http://oauth.net/core/1.0a#signing_process
In fact, if you (meaning everyone) have never read the whole spec, you need to.
-Chad
--
Bojan Rajkovic <boj...@brandeis.edu>
Biochemistry '10, Brandeis University
PGP Signature Key ID: 0x8783D016
PGP Encryption Key ID: 0x2497B8B2
My point about announcing changes and making what's changed more
explicit still remains though.
That's a risk you run when using code you didn't write.
I'm not saying that this situation doesn't suck for those affected.
I'm sure that it does. But, for a technology so new as OAuth, the
libraries may not be mature yet.
Officially, Twitter OAuth is still in Public Beta and has never been
officially recommended to integrate into production code. That being
said, there could still be a problem on Twitter's end with their
signature verification mechanism and the libraries could all be valid.
I don't have a way of knowing.
I do agree that at least a note that "a security change was pushed
today" would be nice, though.
-Chad
I think these are excellent ideas.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- In memory of Werner Klemperer ----------------------------------------------
* We should have, it goes without saying, had more extensive test coverage of our implementation ensuring that we were fully implementing the spec so that the whole situation would have been avoided in the first place.
* We should have had an email prepared to send out immediately following the deploy explaining the vulnerability and the change that was deployed, encouraging developers to double check that their signatures were in fact being generated correctly.
We're going to do a post-mortem on our side to identify all the things we should have done better. We've read all of your feedback about how this could have been done better. To everyone who has chimed into this thread offering details and help, we extend our thanks.
If you are using a client library, please specify the library and version. There is a chance that you are all running into the same library-based incompatibility and could work together (or with the maintainer) to determine the fix.
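As an added worked example (not code from this thread, from Twitter, or from any of the client libraries people are using), here is the OAuth 1.0a HMAC-SHA1 signing process from the spec section linked at the top of the thread written out step by step in Python, so that you can print your library's signature base string next to this one and see exactly where they diverge. Every consumer key, secret, token, nonce, timestamp, URL and body value below is a constructed placeholder, not a real credential, and the API URL is made up.

```python
"""
Reference OAuth 1.0a signing (HMAC-SHA1) for checking a client library's output.
Added example; not from the thread or from Twitter. All credentials and
request values are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(value) -> str:
    """Spec 5.1: percent-encode with only the RFC 3986 unreserved set left bare
    (ALPHA / DIGIT / '-' / '.' / '_' / '~'), uppercase hex, space as %20 (never '+')."""
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    """Spec 9.1.2: lowercase scheme and host, drop default ports, strip query and fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"


def normalize_parameters(pairs) -> str:
    """Spec 9.1.1: encode every key and value, sort by key then value, join with '&'.
    oauth_signature is never part of its own input."""
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, oauth_params: dict, body_params=None) -> str:
    """Spec 9.1.3: METHOD & encode(base URI) & encode(normalized parameters), where the
    parameters are the URL query, the form body (if any) and the oauth_* parameters."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)  # decoded, re-encoded below
    pairs = list(query) + list(oauth_params.items()) + list((body_params or {}).items())
    return "&".join([method.upper(), oauth_encode(base_string_uri(url)),
                     oauth_encode(normalize_parameters(pairs))])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """Spec 9.2: encode(consumer secret) & encode(token secret). The '&' stays even
    when there is no token secret yet (request-token step)."""
    return f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}"


def hmac_sha1_signature(base_string: str, key: str) -> str:
    """Spec 9.2: base64 of HMAC-SHA1 over the base string; both inputs are ASCII by now."""
    digest = hmac.new(key.encode("ascii"), base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, url, consumer_key, consumer_secret, token=None, token_secret="",
                 body_params=None, nonce=None, timestamp=None) -> dict:
    """Client side: build the oauth_* parameter set including oauth_signature."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth_params["oauth_token"] = token
    base = signature_base_string(method, url, oauth_params, body_params)
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, signing_key(consumer_secret, token_secret))
    return oauth_params


def authorization_header(oauth_params: dict, realm=None) -> str:
    """Spec 5.4.1: Authorization: OAuth realm="...", key="percent-encoded value", ..."""
    items = [f'{oauth_encode(k)}="{oauth_encode(v)}"' for k, v in sorted(oauth_params.items())]
    if realm is not None:
        items.insert(0, f'realm="{realm}"')
    return "OAuth " + ", ".join(items)


def verify_signature(method, url, oauth_params: dict, consumer_secret, token_secret="",
                     body_params=None) -> bool:
    """Server side: recompute from the received parameters and compare in constant time."""
    base = signature_base_string(method, url, oauth_params, body_params)
    expected = hmac_sha1_signature(base, signing_key(consumer_secret, token_secret))
    received = oauth_params.get("oauth_signature", "")
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))


if __name__ == "__main__":
    # Constructed placeholder credentials and request; the URL is not a real endpoint.
    url = "https://api.example.com/1/statuses/update.json?include_entities=true"
    body = {"status": "Hello world! Signing with a & in the text"}
    params = sign_request("POST", url, "example-consumer-key", "example-consumer-secret",
                          token="example-token", token_secret="example-token-secret",
                          body_params=body, nonce="constructednonce", timestamp=1245000000)
    print("base string:", signature_base_string("POST", url, params, body))
    print(authorization_header(params))
    print("verifies:", verify_signature("POST", url, params, "example-consumer-secret",
                                        "example-token-secret", body))
```

When a library's signature is rejected, compare its base string against the one this prints for the same nonce and timestamp rather than comparing the final signatures: the base string is where the mismatch is visible. The usual culprits are a space encoded as "+" instead of "%20", reserved characters such as "!" or "*" left unencoded, a missing trailing "&" in the signing key when there is no token secret, query-string or form-body parameters left out of (or double-encoded in) the normalized parameter list, and parameters sorted before rather than after encoding.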