Jaanus wrote:
Is there a reason why the OAuth URL in the api wiki could not be HTTPS
by default? Why would you want to recommend HTTP over HTTPS? (I know
that OAuth was designed to be safe over HTTP, immune against man-in-
the-middle and all, but HTTPS just gives me a warm and fuzzy feel. ;)
I also recommend everybody to use HTTPS instead of HTTP. If you don't use HTTPS for OAuth, then the authorization page that Twitter server the end user will have a form that the user will use to submit his username/password, and that form submission will happen over HTTP instead of HTTPS. That means that anybody on the same network as the user can easily grab his credentials when he's authorizing your app. (I think the http:// authorization page should always submit via HTTPS by default like the https:// version does, and it should include a link to an insecure login page for those that are unable to use HTTPS.)

Twitter's servers don't support persistent connections, so accessing several API resources over HTTPS often results in too much latency. But, even if an app avoids HTTPS for regular API methods because of performance, it should still use HTTPS for OAuth, IMO.


Reply via email to