hey @twittersecurity – just reviewing https://dev.twitter.com/webhooks/securing … – shouldn’t the HMAC’ed message include the requested URL to prevent MITM?
Replying to @benadida @twittersecurity
More generally, every custom HTTP request/response auth. spec should explain why the signature doesn't cover the request line & all headers.
Replying to @BRIAN_____ @twittersecurity
yeah, that’s good hygiene. In this case since it’s really just endpoint verification, I think URL is enough?
Replying to @benadida @twittersecurity
It's hard to say. I think they are just trying to prove proof of possession of the HMAC key by the other end. If you can respond at $url and you don't have the HMAC key, you're not the authorized app, otherwise you are. Allows different apps to share an origin, I guess.
4:23 PM - 20 Sep 2017
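The property the thread is arguing about, as an added example that is not part of the tweets or of Twitter's own code. Twitter's CRC challenge, as I recall the docs describing it, has the app answer with `sha256=` + base64(HMAC-SHA256(consumer_secret, crc_token)); treat that exact framing as an assumption. The plain answer depends only on the token, so an answer obtained by relaying the challenge to the real app is valid for whatever URL the challenge was actually sent to. The URL-bound variant is the hypothetical change proposed in the first tweet, not anything Twitter ships. The secret, token and URLs are constructed values, and the scenario assumes an attacker can get Twitter to challenge a URL they control, which the thread raises but does not establish.

```python
import base64
import hashlib
import hmac

# Constructed sample values: a real deployment uses the app's consumer secret
# and the crc_token that Twitter puts in the challenge request.
CONSUMER_SECRET = b"constructed-consumer-secret-not-a-real-key"
CRC_TOKEN = "constructed_crc_token_0123456789"
APP_URL = "https://app.example/webhooks/twitter"      # where the legitimate app listens
RELAY_URL = "https://relay.example/webhooks/twitter"  # a URL an attacker controls


def crc_response(secret: bytes, crc_token: str) -> str:
    """Plain CRC answer as the Twitter docs describe it (from memory, so the exact
    framing is an assumption): 'sha256=' + base64(HMAC-SHA256(secret, crc_token))."""
    mac = hmac.new(secret, crc_token.encode("utf-8"), hashlib.sha256).digest()
    return "sha256=" + base64.b64encode(mac).decode("ascii")


def crc_response_bound(secret: bytes, crc_token: str, requested_url: str) -> str:
    """Hypothetical variant from the thread: the MAC also covers the URL the
    challenge was delivered to. Each field is length-prefixed so that different
    (url, token) pairs cannot produce the same MAC input by shifting bytes."""
    msg = b""
    for field in (requested_url, crc_token):
        data = field.encode("utf-8")
        msg += len(data).to_bytes(4, "big") + data
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return "sha256=" + base64.b64encode(mac).decode("ascii")


def verify(expected: str, presented: str) -> bool:
    """Constant-time comparison; never compare MACs with '=='."""
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("ascii"))


def relay_accepted(bind_url: bool) -> bool:
    """Simulate the relay the thread worries about.

    1. Twitter challenges RELAY_URL with CRC_TOKEN.
    2. The relay forwards the token to the real app, which answers for APP_URL
       (the only URL it knows about) using the real consumer secret.
    3. Twitter checks the answer against the URL it actually challenged.
    """
    if bind_url:
        app_answer = crc_response_bound(CONSUMER_SECRET, CRC_TOKEN, APP_URL)
        expected = crc_response_bound(CONSUMER_SECRET, CRC_TOKEN, RELAY_URL)
    else:
        app_answer = crc_response(CONSUMER_SECRET, CRC_TOKEN)
        expected = crc_response(CONSUMER_SECRET, CRC_TOKEN)
    return verify(expected, app_answer)


if __name__ == "__main__":
    print("plain CRC: relayed answer accepted?", relay_accepted(bind_url=False))    # True
    print("URL-bound CRC: relayed answer accepted?", relay_accepted(bind_url=True))  # False
```

The binding only helps if the verifier uses the URL it actually sent the challenge to, not a URL echoed back by the responder; and, as the second tweet notes, the same question applies to the rest of the request (method, path, headers), which this example leaves uncovered.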