Re: [Full-disclosure] Impossible to Maintain Secure Session With Twitter.com Web Interface

[Sam Quigley <quigley@xxxxxxxxxxx>]

> iSEC Partners Security Advisory - 2010-001-twitter 
> https://www.isecpartners.com
> 
[…]
> 2010-04-26: Twitter asserts that it is now possible to maintain an HTTPS
>             session if the session begins with HTTPS; i.e. users can
>             navigate to https://twitter.com to start an HTTPS session.
>             However, https://twitter.com/ contains HTTP resources, including
>             a JSON response from http://twitter.com. An active network
>             attacker could potentially use this weakness to insert their
>             own code into the page and maintain control over the user's
>             session.
> 

Also worth noting that, until yesterday, all SSL pages (including sensitive 
ones like /oauth/authorize) loaded Javascript from maps.google.com without 
using SSL.  Like the issue iSEC identified above, this has now been fixed.

Also yesterday, they (finally) disabled unsafe SSL renegotiation, thus blocking 
the credential-stealing attack identified by Anil Kurmus last November.[1]

So: progress.  Unfortunately, they still support SSLv2 and a variety of weak 
ciphers[2] — so there's still room for improvement.

-sq


[1]: http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html
[2]: https://www.ssllabs.com/ssldb/analyze.html?d=twitter.com&s=168.143.162.36
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/