Restricting api.twitter.com to SSL/TLS traffic


#1

This is an important notice for developers still using HTTP plaintext connections. On January 14th, 2014, connections to api.twitter.com will be restricted to TLS/SSL connections only. If your application still uses HTTP plaintext connections you will need to update it to use HTTPS connections, otherwise your app will stop functioning. You don't need to wait until the deadline to implement this change, given that api.twitter.com already supports the recommended environment.

This SSL requirement will be enforced on all api.twitter.com URLs, including all steps of OAuth and all REST API resources.

Connecting to the API using the SSL protocol builds a safe communication channel between our servers and your application, meaning that no sensitive data can be accessed or tampered with by unauthorized agents in the middle of this communication path.

Any well-established HTTP client library already supports the ability to connect to an SSL-enabled server and usually the required change is just a matter of updating a few lines of code or configuration files. For specific details about using SSL to connect to api.twitter.com, please review [node:4598].

A "blackout test" will be performed on Jan 7th, 2014, when HTTP plaintext connections will be unavailable for a time period to be defined and announced in this discussion page and via the @twitterapi account.

If you have any questions or concerns with securely connecting to api.twitter.com over SSL, please post them here.


#2

As I recognize the importance of secure connections, I know a number of embedded devices that will not be happy with the switch to SSL. Those devices are built around small microcontrollers with little resources like memory and processing power. Those devices are mostly used for sending tweets only.
Maybe it's possible to think about a simple non-SSL interface for the growing little IoT devices.


#3

The “blackout” test initiated Jan 7th, 19:12 UTC. I will let you know when it ended.


#4

It’s really weird: when I was tweeting, I logged out and used a Twitter client, and I got a message with code 403 that said version 1.1. I don’t understand. Does anybody know about this?


#5

Have you broken the rest of the twitter api with this test? My app uses the standard REST api to https://api.twitter.com/ and responses are returning 403 since around the time this blackout started.
The status link above shows problems.


#6

Yep I’m seeing 403s a lot for signing in at the moment, yes all over https!


#7

So it turns out the code was using http
Thanks for having the blackout during hours sensible for those in the UK.


#8

Dear Sirs of the Twitter social network,
I have always been very well received by you, so thank you very much.
There is a lot of talk about security and the ‘https’ protocol in my account section; that checkbox has disappeared and, therefore, I do not have the https protection checkbox.
I would be eternally grateful for your reply.


#9

Very sensible blackout time! Discovered this issue in my apps as well. I thought they were already using SSL! Turns out not completely.


#10

Same here, I thought they were all SSL but found my Twitter4J still had a non ssl oauth url in it


#11

The test finished Jan 7th, 21:08 UTC


#12

Please, it would be important to check whether any library you are using is still making HTTP plaintext connections. There were some cases like this for other users.
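
The check suggested above can be automated. The following is an added example, not part of the original thread or of any library mentioned in it: it scans source or configuration text for plain-HTTP URLs whose host is exactly api.twitter.com and rewrites them to HTTPS. The sample input and its key names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

API_HOST = "api.twitter.com"
# Candidate URLs; quotes, brackets and whitespace end the match.
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample; the key names are illustrative, not a real library's.
SAMPLE = """\
rest.base=https://api.twitter.com/1.1/
oauth.request_token=http://api.twitter.com/oauth/request_token
oauth.access_token=HTTP://API.TWITTER.COM:80/oauth/access_token
docs=http://api.twitter.com.example.net/help
"""


def find_plaintext_endpoints(text, host=API_HOST):
    """Return (line_number, url) for each plain-HTTP URL pointing at host."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group(0).rstrip(".,;")
            try:
                parts = urlsplit(url)
            except ValueError:
                continue  # malformed URL, nothing to report
            # Exact host comparison: lookalike hosts such as
            # api.twitter.com.example.net must not be reported.
            if parts.scheme == "http" and (parts.hostname or "").rstrip(".") == host:
                hits.append((lineno, url))
    return hits


def upgrade_url(url):
    """Rewrite a plain-HTTP URL to HTTPS, dropping an explicit port 80."""
    parts = urlsplit(url)
    netloc = parts.netloc
    if parts.port == 80:
        netloc = netloc.rsplit(":", 1)[0]  # :80 would be wrong for TLS
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for lineno, url in find_plaintext_endpoints(SAMPLE):
        print(f"line {lineno}: {url} -> {upgrade_url(url)}")
```

Run over the text of each configuration and source file, including those bundled with third-party libraries, it reports the line of every endpoint that would fail once plaintext access is switched off.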


#13

Hi folks,

Is it possible for you to post important notices like these to the blog?

We were a bit blindsided by this as we didn’t get any notification that it was going to occur. Previously all similar blackout tests have been posted to the announcements blog which sends us email notifications.

If not, is there some other place we can sign up for email notifications of these events? This post just looks like a user’s post in the API forum, so it’s not clear it’s an important announcement.

Thank you,
James


#14

I thought I was all SSL’d over until I found a single line in my twitter4j implementation that had an oauth call over plain HTTP. All fixed now 🙂


#15

@lfcipriani

Couple questions:

  1. Are any further blackouts planned?

  2. What time on Jan. 14th do you guys plan on flipping the switch? The idea being if we know approximately when this is to occur, we can be monitoring our logs to make sure everything continues working.

Thanks!!

PaulG

PS: Here it says this will occur Jan 14th, but in this @twitterapi post it says this will occur on Jan 13th:

Could you check that out for us?


#16

+1 for this one. We also found this news somewhat randomly so would be great to add such impacting news on the blog.
Thank you.


#17

Yes, we can publish this on the blog. Sorry that you missed this one because it was posted as a discussion topic.

We agree with your requests, there should be a guaranteed way of knowing these changes and we are working on that.

For now, the available ways are:


#18

  1. No, on January 14th the change will be completely done.
  2. I will have this info soon and will post an update here.

ps.: The tweet you mention is about another change that will happen at Streaming API and is related to HTTP 1.0 deactivation. The change announced in this post will be only in api.twitter.com and is related to SSL traffic restriction.


#19

Got it. Thanks Luis.

Appreciate it.

PaulG


#20

The deploy will start at 11am PST, Jan 14th