Is oauth (for twitter/or in general) safe over http
I'm thinking of implementing twitter login into my website. I'm using a library which takes care of everything. However on the fi开发者_开发问答rst step: retrieving a request token, twitter strongly recommends that you use HTTPS for all OAuth authorization steps
.
One more question, does the oauth_token that twitter send back to you change on every request? And when twitter sends you an access token array, will its values change the next time a user logs in-- I ask this because I want to save them in a database.
I see a lot of websites not using HTTPS. So back to my question, is it safe to use oauth without https?
I'd say no, it's not secure to use regular http for OAuth. It is relatively simple to do a man in the middle attack on logins that don't use https. Many people have recently complained of having their twitter and facebook accounts hacked by this method. Many people, such as myself, now use browser plugins to force sites twitter and facebook automatically onto https when available. The attack is particularly prevalent for people you use wireless internet. Especially shared wireless such as in a cafe, hotel or airport.
精彩评论