Notice to developers using the EBT API

Sat Aug 20, 2016 5:18 pm

This is an advance notification that logging in via the EBT API must be done over HTTPS from October 1st 2017 onwards. Logins over plain, insecure HTTP will fail.


The API has been available over HTTPS since 30th September 2011, so the transition period from HTTP logins to HTTPS logins will end up being six years, which I believe is a reasonable time to make the necessary changes.

Many of the applications using the EBT API are used on the road, potentially over unencrypted WiFi. It is therefore important that email addresses and passwords are transmitted to EBT over HTTPS, so that someone snooping on the network traffic cannot capture them. Some of you may think "who cares if someone gets access to my EBT account", but unfortunately there are people who use the same password everywhere. Consider the following scenario: you log in to EBT using your email address and password, which happens to be the same password you use for your webmail. Someone listening to the unencrypted network traffic sees the email address and password, tries the same email+password pair against your webmail (such as GMail), and, because the password is the same, gains access to your emails. I believe this is undesirable. Users of those applications have no choice between HTTP and HTTPS, so the only way for us to get people onto HTTPS is to block logins via HTTP.

Note that this is not an idle threat -- this has already happened, and I'm trying to prevent it from happening again.

Updated applications

Here is a list of applications using the EBT API that are known to already use HTTPS:
Note that some applications may already use HTTPS, but I do not know that. If you know that the application uses HTTPS (perhaps from some specific version number onwards), please let me know.

Some related guidelines
  • Use instead of
  • In general, use instead of everywhere. At some point some applications generated statistics HTML that included links to .eu, or referenced images from .eu. These should also be fixed. Rationale for .com instead of .eu. The .eu address has been deprecated for some five years now.
  • When your application, script or any other automated client accesses EBT (through the API or otherwise), please include the application name and version number in the User-Agent string.
  • Even though this change affects only logins (for now), you are encouraged to conduct all communication with EBT over HTTPS. We may block insecure HTTP entirely at some point.
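As an added example (not EBT's own code, and not taken from any of the applications listed above), here is a small client helper that applies the guidelines above before any credentials leave the machine: it refuses plain HTTP and the deprecated .eu host rather than silently downgrading, sends the login over HTTPS with certificate verification on, and sets a name/version User-Agent. The hostname en.eurobilltracker.com, the /api/login path, the form field names (email, password) and the application name and version are assumptions for illustration only; check the real API documentation for the actual endpoint.

```python
# Added example, not EBT's own code. Hostname, /api/login path, field names
# and the app name/version below are assumptions for illustration.
import ssl
import urllib.parse
import urllib.request

APP_NAME = "MyNoteTracker"   # assumed application name
APP_VERSION = "1.4.2"        # assumed application version


def is_safe_login_url(url: str) -> bool:
    """True only if credentials may be sent to this URL: the scheme must be
    https and the host must not be the deprecated .eu name."""
    parts = urllib.parse.urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and bool(host) and not host.endswith(".eu")


def user_agent(app_name: str = APP_NAME, app_version: str = APP_VERSION) -> str:
    """User-Agent in the 'name/version' form the guideline asks for."""
    return f"{app_name}/{app_version}"


def build_login_request(base_url: str, email: str, password: str) -> urllib.request.Request:
    """Build the login POST. Refuses unsafe URLs instead of rewriting them,
    so a misconfigured http:// base never leaks the password."""
    if not is_safe_login_url(base_url):
        raise ValueError(
            f"refusing to send credentials to {base_url!r}: use https:// and the .com host"
        )
    url = base_url.rstrip("/") + "/api/login"   # path is an assumption
    body = urllib.parse.urlencode({"email": email, "password": password}).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("User-Agent", user_agent())
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def send(req: urllib.request.Request, timeout: float = 15.0) -> bytes:
    """Send the request with certificate and hostname verification enabled
    (the default SSL context does both), so an attacker on open WiFi cannot
    substitute their own certificate."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed sample credentials; no network access is performed here.
    req = build_login_request("https://en.eurobilltracker.com", "user@example.com", "hunter2")
    print(req.get_method(), req.full_url, req.get_header("User-agent"))
    for bad in ("http://en.eurobilltracker.com", "https://en.eurobilltracker.eu"):
        try:
            build_login_request(bad, "user@example.com", "hunter2")
        except ValueError as exc:
            print("blocked:", exc)
    # send(req) would perform the real login over HTTPS; not run in this demo.
```

Note that urllib stores header names capitalised, so the User-Agent is read back as "User-agent"; on the wire it is sent as set. The check is deliberately a hard failure rather than an automatic http-to-https rewrite, so that a client shipped with a stale http:// URL fails loudly in testing instead of working until October 2017 and then breaking in the field.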
This change does not directly affect anyone's ability to enter notes via our website. We may also block unencrypted logins via the website at some point, but no decision about this has been made yet.
