a suggestion
From: livibetter <livibet...@gmail.com>
Date: Wed, 20 Feb 2008 07:18:42 -0800 (PST)
Local: Wed, Feb 20 2008 10:18 am
Subject: a suggestion
Hi,

First, I am not an expert in security, but I am thinking about these:

About the authentication of the API, I think it's not secure enough.
Because HTTP 1.1 Basic Auth has no encryption, if it just sends md5(pass)
and the user uses a lazy password, or a short password, then the password
will be found soon.

I suggest it to be

http://user:md5(pass+email)@twitxr.com/api/rest/method?param1=value&p...

That will be longer, and prevent the lazy password problem.

The second thing is that the website doesn't support HTTP over SSL during
the login process. Although it uses an md5 hash before sending login
information, it's still not secure. The reason is the same as
mentioned above.


From: livibetter <livibet...@gmail.com>
Date: Wed, 20 Feb 2008 07:34:20 -0800 (PST)
Local: Wed, Feb 20 2008 10:34 am
Subject: Re: a suggestion
I think I made a big mistake.

If someone can intercept what is being sent to Twitxr:
http://user:md5(pass+email)@twitxr.com/api/rest/method?param1=value&p...

This won't help. Someone can use http://user:md5(pass+email)@twitxr.com/
with their own method and parameters.

It should be something like

http://user:md5(pass+email+/api/rest/method?param1=value&p...)@twitxr.com/api/rest/method?param1=value&p...

However, this is still not safe; they can keep sending that. Digest
authentication may help.

On Feb 20, 11:18 pm, livibetter <livibet...@gmail.com> wrote:


From: "Albert (twitxr.com founder)" <albert.mar...@gmail.com>
Date: Fri, 22 Feb 2008 01:14:06 -0800 (PST)
Local: Fri, Feb 22 2008 4:14 am
Subject: Re: a suggestion
We see your point and agree that our current API auth scheme is quite
weak; several webapps are using something similar.

We are studying the possibility of switching to an 'auth tokens' based
scheme that wouldn't require anyone to send his password on any API
call (Flickr, Facebook among many others are using that).

Albert

On 20 Feb, 16:34, livibetter <livibet...@gmail.com> wrote:


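As an added illustration (not code from this thread or from Twitxr) of where the two suggestions above lead, here is a token-based scheme in the spirit of Albert's reply: the client holds a server-issued token secret instead of sending its password, and each call carries a signature over the method path and parameters (livibetter's second point) plus a nonce and timestamp (as Digest authentication does), so an intercepted signature can neither be moved to another call nor replayed. It uses HMAC-SHA256 rather than the thread's md5; the token id, secret, paths and parameter values are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed sample credentials: the server hands the client a token once (after a
# login over HTTPS); the password itself never appears in API calls.
TOKEN_ID = "tok_demo_1234"
TOKEN_SECRET = b"constructed-secret-for-demo"

def canonical_request(method_path, params, nonce, ts):
    """Exactly what the signature covers: API method path, sorted query
    parameters, a one-time nonce and a timestamp."""
    query = urlencode(sorted(params.items()))
    return f"{method_path}?{query}|{nonce}|{ts}".encode()

def sign_request(secret, method_path, params, nonce, ts):
    """Client side: HMAC-SHA256 of the canonical request under the token secret."""
    msg = canonical_request(method_path, params, nonce, ts)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

class Verifier:
    """Server side: recompute the signature over the request as actually received,
    and reject stale timestamps and reused nonces (the 'keep sending that' problem)."""
    def __init__(self, secrets_by_id, window=300):
        self.secrets_by_id = secrets_by_id
        self.window = window        # seconds of clock skew tolerated
        self.seen_nonces = set()    # in production: a shared store with expiry

    def verify(self, token_id, method_path, params, nonce, ts, sig, now):
        secret = self.secrets_by_id.get(token_id)
        if secret is None or abs(now - ts) > self.window or nonce in self.seen_nonces:
            return False
        expected = sign_request(secret, method_path, params, nonce, ts)
        if not hmac.compare_digest(expected, sig):
            return False
        self.seen_nonces.add(nonce)   # only after a valid signature, so attackers cannot burn nonces
        return True

def demo(now=1203500000):
    """Returns (fresh call accepted, replay rejected, signature moved to another call rejected)."""
    v = Verifier({TOKEN_ID: TOKEN_SECRET})
    params, nonce = {"status": "hello"}, secrets.token_hex(8)
    sig = sign_request(TOKEN_SECRET, "/api/rest/update", params, nonce, now)
    fresh = v.verify(TOKEN_ID, "/api/rest/update", params, nonce, now, sig, now)
    replay = v.verify(TOKEN_ID, "/api/rest/update", params, nonce, now, sig, now)
    moved = v.verify(TOKEN_ID, "/api/rest/delete", {"id": "1"}, secrets.token_hex(8), now, sig, now)
    return fresh, replay, moved
```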