This has been discussed quite a bit previously, and is something the
Twitter folks are aware of:



On Sep 21, 6:54 pm, ManuelZ <> wrote:
> When you register your Twitter app at, you get
> an api key, a consumer secret and other awesome goodies.
> The secret is necessary so that you can validate signatures of stuff
> coming from Twitter (confirm it's from Twitter) and generate
> signatures for stuff you're sending to Twitter (confirm it's from your
> application).
> All application settings are sent in clear text (http) if you follow
> the links on dev.twitter, which is an attack vector: the interception
> of the secret can compromise the app.
> (1) It's been puzzling me for a while why the (or
> at least the app settings page) is not restricted to https only.
> Granted, Twitter can only be affected through a slightly more
> sophisticated attack (incl. spoofing the app) + they likely have
> efficient ways to reverse damage from one compromised application, but
> as the app developer, you're in a pretty bad spot.
> (2) Suggestion: if you go to all your
> app settings business, you can protect your secret... with one small
> problem: certificate error:
> " uses an invalid security certificate. The certificate
> is only valid for the following names:
> If anyone from Twitter is listening -- it may be a good idea to fix
> this.
> (3) On the bright side, Twitter is way better than Facebook, where
> even if you go to your app settings over https (it works!), it will
> redirect you to http after it's re-generated your key.
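The quoted post says the consumer secret is what lets an app sign what it sends to Twitter and validate what comes back; the reason its interception "can compromise the app" is that the secret is the HMAC key of those signatures, so anyone holding it can sign as the app. The following is an added example, not code from the thread or from Twitter: it implements the OAuth 1.0a HMAC-SHA1 signing that Twitter's API used (the scheme is assumed from Twitter's API of that era, and the URL, parameters and secret are constructed sample values), and shows that verification succeeds only with the right secret.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlparse

# Constructed sample request; none of these values are real Twitter data.
SAMPLE_URL = "https://api.example.com/1/statuses/update.json?include_entities=true"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "constructed-consumer-key",
    "oauth_nonce": "constructed-nonce-123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1285113240",
    "oauth_version": "1.0",
    "status": "Hello Ladies + Gentlemen, a signed OAuth request!",
}
CONSUMER_SECRET = "constructed-consumer-secret"


def percent_encode(value):
    """RFC 3986 encoding as OAuth 1.0a requires: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build the OAuth 1.0a signature base string.

    All request parameters (query string, oauth_* header values and form body)
    are percent-encoded, sorted and joined, then the method, normalized base URL
    and parameter string are each encoded again and joined with '&'.
    """
    parsed = urlparse(url)
    base_url = f"{parsed.scheme.lower()}://{parsed.netloc.lower()}{parsed.path}"
    all_params = list(params.items()) + parse_qsl(parsed.query, keep_blank_values=True)
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in all_params)
    param_string = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), percent_encode(base_url), percent_encode(param_string)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; the consumer secret is half of the key.

    Whoever has the consumer secret can therefore produce signatures that are
    indistinguishable from the legitimate application's.
    """
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(method, url, params, signature, consumer_secret, token_secret=""):
    """Recompute the signature and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    sig = sign("POST", SAMPLE_URL, SAMPLE_PARAMS, CONSUMER_SECRET)
    print("signature:", sig)
    print("verifies with the real secret:", verify("POST", SAMPLE_URL, SAMPLE_PARAMS, sig, CONSUMER_SECRET))
    print("verifies with a wrong secret:", verify("POST", SAMPLE_URL, SAMPLE_PARAMS, sig, "wrong-secret"))
```

Nothing in the signature itself leaks the secret, which is exactly why the settings page that displays the secret in cleartext is the weak point the post singles out: the protocol protects the secret in transit on every API call, but the page that hands it to the developer does not.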
