When you register your Twitter app at http://dev.twitter.com, you get an api key, a consumer secret and other awesome goodies.
The secret is necessary so that you can validate signatures of stuff coming from Twitter (confirm it's from Twitter) and generate signatures for stuff you're sending to Twitter (confirm it's from your application). All application settings are sent in clear text (http) if you follow the links on dev.twitter, which is an attack vector: the interception of the secret can compromise the app. (1) It's been puzzling me for a while why the dev.twitter.com/apps (or at least the app settings page) is not restricted to https only. Granted, Twitter can only be affected through a slightly more sophisticated attack (incl. spoofing the app) + they likely have efficient ways to reverse damage from one compromised application, but as the app developer, you're in a pretty bad spot. (2) Suggestion: if you go to https://dev.twitter.com/apps for all your app settings business, you can protect your secret... with one small problem: certificate error: "dev.twitter.com uses an invalid security certificate. The certificate is only valid for the following names: www.twitter.com , twitter.com" If anyone from Twitter is listening -- it may be a good idea to fix this. (3) On the bright side, Twitter is way better than Facebook, where even if you go to your app settings over https (it works!), it will redirect you to http after it's re-generated your key. -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk?hl=en
