Jaanus wrote:
Is there a reason why the OAuth URL in the api wiki could not be HTTPS by default? Why would you want to recommend HTTP over HTTPS? (I know that OAuth was designed to be safe over HTTP, immune against man-in-the-middle and all, but HTTPS just gives me a warm and fuzzy feel. ;)
I also recommend that everybody use HTTPS instead of HTTP. If you don't use HTTPS for OAuth, then the authorization page that Twitter serves the end user will have a form that the user will use to submit his username/password, and that form submission will happen over HTTP instead of HTTPS. That means that anybody on the same network as the user can easily grab his credentials when he's authorizing your app. (I think the http:// authorization page should always submit via HTTPS by default like the https:// version does, and it should include a link to an insecure login page for those that are unable to use HTTPS.)

Twitter's servers don't support persistent connections, so accessing several API resources over HTTPS often results in too much latency. But, even if an app avoids HTTPS for regular API methods because of performance, it should still use HTTPS for OAuth, IMO.

Regards,
Brian
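The point Brian makes above is that the scheme of the authorization page decides where the login form posts: a form with a relative `action` on an http:// page submits the username and password over plain HTTP. The following check, added here as an illustration and not code from the thread or from Twitter, parses an authorization page, resolves each form's `action` against the page URL, and reports whether the credentials would travel over HTTPS; it also shows a client-side guard that refuses to begin an OAuth flow over non-HTTPS endpoints. The HTML snippets and `api.example.test` host are constructed for the example.

```python
"""Added example (not from the original thread): check that an OAuth
authorization page will submit the user's credentials over HTTPS.

Assumptions (constructed for illustration): the HTML snippets below are
made-up stand-ins for an authorization page and the host api.example.test
is a placeholder; no real Twitter markup or endpoint is used.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionFinder(HTMLParser):
    """Collect the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing or empty action means "post back to this page".
            action = dict(attrs).get("action") or ""
            self.actions.append(action)


def credential_form_targets(page_url, html):
    """Return the absolute URLs that forms on `page_url` will submit to.

    An empty or relative action is resolved against the page URL, which is
    exactly why an http:// authorization page ends up posting over http.
    """
    finder = FormActionFinder()
    finder.feed(html)
    return [urljoin(page_url, action) for action in finder.actions]


def submits_over_https(page_url, html):
    """True only if the page has forms and every one posts to https://."""
    targets = credential_form_targets(page_url, html)
    return bool(targets) and all(urlsplit(t).scheme == "https" for t in targets)


def require_https_endpoints(endpoints):
    """Client-side guard: list every OAuth endpoint that is not https://.

    An empty result means the flow may start; a non-empty one lets the
    caller fail closed before any token or credential leaves the client.
    """
    return [u for u in endpoints if urlsplit(u).scheme != "https"]


# Constructed sample pages (not real Twitter markup).
INSECURE_PAGE = ('<html><body><form action="/oauth/authorize" method="post">'
                 '<input name="username"><input name="password" type="password">'
                 '</form></body></html>')
PINNED_PAGE = ('<html><body><form action="https://api.example.test/oauth/authorize" '
               'method="post"><input name="username"></form></body></html>')

if __name__ == "__main__":
    http_page = "http://api.example.test/oauth/authorize"
    print(submits_over_https(http_page, INSECURE_PAGE))  # False: relative action inherits http
    print(submits_over_https(http_page, PINNED_PAGE))    # True: absolute https action
    print(require_https_endpoints([
        "http://api.example.test/oauth/request_token",
        "https://api.example.test/oauth/access_token",
    ]))  # ['http://api.example.test/oauth/request_token']
```

The second sample page shows the behaviour Brian asks for: an absolute https:// `action` makes the form submit securely even when the page itself was fetched over HTTP. Running the same check on a page that was served over https:// passes, because a relative action then inherits the https scheme.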
