The API has been available over HTTPS since 30th September 2011. This means the transition period from HTTP logins to HTTPS logins will end up being six years, which, I believe, is a reasonable time to make the necessary changes.
Many of the applications using the EBT API are used on the road, potentially over unencrypted WiFi. Therefore it is important that email addresses and passwords are transmitted to EBT over HTTPS, to prevent malicious people from snooping on the network traffic and harvesting those email addresses and passwords. Some of you may think "who cares if someone gets access to my EBT account", but unfortunately there are people who use the same password everywhere. Consider the following scenario: you log in to EBT using your email address and password, which happens to be the same password that you use when logging in to your webmail. If someone is listening to the unencrypted network traffic, he will see an email address and a password. He will then try this email+password pair to log in to your webmail (such as GMail), and as the password is the same, he will gain access to your emails. I believe this is undesirable. Users of those applications do not have a choice whether to use HTTP or HTTPS, therefore our only way to get people to use HTTPS is to block logins via HTTP.
Note that this is not an idle threat -- this has already happened, and I'm trying to prevent it from happening again.
Here is a list of applications using the EBT API that are known to already use HTTPS:
- Billy (confirmation)
Some related guidelines:
- Use api.eurobilltracker.com instead of api.eurobilltracker.eu
- In general, use eurobilltracker.com instead of eurobilltracker.eu everywhere. At some point some applications generated statistics HTML that included links to .eu, or referenced images from .eu. These should also be fixed. Rationale for .com instead of .eu: the .eu address has been deprecated for some five years now.
- When your application or script or any other automated thing accesses EBT (either through the API or otherwise), please include the application name and version number in the user agent string.
- Even though this change affects only logins (for now), you are encouraged to conduct all communication with EBT over HTTPS. It is possible that we will block insecure HTTP entirely at some point.