All Twitter Apps Must Deploy SSL/TLS

Twitter has begun enforcing HTTPS connections between applications and its API.

UPDATE: As of yesterday, Twitter’s application programming interface (API) will only recognize traffic traveling via Transport Layer Security (TLS) or Secure Sockets Layer (SSL). Any applications connecting to the API in plaintext will no longer work.

There is a vast selection of third-party Twitter applications such as Hootsuite and Tweetdeck available to Twitter users, and these apps draw information from Twitter through the service’s API. From Jan. 14 onward, Twitter is forcing developers to connect to its API over an encrypted HTTPS connection.

Developers of existing apps that connect to the API over HTTP will need to change upgrade their apps to HTTPS or they will stop functioning.

The move will improve the security and privacy of Twitter users who opt to connect to the micro-blogging service through a third party application rather than Twitter’s official Web interface.

“Connecting to the API using the SSL protocol builds a safe communication channel between our servers and your application, meaning that no sensitive data can be accessed or tampered by unauthorized agents in the middle of this communication path,” the company wrote on a developers forum back in mid-December.

We reached out to the Electronic Frontier Foundation’s technology projects director, Peter Eckersley, who told Threatpost that this is exactly the right step for Twitter.

“We know that HTTP is completely, fundamentally, inconsolably insecure,” Eckersley said. “Any website that is using HTTP is leaving its users vulnerable to eavesdropping and account hijacking.  Any API that allows HTTP is a giant invitation for hackers and intelligence agencies to slurp up data,” Eckersley said.

Eckersley’s comment about national intelligence agencies is particularly resonant given the daily reminders from the New York Times, Guardian, Washington Post, and others that the National Security Agency is allegedly doing just that: slurping up any data they can get their hands on.

“There are some cognitive barriers for a lot of developers to deploying HTTPS because of the broken certificate authority bureaucracy.  But you can go and get a free certificate from StartCom, so there’s really no excuse for any user of the Twitter API not to be HTTPS,” he said. “And for larger sites that need to deploy HTTPS/SSL/TLS at very large scales, EFF is working to promote knowledge sharing amongst site operators (google for ‘crypto ops’) and to produce better documentation on where to start.”

This article was updated at 2 p.m. ET with comments from the EFF.

Suggested articles