May 11, 2008
Hahlo security improving
Big props to Dean Johnson of Hahlo for improving the security of the tool. After some discussion, Hahlo no longer stores your Twitter authentication details in the clear in cookies. This is certainly an incremental improvement, but there are still problems.
The login page is still not SSL, so for the login request your credentials are still sent in cleartext for anyone nearby to snoop. Still, that is much better than the credentials being included with every request, as was the previous situation.
Now your credentials are stored unencrypted for the duration of your session (up to 7 days) on the Hahlo server. This is unfortunate, since it means anyone who gains access to the Hahlo server now knows your Twitter username and password. Since half the internet uses the same password for multiple accounts, this means that not only would all Hahlo users from the previous 7 days have their Twitter accounts open to being hijacked, so too would any other online services for which they used the same credentials.
So at the end of the day, here's my current advice. Hahlo is now probably the best choice, security-wise, of the iPhone web-based Twitter clients. BUT (and that's a big but), change your Twitter password if it's the same as one you use for another online account, and refrain from logging in to Hahlo at a tech conference, college campus, coffee shop, or anywhere else traffic is likely being snooped.
Hahlo could still completely solve the issue by moving to SSL for the login and storing only encrypted credentials in cookies, so the server never has to keep a plaintext copy between requests.
