This has been discussed quite a bit previously, and is something the
Twitter folks are aware of:

http://code.google.com/p/twitter-api/issues/detail?id=1665

Cheers

-N

On Sep 21, 6:54 pm, ManuelZ <m...@alumni.sfu.ca> wrote:
> When you register your Twitter app at http://dev.twitter.com, you get
> an api key, a consumer secret and other awesome goodies.
>
> The secret is necessary so that you can validate signatures of stuff
> coming from Twitter (confirm it's from Twitter) and generate
> signatures for stuff you're sending to Twitter (confirm it's from your
> application).
>
> All application settings are sent in clear text (http) if you follow
> the links on dev.twitter, which is an attack vector: the interception
> of the secret can compromise the app.
>
> (1) It's been puzzling me for a while why the dev.twitter.com/apps (or
> at least the app settings page) is not restricted to https only.
> Granted, Twitter can only be affected through a slightly more
> sophisticated attack (incl. spoofing the app) + they likely have
> efficient ways to reverse damage from one compromised application, but
> as the app developer, you're in a pretty bad spot.
>
> (2) Suggestion: if you go to https://dev.twitter.com/apps for all your
> app settings business, you can protect your secret... with one small
> problem: certificate error:
> "dev.twitter.com uses an invalid security certificate. The certificate
> is only valid for the following names:
>  www.twitter.com, twitter.com"
> If anyone from Twitter is listening -- it may be a good idea to fix
> this.
>
> (3) On the bright side, Twitter is way better than Facebook, where
> even if you go to your app settings over https (it works!), it will
> redirect you to http after it's re-generated your key.

-- 
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: 
http://groups.google.com/group/twitter-development-talk?hl=en
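The two problems ManuelZ raises, a settings page reachable over plain http and a certificate whose names do not cover the host being visited, are both mechanical checks a client can make before it ever renders a page containing a consumer secret. The script below is an added example, not code from the thread or from Twitter: it applies the hostname-matching rule browsers use (exact match or a single-label wildcard in the leftmost position) to the certificate names quoted in the error message, and treats a non-https settings URL as a finding in its own right. The certificate name list is constructed from the quoted error; the function names are my own.

```python
"""Audit an app-settings URL for the two transport problems discussed in the
thread: plaintext http, and a TLS certificate that does not name the host.
Added example; not Twitter's code and not from the original post."""

from urllib.parse import urlparse

# Constructed sample: the names listed in the certificate error quoted above.
SAMPLE_CERT_NAMES = ["www.twitter.com", "twitter.com"]


def uses_tls(url: str) -> bool:
    """True only for https; anything else exposes the page (and the secret on it) in transit."""
    return urlparse(url).scheme.lower() == "https"


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname the way browsers do
    (RFC 6125 style): case-insensitive exact match, or a wildcard that is the
    whole leftmost label and stands in for exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = hostname.split(".")
        # '*' covers one label only: *.twitter.com matches dev.twitter.com,
        # but not twitter.com and not a.b.twitter.com
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def cert_covers_host(cert_names, hostname: str) -> bool:
    """True if any name in the certificate (CN or SAN list) matches the host."""
    return any(name_matches(n, hostname) for n in cert_names)


def audit_settings_url(url: str, cert_names) -> list:
    """Return a list of findings; an empty list means the page is acceptable."""
    findings = []
    parsed = urlparse(url)
    if not uses_tls(url):
        findings.append("plaintext: settings page is not served over https")
        return findings  # no certificate to check on plain http
    if not cert_covers_host(cert_names, parsed.hostname or ""):
        findings.append(
            f"hostname mismatch: certificate valid for {cert_names}, not {parsed.hostname}"
        )
    return findings


if __name__ == "__main__":
    for url in ("http://dev.twitter.com/apps",
                "https://dev.twitter.com/apps",
                "https://twitter.com/"):
        print(url, audit_settings_url(url, SAMPLE_CERT_NAMES) or ["ok"])
```

Run as written, the http URL is flagged for plaintext, the https dev.twitter.com URL is flagged for the hostname mismatch the post describes, and https://twitter.com/ passes. A modern Python client gets the same hostname check for free from `ssl.create_default_context()`, which sets `check_hostname=True`; the point of spelling it out here is to show why "valid for www.twitter.com, twitter.com" is not good enough for dev.twitter.com and why clicking through that warning is not a safe workaround.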
