Understanding the Importance of Security

An important part of writing applications for the Twitter platform is security. In this section, we'll look at some of the potential problems you might encounter and discuss proper approaches to solving those problems. The discussion is positive and proactive, hoping that you'll secure your applications properly before you encounter any of the problems discussed here. The following paragraphs will discuss communications encryption, credential managment, and OAuth, with a focus on why these security subjects are important. Let's discuss a few problems first.

It's obvious that Twitter runs on the Web, but this very fact highlights vulnerabilities that a typical desktop application wouldn't encounter. Every query you execute, via LINQ to Twitter, sends an HTTP request accross the Internet, which streams data back to your application. Unprotected, this data is free for anyone to access. In most cases, the act of reading a tweet is not a problem because all the information will be public anyway. However, what about the information that you share via direct message with someone where your intention is for noone but you and the recipient to see? Even if you don't care if someone sees the contents of a tweet, you should care a lot about anyone reading credentials or security tokens being passed to Twitter. These are the secrets of you and the people who use your software and you don't want anyone to see this information. A hacker could use those secrets to log into your Twitter account, acting as you. What could be even worse is if many people used your application and hackers stole their secrets too. Consider how many people use the exact same password everywhere: Twitter, other social networking sites, at work, and on-line banking. An insecure application leaves all of these people vulnerable.

One way to protect tweets is via Secure Sockets Layer (SSL), a protocol for encrypting HTTP traffic. SSL is a standard transport protocol that is used throughout the world for e-commerce and is very reliable. Encryption protects the data, including your secrets, to prevent anyone from being able to read communications to and from Twitter. Since LINQ to Twitter uses standard .NET Framework class libraries for Web communication, it's easy to use SSL. All you have to do is change the prefix of your Web addresses from http to https. While LINQ to Twitter defaults to secure URL's, it's possible to specify a custom BaseUrl or SearchUrl via TwitterContext properties. This opportunity might come up if you wanted to specify a version of the Twitter API to use or wanted to point LINQ to Twitter at another on-line service that offers a Twitter-compatible API, such as WordPress or Tumblr. Remember to encrypt your requests with SSL via https URL prefixes to prevent people from stealing your secrets.

As of this writing, Twitter offers a basic authentication (username/password) capability. However, this method of logging into Twitter is being deprecated and you can expect it to expire completely after June 2010. In place of basic authentication is OAuth: a way to give applications access to Twitter on your behalf without sharing your Twitter password. You'll still have Twitter passwords, but won't be able to use them with the Twitter API. With OAuth, you can visit another site that provides services (i.e. games, photo sharing, and more) and allow that site to work with Twitter on your behalf without giving that site your Twitter credentials. Your credentials are the secret that you don't want to protect and OAuth allows you to do this. You'll learn more about OAuth and how LINQ to Twitter provides built-in OAuth support in subsequent sections of this documentation. OAuth is the way forward for authentication with the Twitter API.

Now you know some of the dangers of unprotected social networking. You've learned that you can use https URL prefixes to protect your tweets with SSL encryption. You'll also learned that basic authentication is being deprecated and replaced by OAuth. You can read more about how to use OAuth with LINQ to Twitter in subsequent sections of this documentation.

Last edited Apr 9, 2010 at 6:21 AM by JoeMayo, version 2