When you register your Twitter app at http://dev.twitter.com, you get
an API key, a consumer secret and other awesome goodies.

The secret is necessary so that you can validate signatures of stuff
coming from Twitter (confirm it's from Twitter) and generate
signatures for stuff you're sending to Twitter (confirm it's from your
application).

All application settings are sent in clear text (http) if you follow
the links on dev.twitter, which is an attack vector: the interception
of the secret can compromise the app.

(1) It's been puzzling me for a while why the dev.twitter.com/apps (or
at least the app settings page) is not restricted to https only.
Granted, Twitter can only be affected through a slightly more
sophisticated attack (incl. spoofing the app) + they likely have
efficient ways to reverse damage from one compromised application, but
as the app developer, you're in a pretty bad spot.

(2) Suggestion: if you go to https://dev.twitter.com/apps for all your
app settings business, you can protect your secret... with one small
problem: certificate error:
"dev.twitter.com uses an invalid security certificate. The certificate
is only valid for the following names:
  www.twitter.com , twitter.com"
If anyone from Twitter is listening -- it may be a good idea to fix
this.

(3) On the bright side, Twitter is way better than Facebook, where
even if you go to your app settings over https (it works!), it will
redirect you to http after it's re-generated your key.

-- 
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: 
http://groups.google.com/group/twitter-development-talk?hl=en

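To make the post's point concrete: the consumer secret is the HMAC key behind every OAuth 1.0a request signature, so whoever holds it can produce signatures Twitter will accept as the app's. The following is an added example, not code from the post or from Twitter; it implements the standard OAuth 1.0a HMAC-SHA1 signing steps (percent-encode, sort, build the base string, HMAC with consumer secret & token secret). The key, token, nonce and timestamp values are illustrative and not live credentials.

```python
"""OAuth 1.0a HMAC-SHA1 request signing and verification.

Added example (not the post's or Twitter's code). Parameter values below are
illustrative sample values, not real credentials.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only
    A-Z a-z 0-9 - . _ ~ are left unescaped, everything else is %XX."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & enc(url) & enc(sorted 'k=v' pairs).

    `params` holds every query/body/oauth_* parameter except
    oauth_signature itself. Pairs are sorted after encoding, by key
    then value, as the spec requires."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(param_string)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """Signing key is enc(consumer_secret) & enc(token_secret); the
    consumer secret alone already lets you sign any request the app
    can make, which is why leaking it over plain http matters."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    digest = hmac.new(key, base, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(method, url, params, consumer_secret, token_secret, presented):
    """What the receiving side does: recompute the signature from the
    secrets it holds and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


# --- constructed sample request (illustrative values, not credentials) ---
SAMPLE_URL = "https://api.twitter.com/1.1/statuses/update.json"
SAMPLE_CONSUMER_SECRET = "kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw"
SAMPLE_TOKEN_SECRET = "LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE"
SAMPLE_PARAMS = {
    "status": "Hello Ladies + Gentlemen, a signed OAuth request!",
    "include_entities": "true",
    "oauth_consumer_key": "xvz1evFS4wEEPTGEFPHBog",
    "oauth_nonce": "kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1318622958",
    "oauth_token": "370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",
    "oauth_version": "1.0",
}


def demo():
    """Sign the sample request and check it verifies only with the right secret."""
    sig = sign("POST", SAMPLE_URL, SAMPLE_PARAMS,
               SAMPLE_CONSUMER_SECRET, SAMPLE_TOKEN_SECRET)
    return {
        "base_string": signature_base_string("POST", SAMPLE_URL, SAMPLE_PARAMS),
        "signature": sig,
        "verifies": verify("POST", SAMPLE_URL, SAMPLE_PARAMS,
                           SAMPLE_CONSUMER_SECRET, SAMPLE_TOKEN_SECRET, sig),
        "verifies_with_wrong_secret": verify("POST", SAMPLE_URL, SAMPLE_PARAMS,
                                             "not-the-secret", SAMPLE_TOKEN_SECRET, sig),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The base string is what both sides must agree on byte for byte; the only thing that turns it into a signature is the secret pair, so protecting the secret in transit (https for the settings page) is the whole game. `verify` uses `hmac.compare_digest` so a server-side comparison does not leak timing information.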