Earlier this week, Twitter announced that all third-party applications that make data requests to the micro-blogging service’s application interface (API) must use encryption.
In a tweet, the company announced that of Jan. 14, all data requests sent to the Twitter API would have to be done using SSL or TLS. The announcement follows through on what the company said a few weeks ago.
“If your application still uses HTTP plaintext connections you will need to update it to use HTTPS connections, otherwise your app will stop functioning,” Luis Cipriani, partner engineer at Twitter, blogged in December. “You don’t need to wait until deadline to implement this change, given that api.twitter.com already supports the recommended environment. This SSL requirement will be enforced on all api.twitter.com URLs, including all steps of OAuth and all REST API resources.”
Reuven Harrison, CTO of Tufin Technologies, said apps that do not enforce SSL should not be used.
“Why? Because without SSL, your data and credentials are in the clear and it’s very easy for hackers to see them,” he said. “For example, it is a very common hacker exploit to taking advantage of user logins to non-SSL apps in unsecure WiFi networks in a café or restaurant to steal the user’s log-in information for mischievous purposes. Once these credentials are collected, hackers can use this data to get access to sensitive information, steal identities and log into other user accounts such as your bank account, especially when passwords are shared.”
With the move, Twitter is following the footsteps of Facebook and Google, which started requiring SSL for applications back in 2011.
Dan Cornell, CTO of Denim Group, called the move part of a positive larger trend of major sites using HTTPS and SSL by default, noting that Yahoo also made the switch.
“This doesn’t solve every security problem – it actually only addresses a very narrow set of them – but it represents a movement in a good direction,” he said.