Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy & Compliance

Twitter Makes Apps Use Encryption to Connect to API

Earlier this week, Twitter announced that all third-party applications that make data requests to the micro-blogging service’s application interface (API) must use encryption.

Earlier this week, Twitter announced that all third-party applications that make data requests to the micro-blogging service’s application interface (API) must use encryption.

In a tweet, the company announced that of Jan. 14, all data requests sent to the Twitter API would have to be done using SSL or TLS. The announcement follows through on what the company said a few weeks ago.

“If your application still uses HTTP plaintext connections you will need to update it to use HTTPS connections, otherwise your app will stop functioning,” Luis Cipriani, partner engineer at Twitter, blogged in December. “You don’t need to wait until deadline to implement this change, given that api.twitter.com already supports the recommended environment. This SSL requirement will be enforced on all api.twitter.com URLs, including all steps of OAuth and all REST API resources.”

Reuven Harrison, CTO of Tufin Technologies, said apps that do not enforce SSL should not be used.

“Why? Because without SSL, your data and credentials are in the clear and it’s very easy for hackers to see them,” he said. “For example, it is a very common hacker exploit to taking advantage of user logins to non-SSL apps in unsecure WiFi networks in a café or restaurant to steal the user’s log-in information for mischievous purposes. Once these credentials are collected, hackers can use this data to get access to sensitive information, steal identities and log into other user accounts such as your bank account, especially when passwords are shared.”

With the move, Twitter is following the footsteps of Facebook and Google, which started requiring SSL for applications back in 2011.

Dan Cornell, CTO of Denim Group, called the move part of a positive larger trend of major sites using HTTPS and SSL by default, noting that Yahoo also made the switch.

“This doesn’t solve every security problem – it actually only addresses a very narrow set of them – but it represents a movement in a good direction,” he said.

Written By

Click to comment

Expert Insights

Related Content

Privacy

The EU's digital policy chief warned TikTok’s boss that the social media app must fall in line with tough new rules for online platforms...

Privacy

Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Application Security

Microsoft’s security patching machine hummed into overdrive Tuesday with the release of fixes for at least 97 documented software vulnerabilities, including a zero-day that’s...

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.

Compliance

The Federal Communications Commission (FCC) is proposing tighter rules on the reporting of data breaches by wireless carriers.The updated rules, the FCC says, will...