Notice to developers using the EBT API


Post by avij » Sat Aug 20, 2016 5:18 pm

This is an advance notification that logging in via the EBT API must be done over secure HTTPS from October 1st 2017 onwards. Logins via plain unsecure HTTP will fail.

Background

The API has been available over HTTPS since 30th September 2011. This means the transition period from HTTP logins to HTTPS logins will end up being six years, which, I believe, is a reasonable time to make the necessary changes.

Many of the applications using the EBT API are used on the road, potentially over unencrypted WiFi. Therefore it is important that the email addresses and passwords are transmitted to EBT over HTTPS to prevent malicious people from snooping the network traffic, and getting the email addresses and passwords. Some of you may think "who cares if someone gets access to my EBT account", but unfortunately there are people who use the same password everywhere. Consider the following scenario: You log in to EBT using your email address and password, which happens to be the same password that you use when logging in to your webmail. Now if someone is listening to the unencrypted network traffic, he will notice an email address and a password. He will then try this email+password pair to log in to your webmail (such as GMail), and as the password is the same, he will gain access to your emails. I believe this is undesirable. Users using those applications do not have a choice whether to use HTTP or HTTPS, therefore our only way to get people to use HTTPS is to block logins via HTTP.

Note that this is not an idle threat -- this has already happened, and I'm trying to prevent it from happening again.

Updated applications

Here is a list of applications using the EBT API that are known to already use HTTPS:
Note that some applications may already use HTTPS, but I do not know that. If you know that the application uses HTTPS (perhaps from some specific version number onwards), please let me know.

Some related guidelines
  • Use api.eurobilltracker.com instead of api.eurobilltracker.eu
  • In general, use eurobilltracker.com instead of eurobilltracker.eu everywhere. At some point some applications generated statistics HTML that included links to .eu, or referenced images from .eu. These should also be fixed. Rationale for .com instead of .eu. The .eu address has been deprecated for some five years now.
  • When your application or script or any other automated thing accesses EBT (either through the API or otherwise), please include the application name and version number in the user agent string.
  • Even though this change affects only logins (for now), you are encouraged to conduct all communication with EBT over HTTPS. It is possible that we will block unsecure HTTP entirely at some point.

This change does not directly affect anyone's ability to enter notes via our website. It may be possible that we will block unencrypted logins via the website as well at some point, but no decision about this has been made yet.
Money makes the world go round. We track how the money goes round the world.
EBT Tech WG leader. Do not PM me if your question is not related to Tech WG or the association.
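
An added example, not part of the original post and not code from EBT or any EBT application: a small audit that scans an application's source or generated statistics HTML for EBT URLs that use plain HTTP or the deprecated .eu domain, following the guidelines above, and rewrites them to HTTPS on .com. The function names, the sample input and every hostname or path other than api.eurobilltracker.com are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Absolute http(s) URLs; trailing sentence punctuation stays outside the match.
URL_RE = re.compile(r"https?://[^\s\"'<>]*[^\s\"'<>.,;:!?)]", re.IGNORECASE)

def check_url(url):
    """Return (fixed_url, problems); problems is empty for non-EBT or compliant URLs."""
    try:
        parts = urlsplit(url)
        labels = (parts.hostname or "").lower().split(".")
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return url, []
    # eurobilltracker.com/.eu and subdomains only, not eurobilltracker.com.example.net.
    if labels[-2:-1] != ["eurobilltracker"] or labels[-1] not in ("com", "eu"):
        return url, []
    problems = []
    if parts.scheme.lower() != "https":
        problems.append("plain HTTP")
    if labels[-1] == "eu":
        problems.append("deprecated .eu domain")
    if not problems:
        return url, []
    if parts.netloc.lower() != ".".join(labels):
        # Explicit port or userinfo: report it, leave the rewrite to a human.
        return url, problems + ["not rewritten: port or userinfo present"]
    host = ".".join(labels[:-1] + ["com"])
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment)), problems

def audit(text):
    """Rewrite EBT URLs in text; return (new_text, [(original_url, problems), ...])."""
    findings = []
    def repl(match):
        fixed, problems = check_url(match.group(0))
        if problems:
            findings.append((match.group(0), problems))
        return fixed
    return URL_RE.sub(repl, text), findings

# Constructed sample input; hostnames other than api.* and all paths are made up.
SAMPLE = '''<a href="http://www.eurobilltracker.eu/profile/?user=1">profile</a>
login_url = "http://api.eurobilltracker.com/"
ok = "https://api.eurobilltracker.com/"
other = "http://eurobilltracker.com.example.net/"
'''

if __name__ == "__main__":
    for url, problems in audit(SAMPLE)[1]:
        print(url, "->", ", ".join(problems))
```

The rewrite assumes the same path exists under the .com host; treat the findings list as the review queue and confirm each rewritten URL before shipping.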


Re: Notice to developers using the EBT API

Post by avij » Sat Apr 01, 2017 4:54 pm

April 1st isn't a good day to make announcements, but bear with me. October 1st is exactly half a year from now, that's why I'm posting this today.

This is a reminder to API users that this change will be done half a year from now. At this stage I would like to know more about the status of apps using the API. I only know that Billy uses https, but the status of other apps is unknown to me.

If you are an app developer and haven't put any thought on this yet, now might be the time. You still have half a year to make the changes.

Re: Notice to developers using the EBT API

Post by avij » Sat Jul 01, 2017 8:24 am

Three months to go ...