-generated your key.
--
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group:
http://groups.google.com/group/twitter-development-talk?hl=en
--
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group:
http://groups.google.com/group/twitter-development-talk?hl=en