Notice to developers using the EBT API


avij
Forum Moderator
Posts: 6120
Joined: Mon May 27, 2002 10:45 pm
Location: Helsinki Finland

Notice to developers using the EBT API

Post by avij »

This is an advance notification that logging in via the EBT API must be done over secure HTTPS from October 1st 2017 onwards. Logins via plain unsecure HTTP will fail.

Background

The API has been available over HTTPS since 30th September 2011. This means the transition period from HTTP logins to HTTPS logins will end up being six years, which, I believe, is a reasonable time to make the necessary changes.

Many of the applications using the EBT API are used on the road, potentially over unencrypted WiFi. Therefore it is important that the email addresses and passwords are transmitted to EBT over HTTPS to prevent malicious people from snooping the network traffic, and getting the email addresses and passwords. Some of you may think "who cares if someone gets access to my EBT account", but unfortunately there are people who use the same password everywhere. Consider the following scenario: You log in to EBT using your email address and password, which happens to be the same password that you use when logging in to your webmail. Now if someone is listening to the unencrypted network traffic, he will notice an email address and a password. He will then try this email+password pair to log in to your webmail (such as GMail), and as the password is the same, he will gain access to your emails. I believe this is undesirable. Users using those applications do not have a choice whether to use HTTP or HTTPS, therefore our only way to get people to use HTTPS is to block logins via HTTP.

Note that this is not an idle threat -- this has already happened, and I'm trying to prevent it from happening again.

Updated applications

Here is a list of applications using the EBT API that are known to already use HTTPS: Note that some applications may already use HTTPS, but I do not know that. If you know that the application uses HTTPS (perhaps from some specific version number onwards), please let me know.

Some related guidelines
  • Use api.eurobilltracker.com instead of api.eurobilltracker.eu
  • In general, use eurobilltracker.com instead of eurobilltracker.eu everywhere. At some point some applications generated statistics HTML that included links to .eu, or referenced images from .eu. These should also be fixed. Rationale for .com instead of .eu. The .eu address has been deprecated for some five years now.
  • When your application or script or any other automated thing accesses EBT (either through the API or otherwise), please include the application name and version number in the user agent string.
  • Even though this change affects only logins (for now), you are encouraged to conduct all communication with EBT over HTTPS. It is possible that we will block unsecure HTTP entirely at some point.
  • Do not rely on some specific order of returned data items in API responses. Find the data you need from the result set by using the field name.
  • Note that we reserve the right to add additional fields to results without incrementing the API version number.
This change does not directly affect anyone's ability to enter notes via our website. It may be possible that we will block unencrypted logins via the website as well at some point, but no decision about this has been made yet.
Money makes the world go round. We track how the money goes round the world.
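To make the guidelines above concrete, here is a small client-side helper added as an example (it is not code from EBT or from any of the apps mentioned): it refuses plain HTTP and the deprecated .eu host before a login can leak, puts the app name and version in the User-Agent, and reads result fields by name rather than position. The query parameters and the JSON shape in the sample responses are constructed assumptions, not the real EBT API format.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Host the guidelines ask for; api.eurobilltracker.eu is deprecated.
API_HOST = "api.eurobilltracker.com"


def url_allowed(url):
    """True only for https:// URLs on the .com API host."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == API_HOST


def build_request(url, app_name, app_version):
    """Return a urllib Request for an EBT API call, or raise before any
    credentials could travel over plain HTTP or to the deprecated host."""
    if not url_allowed(url):
        raise ValueError("EBT API calls must go to https://%s/, got %r" % (API_HOST, url))
    # Application name and version in the User-Agent so EBT can tell apps apart.
    return urllib.request.Request(url, headers={"User-Agent": "%s/%s" % (app_name, app_version)})


def pick_fields(body, wanted):
    """Select fields from each record of a JSON result set by name.
    Field order may change and new fields may be added without an API
    version bump, so the code never indexes by position."""
    records = json.loads(body)
    return [{name: rec[name] for name in wanted} for rec in records]


# Constructed sample responses (not real EBT output): same data, different field
# order, and one extra field in the second response.
RESPONSE_A = '[{"note": "sample-note-1", "value": 5, "city": "Helsinki"}]'
RESPONSE_B = '[{"city": "Helsinki", "note": "sample-note-1", "extra": 1, "value": 5}]'


def demo():
    # Hypothetical logout-style URL; PHPSESSID value is a placeholder.
    req = build_request("https://api.eurobilltracker.com/?m=logout&PHPSESSID=placeholder",
                        "ExampleApp", "1.0")
    return req.get_header("User-agent"), pick_fields(RESPONSE_B, ("note", "value"))
```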

Re: Notice to developers using the EBT API

Post by avij »

April 1st isn't a good day to make announcements, but bear with me. October 1st is exactly half a year from now, that's why I'm posting this today.

This is a reminder to API users that this change will be done half a year from now. At this stage I would like to know more about the status of apps using the API. I only know that Billy uses https, but the status of other apps is unknown to me.

If you are an app developer and haven't put any thought on this yet, now might be the time. You still have half a year to make the changes.

Re: Notice to developers using the EBT API

Post by avij »

Three months to go ...

Re: Notice to developers using the EBT API

Post by avij »

One month to go. As far as I can see, only Billy does logins via HTTPS. All the other applications use plain HTTP, and those applications can't be used for entering notes from October 1st onwards, unless those applications get updated to support HTTPS logins before that date.

If you use a note entering app on your phone, you may want to contact the app developer to make sure your favourite app gets updated. The EBT-Tool is also affected by this.

Re: Notice to developers using the EBT API

Post by avij »

I'm told that iEBT was updated today and it will now do logins properly over HTTPS.

As far as I know, none of the Android apps have been updated to use https yet, and those will be blocked on Sunday unless they get updated prior to that day.

Re: Notice to developers using the EBT API

Post by avij »

Because the API does not allow sending an error message back to the app, I tried to be creative. This is now what happens when trying to use Massilia Dev's EuroBillTracker app (identified by user agent string "Android EurobillTracker application version:22" and "Android EurobillTracker application version:0" (the latter is probably a bug, it should show 22 in there as well)). The same is not possible with the €uroNotes app, because that app does not set the user agent string.

Image 1: http://miuku.net/tmp/Screenshot_20171004-001534.png
Image 2: http://miuku.net/tmp/Screenshot_20171004-013241.png

I'm still hoping that these apps could be updated, but I have been unable to contact the developers so the prognosis is bad. Perhaps there's someone in here who would like to write a new Android app from scratch.
Castanhola
Euro-Master
Posts: 7251
Joined: Sat May 27, 2006 11:47 pm
Location: Coimbra, Portugal

EBT API changes?

Post by Castanhola »

Did anything change in the EBT API a few days ago?
It seems the logout method changed and does not send the same feedback as before.
My EBT Profile
Best portuguese ranking: 2 (2022-09-22)
Best international ranking: 74 (2024-03-18)
My EBTcheck statistics
My nigmm statistics
Link for my EBTST statistics on my EBT profile

Re: EBT API changes?

Post by avij »

Well I don't know ..

$ curl 'https://api.eurobilltracker.com/?m=logo ... =123456789'
true


which matches the description on https://api.eurobilltracker.com/doc/api_logout.html and the description surely hasn't changed for a long time.

(*) the forum censors the PHPSESSID word, there should not be an underscore.

Re: EBT API changes?

Post by Castanhola »

I use JSON Helper to send commands to the EBT API and to get the answer.
It has worked perfectly for years. But a few days ago I started to get no answer from the logout method; now I get only "".
I need to change my script...
Uns' Uwe
Euro-Regular in Training
Posts: 55
Joined: Thu Jun 04, 2009 11:30 am
Location: Berlin, Germany

Re: Notice to developers using the EBT API

Post by Uns' Uwe »

avij wrote:I'm still hoping that these apps could be updated, but I have been unable to contact the developers so the prognosis is bad. Perhaps there's someone in here who would like to write a new Android app from scratch.
I've been using MassiliaDev's Android app for a couple of years, and I was surprised when I got the error message you posted. I, too, tried to contact him at his mail address given in the contacts section at Google Play. I guess, your mail bounced, and so did mine. Instead of writing a postcard (cool idea, BTW) I googled his name, hoping to find some alternative way to contact him electronically.

The second hit was...an obituary. :(

Given the fact that one of the other apps he had published on Google Play is a tour guide app for Vallon-Pont-d'Arc, and that his funeral has taken place in Vallon-Pont-d'Arc, it seems very likely that it's the same Franck Gimond we've been looking for.

Deep sympathy to his family...
MDeen
Euro-Master
Posts: 2038
Joined: Mon Jul 15, 2002 11:52 am
Location: Helden, The Netherlands

Re: Notice to developers using the EBT API

Post by MDeen »

Very strange, all of a sudden my perl script to access the api does not work anymore. I use LWP::UserAgent to access the api, which worked fine yesterday but does not work anymore today. It still works with other apis at other sites.
If I try to access the same URL with curl, then there is no problem.

Anyone have any idea why this would happen?

And if I use WWW::Curl in perl then I don't get the json response but something like


Received response: HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=somesessionid; expires=Sat, 03-Aug-2019 13:36:08 GMT; path=/; domain=.eurobilltracker.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html
Content-Length: 5
Date: Tue, 21 Aug 2018 08:16:08 GMT
Server: lighttpd/1.4.50

Re: Notice to developers using the EBT API

Post by MDeen »

Hmm, this seems to be related to avij's message that IPv6 connectivity is problematic. I disabled IPv6 on my server and now it works.
Just need to find out if there is a way to enable it again without rebooting :?

Re: Notice to developers using the EBT API

Post by avij »

Maybe the script does IPv6 first, and doesn't know to retry over IPv4 if IPv6 does not work? In any case, IPv6 at EBT is fixed now, so your script should work again.
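The retry behaviour avij describes, written out as an added example (this is not MDeen's Perl script and not EBT code): resolve every address for the host, try them in the resolver's order, and fall back to the next one when a connection fails rather than stopping at the first IPv6 error. The `resolve` and `connect` parameters are hypothetical injection points so the logic can be exercised offline with a constructed address list.

```python
import socket


def _tcp_connect(family, sockaddr, timeout):
    """Open one TCP connection; close the socket and re-raise on failure."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError:
        sock.close()
        raise
    return sock


def connect_any(host, port, timeout=5.0, resolve=socket.getaddrinfo, connect=_tcp_connect):
    """Try every address the resolver returns (typically AAAA before A) and move
    on to the next one when a connection fails. Returns (socket, failures);
    raises OSError only when every address failed."""
    failures = []
    infos = resolve(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    for family, _type, _proto, _canon, sockaddr in infos:
        try:
            return connect(family, sockaddr, timeout), failures
        except OSError as exc:
            # Record the failure (for instance unreachable IPv6) and keep going.
            failures.append((family, sockaddr[0], str(exc)))
    raise OSError("no address of %s:%d accepted a connection: %r" % (host, port, failures))


# Constructed resolver result: one IPv6 and one IPv4 address (documentation ranges).
FAKE_INFOS = [
    (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::1", 443, 0, 0)),
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.1", 443)),
]


def fake_resolve(host, port, family, socktype):
    """Stand-in for socket.getaddrinfo returning the constructed list above."""
    return FAKE_INFOS


def ipv6_broken_connect(family, sockaddr, timeout):
    """Stand-in connector reproducing the thread's situation: IPv6 unreachable, IPv4 fine."""
    if family == socket.AF_INET6:
        raise OSError("Network is unreachable")
    return "connected-to-%s" % sockaddr[0]
```

A client that only tries the first address would fail here; with the loop it reaches the IPv4 address and records the IPv6 failure for logging.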

Re: Notice to developers using the EBT API

Post by MDeen »

Thanks. Unfortunately I read that disabling IPv6 in Ubuntu is permanent until a reboot. Now I have to reboot my server, almost 1000 days uptime :(

Re: Notice to developers using the EBT API

Post by avij »

I'm not particularly familiar with Ubuntu, but having to reboot seems odd. How did you disable IPv6?