Restricting api.twitter.com to SSL/TLS traffic

lfcipriani
@lfcipriani Luis Cipriani

This is an important notice for developers still using HTTP plaintext connections. On January 14th, 2014, connections to api.twitter.com will be restricted to TLS/SSL connections only. If your application still uses HTTP plaintext connections you will need to update it to use HTTPS connections, otherwise your app will stop functioning. You don't need to wait until deadline to implement this change, given that api.twitter.com already supports the recommended environment.

This SSL requirement will be enforced on all api.twitter.com URLs, including all steps of OAuth and all REST API resources.

Connecting to the API using the SSL protocol builds a safe communication channel between our servers and your application, meaning that no sensitive data can be accessed or tampered by unauthorized agents in the middle of this communication path.

Any well-established HTTP client library already supports the ability to connect to a SSL-enabled server and usually the required change is just a matter of updating a few lines of code or configuration files. For specific details about using SSL to connect at api.twitter.com, please review Connecting to Twitter API using SSL.

A "blackout test" will be performed on Jan 7th, 2014, when HTTP plaintext connections will be unavailable for a time period to be defined and announced in this discussion page and via the @twitterapi account.

If you have any questions or concerns with securely connecting to api.twitter.com over SSL, please post them here.

17 weeks 5 days ago

Replies

tweetAmattress
@tweetAmattress tweetAmattress

As i recognize the importance of secure connections I know a number of embedded devices that will not be happy with the switch to SSL those devices are build around small micro controllers with little resources like memory and processing power. Those devices are mostly used for sending tweets only.
Maybe its possible to think about a simple non SSL interface for the growing little IoT devices

14 weeks 5 days ago
lfcipriani
@lfcipriani Luis Cipriani

The "blackout" test initiated Jan 7th, 19:12 UTC. I will let you know when it ended.

14 weeks 4 days ago
lfcipriani
@lfcipriani Luis Cipriani

The test finished Jan 7th, 21:08 UTC

14 weeks 4 days ago
Rovskiii
@Rovskiii Rizky Arya

it's really weird,when i was
tweet i logout and i use
twitter client i got message
code 403 and said version 1.1 i
don't understand. Anybody
know this?

14 weeks 4 days ago
artesea
@artesea Ryan Cullen

Have you broken the rest of the twitter api with this test? My app uses the standard REST api to https://api.twitter.com/ and responses are returning 403 since around the time this blackout started.
The status link above shows problems.

14 weeks 4 days ago
artesea
@artesea Ryan Cullen

So it turns out the code was using http
Thanks for having the blackout during hours sensible for those in the UK.

14 weeks 4 days ago
richardhyland
@richardhyland Richard Hyland

Yep I'm seeing 403s a lot for signing in at the moment, yes all over https!

14 weeks 4 days ago
lfcipriani
@lfcipriani Luis Cipriani

Please, would be important to check if any library you are using is still doing HTTP plaintext connections. There was some cases like this for other users.

14 weeks 4 days ago
richardhyland
@richardhyland Richard Hyland

I thought I was all SSL'd over until I found a single line in my twitter4j implementation that had an oauth call over plain HTTP. All fixed now :)

14 weeks 3 days ago
PointBurst1
@PointBurst1 Point Burst

Could you please specify if it is enough to upgrade the twitter4j library or you just fixed your local version? Thanks in advance

13 weeks 4 days ago
ygary
@ygary Gary Yang

two ways: upgrade to twitter4j 3.0.5, or, add following line to your twitter4j.properties:
http.useSSL=true

13 weeks 2 days ago
corrego
@corrego Carlos Orrego

how did your fix it?

i am trying to use configuration builder but it is not working

13 weeks 3 days ago
Bladeblaster39
@Bladeblaster39 jonathan a. parker

oh

13 weeks 3 days ago
sidhartha11
@sidhartha11 sidhartha11

In Eclispe, just ste the following VM argument:
-Dtwitter4j.http.useSSL=true

strange that twitter4j team didnt just tell people this instead of making people did thru the code to figure it out. Kindof silly

13 weeks 2 hours ago
AmitNain89
@AmitNain89 Amit Nain

It will work after setting useSSL true.

ConfigurationBuilder cb = new ConfigurationBuilder();
cb.setUseSSL(true);

Then call the twitter api with https request not http.

Tested on 19 Feb 2014

8 weeks 3 days ago
priy2609
@priy2609 Priyanka

This worked for me. Thanks.

2 days 2 hours ago
FernandoRubilar
@FernandoRubilar FernandoRubilar.

Estimados Señores de red social Twitter.
Siempre he tenido muy buena acogida de parte de ustedes,por eso,muchas gracias.
Mucho se habla de seguridad y protocolo -'https'- en mi sección cuenta; desapareció dicho casillero y,por lo tanto, no tengo casillero protección con https.
Sería su eterno agradecido de su respuesta

14 weeks 4 days ago
DustyReagan
@DustyReagan Dusty Reagan

Very sensible blackout time! Discovered this issue in my apps as well. I thought they were already using SSL! Turns out not completely.

14 weeks 4 days ago
richardhyland
@richardhyland Richard Hyland

Same here, I thought they were all SSL but found my Twitter4J still had a non ssl oauth url in it

14 weeks 4 days ago
wondDe
@wondDe wonDe

can you share your solution,please? having same issue here.

3 weeks 4 days ago
zemaj
@zemaj James Peter

Hi folks,

Is it possible for you to post important notices like these to the blog?

We were a bit blindsided by this as we didn't get any notification that it was going to occur. Previously all similar blackout test have been posted to the announcements blog which sends us email notifications.

If not, is there some other place we can sign up for email notifications of these events? This post just looks like a user's post in the API forum, so it's not clear its an important announcement.

Thank you,
James

14 weeks 3 days ago
oldergod
@oldergod Benoit Quenaudon

+1 for this one. We also found this news somewhat randomly so would be great to add such impacting news on the blog.
Thank you.

14 weeks 2 days ago
lfcipriani
@lfcipriani Luis Cipriani

Yes, we can publish this on the blog. Sorry that you miss this one because it was posted as a discussion topic.

We agree with your requests, there should be a guaranteed way of knowing these changes and we are working on that.

For now, the available ways are:
- Our calendar (https://dev.twitter.com/calendar)
- @twitterapi account
- Our blog (https://dev.twitter.com/blog)
- Sticky posts at Discussions page

14 weeks 2 days ago
dennydaugherty
@dennydaugherty Denny Daugherty

Announcements such as this should be made much further in advance. I don't see anything before the discussion post less than five weeks before the change took effect. This is not sufficient time to allow developers to update their apps, especially when you take into account busy development schedules and submission time for native mobile applications.

The ability to subscribe to these updates via email would be especially helpful as well. I follow @twitterapi and have added the blog to my news reader, however I am more likely to actually capture an important message if received in an email.

12 weeks 5 days ago
pgarvie
@pgarvie Paul Garvie

@lfcipriani

Couple questions:

  1. Are any further blackouts planned?
  2. What time on Jan. 14th do you guys plan on flipping the switch? The idea being if we know approximately when this is to occur, we can be monitoring our logs to make sure everything continues working.

Thanks!!

PaulG

PS: Here it says this will occur Jan 14th, but in this @twitterapi post it says this will occur on Jan 13th:
https://twitter.com/twitterapi/status/420302564605702144

Could you check that out for us?

14 weeks 3 days ago
lfcipriani
@lfcipriani Luis Cipriani

1) No, on January 14th the change will be completely done.
2) I will have this info soon and will post an update here.

ps.: The tweet you mention is about another change that will happen at Streaming API and is related to HTTP 1.0 deactivation. The change announced in this post will be only in api.twitter.com and is related to SSL traffic restriction.

14 weeks 2 days ago
lfcipriani
@lfcipriani Luis Cipriani

The deploy will start at 11am PST, Jan 14th

14 weeks 1 day ago
pgarvie
@pgarvie Paul Garvie

Got it. Thanks Luis.

Appreciate it.

PaulG

14 weeks 2 days ago
fanaticly
@fanaticly Fanaticly

Will this also break calls to the TWRequest API in iOS apps? That is, do we need to update the NSURLs we use from http:// to https:// ?

14 weeks 1 day ago
lfcipriani
@lfcipriani Luis Cipriani

If these URLs are connecting to api.twitter.com, yes, you need to update it.

13 weeks 5 days ago
AZOMITE
@AZOMITE AZOMITE

We fixed ours by just adding an 's' to the http in our twitter.php file. Whoo-hoo. Easy.

12 weeks 6 days ago
EPEelche
@EPEelche ElcheParqEmpresarial

Good morning. I'm developing a web to capture and send tweets and I received the news that as of January 14 using a SSL cerfiticate to use the Twitter API is required.
I have seen that you can get with Verisign and Digicert. My question is Can I use another certificate from another company? What requirements should meet?

13 weeks 5 days ago
lfcipriani
@lfcipriani Luis Cipriani

Usually HTTP client libraries available for the language you are using already handle SSL requests. For api.twitter.com you must use only Verisign certificates, given that other certificates won't be validated by your clients.

Please, read the documentation about Connecting to Twitter API with SSL: https://dev.twitter.com/docs/security/using-ssl

13 weeks 5 days ago
EPEelche
@EPEelche ElcheParqEmpresarial

Okay, another question: the only valid certificate for api.twitter.com is Verisign Class 3 Secure Server CA - G3? Are there other valid alternatives?

13 weeks 4 days ago
lfcipriani
@lfcipriani Luis Cipriani

Yes, and there's no other valid alternatives.

13 weeks 4 days ago
EPEelche
@EPEelche ElcheParqEmpresarial

Thanks

13 weeks 4 days ago
HakimGhoula
@HakimGhoula Hakim Jonas Ghoula

I'm using Twython to read from user_timeline and last night my script was working fine now it doesn't. I don't have any http or https in my code so I guess that is handled by twython. Only thing is I was under the impression that it uses https per default. Why am I getting 401s now and how do I go about fixing it?

13 weeks 4 days ago
lfcipriani
@lfcipriani Luis Cipriani

The deploy of this change will start at 11am PST, so at the time of writing it didn't start yet. Your problem can not be related to SSL restriction. But would be interesting to check Twython source code to check if everything will be fine after the restriction is applied.

13 weeks 4 days ago
HakimGhoula
@HakimGhoula Hakim Jonas Ghoula

Seems very strange that a script that works fine all of a sudden stops working while running and thus have had no changes to code or dependencies from working state to not working state.

Has anything been changed to oauth version 2?

EDIT: I have now made a new app and it seems to work, now I'm anxious to see if it will also get the same problems.

13 weeks 4 days ago
Al_Sweetman
@Al_Sweetman Al Sweetman

I've an interesting one here - Hosebird has stopped functioning, today.

Even the "sample code" in the repository returns an IOException (the same as what I'm seeing) - "2014-01-14 17:05:20,506 [hosebird-client-io-thread-0] WARN com.twitter.hbc.httpclient.ClientBase.establishConnection.184 - Hosebird-Client-01 IOException caught when establishing connection to https://stream.twitter.com/1.1/statuses/filter.json?delimited=length&stall_warnings=true"

Debugging this, under the covers, I see a request to "Connect to stream.twitter.com:80 timed out". How bizzare!

It seems quite coincidental that this is just happening, today, on the day of the switch over. What I can't understand, however, is where the "http" request comes in at all when everything from within hosebird is set up to use https.

13 weeks 4 days ago
Al_Sweetman
@Al_Sweetman Al Sweetman

Code below: This is what's happening with my "proper" client as well as the test client I just created for a proof-of-concept. Incidentally developed against Hosebird 1.4.0

  1. import com.google.common.collect.Lists;
  2. import com.twitter.hbc.ClientBuilder;
  3. import com.twitter.hbc.core.Client;
  4. import com.twitter.hbc.core.Constants;
  5. import com.twitter.hbc.core.Hosts;
  6. import com.twitter.hbc.core.HttpHosts;
  7. import com.twitter.hbc.core.endpoint.StatusesFilterEndpoint;
  8. import com.twitter.hbc.core.event.Event;
  9. import com.twitter.hbc.core.processor.StringDelimitedProcessor;
  10. import com.twitter.hbc.httpclient.auth.Authentication;
  11. import com.twitter.hbc.httpclient.auth.OAuth1;
  12.  
  13. import java.util.List;
  14. import java.util.concurrent.BlockingQueue;
  15. import java.util.concurrent.LinkedBlockingQueue;
  16.  
  17. /
  18.  * Created with IntelliJ IDEA.
  19.  */
  20. public class TwitterTest
  21. {
  22.     public static void main(String[] args )
  23.     {
  24.         String consumerKey = "XXX";
  25.         String consumerSecret = "XXX";
  26.         String token = "XXX";
  27.         String secret = "XXX";
  28.  
  29.         / Set up your blocking queues: Be sure to size these properly based on expected TPS of your stream */
  30.         BlockingQueue<String> msgQueue = new LinkedBlockingQueue<String>( 100000 );
  31.         BlockingQueue<Event> eventQueue = new LinkedBlockingQueue<Event>( 1000 );
  32.  
  33. /** Declare the host you want to connect to, the endpoint, and authentication (basic auth or oauth) */
  34.         Hosts hosebirdHosts = new HttpHosts( Constants.STREAM_HOST );
  35.         StatusesFilterEndpoint endpoint = new StatusesFilterEndpoint();
  36.         List<String> terms = Lists.newArrayList( "twitter", "api" );
  37.         endpoint.trackTerms( terms );
  38.  
  39.         Authentication hosebirdAuth = new OAuth1( consumerKey, consumerSecret, token, secret );
  40.         ClientBuilder builder = new ClientBuilder()
  41.                 .name( "Hosebird-Client-01" )                              // optional: mainly for the logs
  42.                 .hosts( hosebirdHosts )
  43.                 .authentication( hosebirdAuth )
  44.                 .endpoint( endpoint )
  45.                 .processor( new StringDelimitedProcessor( msgQueue ) )
  46.                 .eventMessageQueue( eventQueue );                          // optional: use this if you want to process client events
  47.  
  48.         Client hosebirdClient = builder.build();
  49.  
  50.         hosebirdClient.connect();
  51.         int count = 0;
  52.         while ( !hosebirdClient.isDone() && count++ < 10 )
  53.         {
  54.             String msg = null;
  55.             try
  56.             {
  57.                 msg = msgQueue.take();
  58.             }
  59.             catch ( InterruptedException e )
  60.             {
  61.                 e.printStackTrace();  //To change body of catch statement use File | Settings | File Templates.
  62.             }
  63.             System.out.println( "message  " + msg );
  64.         }
  65.         hosebirdClient.stop();
  66.     }
  67. }
13 weeks 4 days ago
Al_Sweetman
@Al_Sweetman Al Sweetman

Investigations reveal that there is a bug in RestartableHttpClient which I'm going to try to write a patch for whereby it doesn't respect the https scheme if it's present when constructing HttpHost instances.

13 weeks 4 days ago
lfcipriani
@lfcipriani Luis Cipriani

Indeed, this is not a problem related to this change. Glad that you found the bug.

13 weeks 4 days ago
Al_Sweetman
@Al_Sweetman Al Sweetman

Well, it is kind of related? To quote: "If your application still uses HTTP plaintext connections you will need to update it to use HTTPS connections, otherwise your app will stop functioning. "

From what I can see, the http://stream.twitter.com/1.1 has now been "turned off" as part of this change, hence causing all instances of hosebird to fail? This is hosebird that fails, rather than our individual application.

13 weeks 3 days ago
bartwegrzyn
@bartwegrzyn Bart Wegrzyn

Having the same issue. HBC tries to connect to a non HTTPS endpoint.

org.apache.http.conn.ConnectTimeoutException: Connect to stream.twitter.com:80 timed out

Any updates on how to fix this?

Update: For anyone else trying to debug this... it turns out the com.amazonaws:aws-java-sdk requires version 4.2 of org.apache.httpcomponents:httpclient, which has a bug that doesn't respect the scheme of a URL when using DecompressingHttpClient. This issue was fixed in 4.2.1, see https://issues.apache.org/jira/browse/HTTPCLIENT-1200.

I had to exclude the old dependency on com.amazonaws:aws-java-sdk and let com.twitter:hbc-core use its newer dependency.

13 weeks 2 days ago
lfcipriani
@lfcipriani Luis Cipriani

The change was deployed at 17:25 UTC (Jan 14, 2014)

13 weeks 4 days ago
pgarvie
@pgarvie Paul Garvie

Thanks Luis. Nice job!!

PaulG

13 weeks 4 days ago
Catfe_LA
@Catfe_LA Catfe

Thanks!

7 weeks 1 day ago
followfever_com
@followfever_com FollowFever

I get the same troubles that one week ago (during several hours). I do not know what is wrong...

13 weeks 4 days ago
newsytweets
@newsytweets News As It Happens

I am positive that I am using the https endpoint, but still getting 403 error code. Anyone else seeing the same problem? I am using Net::Twitter perl module. I checked the source code and it is indeed using https.

13 weeks 4 days ago