Re: Impossible to Maintain Secure Session With Twitter.com Web Interface
From: Sam Quigley <quigley () emerose com>
Date: Sat, 1 May 2010 13:47:22 -0700
iSEC Partners Security Advisory - 2010-001-twitter https://www.isecpartners.com
2010-04-26: Twitter asserts that it is now possible to maintain an HTTPS
session if the session begins with HTTPS; i.e. users can
navigate to https://twitter.com to start an HTTPS session.
However, https://twitter.com/ contains HTTP resources, including
a JSON response from http://twitter.com. An active network
attacker could potentially use this weakness to insert their
own code into the page and maintain control over the user's
Also worth noting that, until yesterday, all SSL pages (including sensitive ones like /oauth/authorize) loaded
Also yesterday, they (finally) disabled unsafe SSL renegotiation, thus blocking the credential-stealing attack
identified by Anil Kurmus last November.
So: progress. Unfortunately, they still support SSLv2 and a variety of weak ciphers — so there's still room for
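The weakness the quoted advisory describes is mixed content: an HTTPS page that pulls subresources over plain HTTP. As an added example (not part of Sam's message or the iSEC advisory), here is a small Python scanner that walks a page's HTML and reports every HTTP-scheme reference, separating "active" content (scripts, stylesheets, frames, and URLs fetched from inline script, any of which lets an on-path attacker alter the page) from "passive" content (images and media). The page URL, hostnames and paths in the sample are constructed placeholders, not values taken from Twitter.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose HTTP-scheme references let an attacker run code or restyle the
# page ("active" mixed content). Values are the attributes that carry the URL.
ACTIVE = {"script": ("src",), "link": ("href",), "iframe": ("src",),
          "object": ("data",), "embed": ("src",)}
# Tags whose HTTP-scheme references can only swap or leak media ("passive").
PASSIVE = {"img": ("src",), "audio": ("src",), "video": ("src",), "source": ("src",)}

# Absolute http:// URL literals inside inline script (XHR / fetch targets).
INLINE_URL = re.compile(r"""["'](http://[^"'\s]+)["']""")


class MixedContentScanner(HTMLParser):
    """Collects (kind, where, absolute_url) for every plain-HTTP reference."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        # Only <link rel="stylesheet"> is active content; ignore icons, preloads, etc.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for table, kind in ((ACTIVE, "active"), (PASSIVE, "passive")):
            for attr in table.get(tag, ()):
                if attrs.get(attr):
                    self._check(attrs[attr], kind, f"<{tag} {attr}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script:
            for url in INLINE_URL.findall(data):
                self._check(url, "active", "inline script URL")

    def _check(self, ref, kind, where):
        # Resolve relative and protocol-relative references against the page
        # URL so that "/a.js" and "//cdn/x.js" correctly inherit https.
        url = urljoin(self.page_url, ref)
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, where, url))


def scan(page_url, html):
    """Return all plain-HTTP references found in `html` served from `page_url`."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def is_secure_page(page_url, html):
    """True when no active mixed content is present (passive findings are warnings only)."""
    return not any(kind == "active" for kind, _, _ in scan(page_url, html))


# Constructed sample: an HTTPS page with one http:// script, an http:// JSON
# feed fetched from inline script, and one http:// image. The hostnames and
# paths are placeholders, not real site content.
PAGE_URL = "https://example.com/"
SAMPLE = """<html><head>
<script src="https://example.com/app.js"></script>
<script src="http://example.com/legacy.js"></script>
<link rel="stylesheet" href="/style.css">
<script>var feed = "http://example.com/feed.json"; fetch(feed);</script>
</head><body>
<img src="http://static.example/avatar.png">
<script src="//cdn.example/lib.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, where, url in scan(PAGE_URL, SAMPLE):
        print(f"{kind:7} {where:20} {url}")
    print("secure:", is_secure_page(PAGE_URL, SAMPLE))
```

Run against a saved copy of any HTTPS page to get the list of references a browser would fetch in the clear; the active ones are the ones that matter for the injection scenario in the advisory, and a `Content-Security-Policy` of `upgrade-insecure-requests` or `block-all-mixed-content` on the server side is the usual fix once the list is known.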
Full-Disclosure - We believe in it.