Twitter API - Checking Twitter is actually Twitter

I've looked at various APIs, and since Twitter seems to be a common discussion point, I'll use it as an example.

Many APIs implement OAuth, which is great for allowing the service to authenticate and authorize the app connecting to it; however, from what I've seen, it looks like the app cannot verify that Twitter is actually Twitter (and not a man-in-the-middle attack)? I would expect to see some sort of signature (using the public / public key) of the response body that I can use to verify that Twitter has signed it.

This is simply because currently there is really no point in a man-in-the-middle attack on Twitter tweets in the first place, which is the worst thing that can happen (and why would anyone want to give me the wrong tweets?).

At this point, if you were to sign the response, what method would you use? I am currently considering HMAC-SHA1 signature of the response body using a shared key.

+2


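The response-body HMAC the question proposes, as an added example that is not part of the original post: the server computes a tag over the body plus a timestamp, and the client verifies it in constant time and rejects tampered or stale responses. It uses HMAC-SHA256 rather than the SHA1 mentioned above; the shared key, the header layout and the freshness window are assumptions.

```python
import hmac
import hashlib
import time

# Constructed shared secret for the example; a real key is distributed out of band.
SHARED_KEY = b"example-shared-key-do-not-reuse"

# Maximum age a signed response is accepted for, to limit replay of old bodies (assumed value).
MAX_SKEW_SECONDS = 300


def _signing_input(timestamp: int, body: bytes) -> bytes:
    # Bind the timestamp to the body so neither can be swapped independently,
    # and length-prefix the body so distinct (timestamp, body) pairs never collide.
    return str(timestamp).encode() + b"\n" + str(len(body)).encode() + b"\n" + body


def sign_response(key: bytes, body: bytes, timestamp: int) -> str:
    """Server side: returns the value the server would put in a signature header."""
    tag = hmac.new(key, _signing_input(timestamp, body), hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={tag}"


def verify_response(key: bytes, body: bytes, header: str, now: int) -> bool:
    """Client side: True only if the tag matches this exact body and is fresh."""
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        timestamp = int(fields["t"])
        received = fields["v1"]
    except (ValueError, KeyError):
        return False  # malformed header: treat as unsigned
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # too old (or too far in the future): possible replay
    expected = hmac.new(key, _signing_input(timestamp, body), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    now = int(time.time())
    body = b'{"tweets":[{"id":1,"text":"hello"}]}'  # constructed sample body
    header = sign_response(SHARED_KEY, body, now)
    print(verify_response(SHARED_KEY, body, header, now))          # True
    print(verify_response(SHARED_KEY, body + b" ", header, now))   # False: tampered body
    print(verify_response(SHARED_KEY, body, header, now + 3600))   # False: stale signature
```

Note that this only proves the response came from someone holding the shared key; it does not replace TLS server authentication, which additionally protects the key exchange and the request.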


2 answers


This is what the "trust" part of SSL does.




I note that this has been put on hold, but it is important that other readers understand this was because of personal disagreement, not incorrectness.

+3




In the .NET world, we use WCF, which has many different security models, including signing (and optionally encrypting) every message / response. This adds a nontrivial amount of overhead, but can give you more "confidence" in the security model. You can switch to binary serialized data to reduce bloat and message size if you like.



I'm not sure what other web service APIs offer in this area, although I'm sure someone else can add more data as needed.

+1

