This has been discussed quite a bit previously, and is something the Twitter folks are aware of:
http://code.google.com/p/twitter-api/issues/detail?id=1665

Cheers
-N

On Sep 21, 6:54 pm, ManuelZ <m...@alumni.sfu.ca> wrote:
> When you register your Twitter app at http://dev.twitter.com, you get
> an API key, a consumer secret and other awesome goodies.
>
> The secret is necessary so that you can validate signatures of stuff
> coming from Twitter (confirm it's from Twitter) and generate
> signatures for stuff you're sending to Twitter (confirm it's from your
> application).
>
> All application settings are sent in clear text (http) if you follow
> the links on dev.twitter, which is an attack vector: the interception
> of the secret can compromise the app.
>
> (1) It's been puzzling me for a while why the dev.twitter.com/apps (or
> at least the app settings page) is not restricted to https only.
> Granted, Twitter can only be affected through a slightly more
> sophisticated attack (incl. spoofing the app) + they likely have
> efficient ways to reverse damage from one compromised application, but
> as the app developer, you're in a pretty bad spot.
>
> (2) Suggestion: if you go to https://dev.twitter.com/apps for all your
> app settings business, you can protect your secret... with one small
> problem: certificate error:
> "dev.twitter.com uses an invalid security certificate. The certificate
> is only valid for the following names:
> www.twitter.com, twitter.com"
> If anyone from Twitter is listening -- it may be a good idea to fix
> this.
>
> (3) On the bright side, Twitter is way better than Facebook, where
> even if you go to your app settings over https (it works!), it will
> redirect you to http after it's re-generated your key.

--
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: http://groups.google.com/group/twitter-development-talk?hl=en
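To make concrete why a consumer secret leaking over plain HTTP matters, here is an added example (not code from this thread, from Twitter, or from any Twitter library) of the OAuth 1.0a HMAC-SHA1 signing that the Twitter API of this era required. The consumer secret is half of the HMAC key, so whoever intercepts it can produce signatures that are byte-for-byte identical to the legitimate application's. All key, secret, token, nonce and timestamp values below are constructed placeholders, the endpoint URL is assumed to be passed already normalized (lowercase scheme and host, no default port), and the `verify` function is a sketch of what the server side would do, not Twitter's implementation.

```python
"""OAuth 1.0a HMAC-SHA1 signing (RFC 5849), with a forgery demonstration.

Added example; constants are constructed and not real credentials.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholders standing in for what dev.twitter.com hands out.
CONSUMER_KEY = "demo-consumer-key"
CONSUMER_SECRET = "demo-consumer-secret"
TOKEN = "demo-token"
TOKEN_SECRET = "demo-token-secret"

# Assumed endpoint; the URL is taken to be normalized already.
URL = "https://api.twitter.com/1/statuses/update.json"

# Constructed request parameters (oauth_* protocol params plus a body param).
SAMPLE_PARAMS = {
    "status": "hello world",
    "oauth_consumer_key": CONSUMER_KEY,
    "oauth_nonce": "n0nce",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1285099200",
    "oauth_token": TOKEN,
    "oauth_version": "1.0",
}


def pct(value: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters survive."""
    return quote(str(value), safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    """Signature base string (RFC 5849 section 3.4.1): METHOD & url & normalized params.

    Parameters are encoded first, then sorted by key and value, then joined.
    """
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method: str, url: str, params: dict,
         consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string, keyed with consumer_secret & token_secret.

    Note that the consumer secret is the key: holding it is holding the
    ability to sign as the application.
    """
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    message = base_string(method, url, params).encode()
    digest = hmac.new(key, message, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(method: str, url: str, params: dict,
           consumer_secret: str, token_secret: str = "") -> bool:
    """Server-side check: recompute the signature and compare in constant time.

    Sketch only; a real server also checks nonce/timestamp freshness.
    """
    presented = params.get("oauth_signature", "")
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def forgery_demo() -> dict:
    """The legitimate app and an attacker holding the leaked secret sign the same request."""
    legit = sign("POST", URL, SAMPLE_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    # The attacker intercepted CONSUMER_SECRET from the plaintext settings page
    # (and obtained a token secret through the normal OAuth flow).
    forged = sign("POST", URL, SAMPLE_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    wrong_key = sign("POST", URL, SAMPLE_PARAMS, "attacker-guess", TOKEN_SECRET)
    return {
        "base_string": base_string("POST", URL, SAMPLE_PARAMS),
        "indistinguishable": legit == forged,
        "guess_fails": legit != wrong_key,
    }


if __name__ == "__main__":
    for name, value in forgery_demo().items():
        print(f"{name}: {value}")
```

The base string is the only part of the computation that can be checked by eye; the rest is the HMAC, so in practice one validates an implementation by signing a request with a known secret and checking that the server accepts it. The `hmac.compare_digest` call on the verifying side avoids a timing side channel that a plain `==` on the base64 strings would introduce.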