Class, this is the HTTP GET request you send to Twitter when you want to verify someone's credentials. It's obviously been altered to protect the party at hand, but it's detailed enough to give context.
Let's take a closer look at the bolded part: the Authorization header at the bottom of the request.
http://twitter.com/account/verify_crede
Host: twitter.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.7) Gecko/2009030422 Ubuntu/8.10 (intrepid) Firefox/3.0.7
Accept: text/html,application/xhtml+xml,applicat
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic b2hmdWNrOmFyZXlvdWtpZGRpbmdtZT8hPw==
Does this look familiar to anyone? Do you see the familiar character set, and the padding at the end?
Let's run this through base64_decode()...
Authorization: Basic ohfuck:areyoukiddingme?!?
That's right. Your login:password. In PLAIN FUCKING TEXT.
This is why HTTP BASIC IS A BAD BAD BAD BAD IDEA.
This is thanks to the Twitter API. Notice the sentence in its documentation: "For the time being, HTTP Basic Authentication is the only supported authentication scheme."
This is the authentication method used by all major Twitter apps. That's right, any plugin that is constantly sending updates through Firefox, or whatever desktop apps there might be. One of the reasons I've been working so hard on this web app (which is almost done, btw) is to prevent your credentials from being promiscuously tossed around your local network. It's not perfect (anyone sniffing between my Amazon EC2 instance and Twitter can grab it), but it's better than having a random Wireshark hipster sniffing it up at Starbucks.
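To make the point above concrete from the defender's side, here is an added example (not part of the original post) that audits a captured HTTP request: it pulls the Authorization header, reverses the Basic encoding exactly as shown above, and flags the request as exposing credentials when it was not sent over TLS. The request text, path and credentials are constructed for this example and are not Twitter's.

```python
import base64
import binascii
from typing import Dict, Optional, Tuple

# Constructed sample request: plain HTTP, Basic credentials "bob:hunter2" (made up).
SAMPLE_REQUEST = (
    "GET /example/resource HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Authorization: Basic Ym9iOmh1bnRlcjI=\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (request line, header map with lowercased names)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def decode_basic(value: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a 'Basic <base64>' value; None if not Basic or malformed.

    Basic auth is only base64 of 'user:password', so the decode is the whole 'attack'.
    The user-id cannot contain ':' (RFC 7617), so split on the first colon only.
    """
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # not valid base64: corrupt capture or a different scheme
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")
    user, sep, password = text.partition(":")
    return (user, password) if sep else None


def audit_request(raw: str, over_tls: bool) -> Dict[str, object]:
    """Report Basic credentials sent without TLS; the username is kept, the password is not."""
    request_line, headers = parse_headers(raw)
    creds = decode_basic(headers.get("authorization", ""))
    exposed = creds is not None and not over_tls
    return {"request": request_line, "basic_auth": creds is not None,
            "exposed": exposed, "user": creds[0] if exposed else None}
```

Running `audit_request(SAMPLE_REQUEST, over_tls=False)` reports the request as exposed with user `bob`; the same request over TLS is not flagged, which is the whole argument for SSL in the thread below.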
March 24 2009, 16:12:16 UTC
even http digest authentication is pretty lame.
dunno why twitter doesn't use ssl though.
March 24 2009, 16:21:10 UTC
This is just further proof that twitter is a piece of shit.
March 24 2009, 17:56:19 UTC
Twitter is still a piece of shit.
March 25 2009, 06:48:25 UTC