#594 closed enhancement (wontfix)
SSL support for Twitter
| Reported by: | | Owned by: | geert |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | | Version: | 1.2.6 |
| Keywords: | | Cc: | |
| IRC client+version: | Client-independent | Operating System: | Public server |
| OS version/distro: | | | |
Description
Twitter support should have a variable $ssl to use SSL for HTTP-Requests. In my view, this should also default to "on", since Twitter wants HTTP Authentication for pretty much every GET request.
Change History (12)
comment:1 Changed at 2010-05-23T14:02:30Z by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:2 Changed at 2010-05-24T10:33:36Z by
Ah, with "oauth off", it works. But not with OAuth :(
PS: My previous comment was eaten by Akismet because of "too many links" again.
comment:3 Changed at 2010-05-24T10:39:59Z by
This was your comment:
Hm, this doesn't work for me. Neither with base_url https://twitter.com/ nor http://twitter.com/. I always get an Authentication failure:
<@ilf> account add twitter ilf oauth
<@root> Account successfully added
<@ilf> account set 4/mode chat
<@root> mode = `chat'
<@ilf> account on 4
-!- twitter_ilf [twitter_ilf@twitter] has joined &bitlbee
-!- ServerMode/&bitlbee [+v twitter_ilf] by localhost
<@root> twitter(ilf) - Logging in: Requesting OAuth request token
<@root> twitter(ilf) - Logging in: Connecting to Twitter
<@root> twitter(ilf) - Logging in: Logged in
<@ilf> account off 4
<@root> twitter(ilf) - Signing off..
-!- twitter_ilf [twitter_ilf@twitter] has quit [Leaving...]
<@ilf> account set 4/base_url https://twitter.com/
<@root> base_url = `https://twitter.com/'
<@ilf> account on 4
-!- twitter_ilf [twitter_ilf@twitter] has joined &bitlbee
-!- ServerMode/&bitlbee [+v twitter_ilf] by localhost
<@root> twitter(ilf) - Logging in: Connecting to Twitter
<@root> twitter(ilf) - Couldn't log in: Authentication failure
<@root> twitter(ilf) - Logging in: Signing off..
-!- twitter_ilf [twitter_ilf@twitter] has quit [Leaving...]
<@ilf> account set 4/base_url http://twitter.com/
<@root> base_url = `http://twitter.com/'
<@ilf> account on 4
-!- twitter_ilf [twitter_ilf@twitter] has joined &bitlbee
-!- ServerMode/&bitlbee [+v twitter_ilf] by localhost
<@root> twitter(ilf) - Logging in: Connecting to Twitter
<@root> twitter(ilf) - Couldn't log in: Authentication failure
<@root> twitter(ilf) - Logging in: Signing off..
-!- twitter_ilf [twitter_ilf@twitter] has quit [Leaving...]
comment:4 Changed at 2010-05-24T10:41:59Z by
So I can probably relax that restriction a little bit since spam has gone down here since I enabled full Akismet checking.
Hm. Tricky. The problem here seems to be the trailing / . Can you remove it and try again?
comment:6 Changed at 2010-11-17T10:35:08Z by
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
Re-opening this case because I wanted to add a comment that I think "secure" should be the default state. Then allow people to move to insecure if they feel they need the extra performance of non-ssl. I guarantee 99.9% of people won't notice the "degradation" in performance by having SSL on by default... I certainly didn't notice the difference...
comment:7 Changed at 2010-11-17T18:44:01Z by
I like and second this. Then we only need to fix #369 :)
comment:8 Changed at 2010-11-21T19:40:00Z by
| Resolution: | → wontfix |
|---|---|
| Status: | reopened → closed |
If the user really wants SSL, s/he can easily enable this by hand. I don't see the added value of security here since Twitter is a public medium, not any IM protocol (except often XMPP) has their IMs on SSL, and even if your Tweets are marked private, the Twitter web service is still non-SSL by default.
If you really do feel strongly about this, open a new bug with more convincing arguments. >-)
comment:9 follow-up: 10 Changed at 2010-11-22T10:56:37Z by
I guess our different views on this are rooted in different attitudes towards encryption in the first place.
In my view, everything should be encrypted by default, unless there are valid reasons against it. This is not yet a mainstream view, especially since the internet started out unencrypted due to limited resources. But we are seeing increasing activity towards encryption as default, see https://www.eff.org/https-everywhere and https://www.accessnow.org/page/s/protectourprivacy
With that, the Twitter Web-Service is SSL only. And that's the way I use it. Also my Twitter profile is marked private, you can only follow and read my Tweets if I whitelist your account. That should counter your other arguments.
But really the difference is in the basic attitude towards encryption as default or nice option. I prefer default.
comment:10 Changed at 2010-11-22T19:47:49Z by
The comment above by "ilf" exactly matches my own opinions on the matter.
comment:12 Changed at 2013-10-02T20:41:52Z by
You might have noticed already that changeset:devel,985 did something in your favour..
With OAuth this is a bit less of an issue IMHO, since OAuth headers can't be reused/replayed or whatever.
Still, https can be used now by setting the base_url to https://twitter.com/
Not sure if I'll do this by default since using HTTPS for every request *is* more expensive, especially since BitlBee can't do HTTPS resumes (I don't think GnuTLS does this transparently, at least?).
changeset:devel,587.