Twitter enforces SSL encryption for apps connecting to its API
Developers whose apps are still using HTTP plaintext connections to connect to Twitter's API feeds may find their applications broken from today.
Twitter has enforced new rules for developers to enhance privacy for end users, which from 14 January will see it block connections to all its API URLs for apps that have not enabled TLS (Transport Layer Security)/ SSL (Secure Sockets Layer) encryption.
Twitter alerted developers about a month ago to the new requirements, including a 'black out' test run last week, which temporarily broke such HTTP-only apps and should have alerted most developers of the changes in store. The company issued another reminder yesterday.
"Connecting to the API using the SSL protocol builds a safe communication channel between our servers and your application, meaning that no sensitive data can be accessed or tampered by unauthorized agents in the middle of this communication path," Twitter wrote on its developer blog in December.
The change has been enforced for all Twitter API URLs, including all steps of OAuth — which prevents user passwords from being captured in transit — and its various REST API resources.
The new rules for developers follow Twitter's efforts to bolster privacy for end-users, late last year enabling "perfect forward secrecy" for traffic on its main website, mobile website and API lists.
Following Google and Facebook, Twitter enabled SSL protected sessions in 2011, while the addition of perfect forward secrecy to its SSL implementation would thwart attempts at "retrospective decryption".