Notice to developers using the EBT API


avij
Forum Moderator

Notice to developers using the EBT API

Postby avij » Sat Aug 20, 2016 5:18 pm

This is an advance notification that logging in via the EBT API must be done over secure HTTPS from October 1st 2017 onwards. Logins via plain unsecure HTTP will fail.

Background

The API has been available over HTTPS since 30th September 2011. This means the transition period from HTTP logins to HTTPS logins will end up being six years, which, I believe, is a reasonable time to make the necessary changes.

Many of the applications using the EBT API are used on the road, potentially over unencrypted WiFi. Therefore it is important that the email addresses and passwords are transmitted to EBT over HTTPS to prevent malicious people from snooping the network traffic, and getting the email addresses and passwords. Some of you may think "who cares if someone gets access to my EBT account", but unfortunately there are people who use the same password everywhere. Consider the following scenario: You log in to EBT using your email address and password, which happens to be the same password that you use when logging in to your webmail. Now if someone is listening to the unencrypted network traffic, he will notice an email address and a password. He will then try this email+password pair to log in to your webmail (such as GMail), and as the password is the same, he will gain access to your emails. I believe this is undesirable. Users using those applications do not have a choice whether to use HTTP or HTTPS, therefore our only way to get people to use HTTPS is to block logins via HTTP.

Note that this is not an idle threat -- this has already happened, and I'm trying to prevent it from happening again.

Updated applications

Here is a list of applications using the EBT API that are known to already use HTTPS:
Note that some applications may already use HTTPS, but I do not know that. If you know that the application uses HTTPS (perhaps from some specific version number onwards), please let me know.

Some related guidelines
  • Use api.eurobilltracker.com instead of api.eurobilltracker.eu
  • In general, use eurobilltracker.com instead of eurobilltracker.eu everywhere. At some point some applications generated statistics HTML that included links to .eu, or referenced images from .eu. These should also be fixed. Rationale for .com instead of .eu. The .eu address has been deprecated for some five years now.
  • When your application or script or any other automated thing accesses EBT (either through the API or otherwise), please include the application name and version number in the user agent string.
  • Even though this change affects only logins (for now), you are encouraged to conduct all communication with EBT over HTTPS. It is possible that we will block unsecure HTTP entirely at some point.
  • Do not rely on some specific order of returned data items in API responses. Find the data you need from the result set by using the field name.
  • Note that we reserve the right to add additional fields to results without incrementing the API version number.
This change does not directly affect anyone's ability to enter notes via our website. It may be possible that we will block unencrypted logins via the website as well at some point, but no decision about this has been made yet.
Money makes the world go round. We track how the money goes round the world.
EBT Tech WG leader. Do not PM me if your question is not related to Tech WG or the association.

avij
Forum Moderator

Re: Notice to developers using the EBT API

Postby avij » Sat Apr 01, 2017 4:54 pm

April 1st isn't a good day to make announcements, but bear with me. October 1st is exactly half a year from now, that's why I'm posting this today.

This is a reminder to API users that this change will be done half a year from now. At this stage I would like to know more about the status of apps using the API. I only know that Billy uses https, but the status of other apps is unknown to me.

If you are an app developer and haven't put any thought on this yet, now might be the time. You still have half a year to make the changes.

avij
Forum Moderator

Re: Notice to developers using the EBT API

Postby avij » Sat Jul 01, 2017 8:24 am

Three months to go ...

avij
Forum Moderator

Re: Notice to developers using the EBT API

Postby avij » Fri Sep 01, 2017 9:17 am

One month to go. As far as I can see, only Billy does logins via HTTPS. All the other applications use plain HTTP, and those applications can't be used for entering notes from October 1st onwards, unless those applications get updated to support HTTPS logins before that date.

If you use a note entering app on your phone, you may want to contact the app developer to make sure your favourite app gets updated. The EBT-Tool is also affected by this.

avij
Forum Moderator

Re: Notice to developers using the EBT API

Postby avij » Tue Sep 26, 2017 10:04 am

I'm told that iEBT was updated today and it will now do logins properly over HTTPS.

As far as I know, none of the Android apps have been updated to use https yet, and those will be blocked on Sunday unless they get updated prior to that day.

avij
Forum Moderator

Re: Notice to developers using the EBT API

Postby avij » Tue Oct 03, 2017 11:45 pm

Because the API does not allow sending an error message back to the app, I tried to be creative. This is now what happens when trying to use Massilia Dev's EuroBillTracker app (identified by user agent string "Android EurobillTracker application version:22" and "Android EurobillTracker application version:0" (the latter is probably a bug, it should show 22 in there as well)). The same is not possible with the €uroNotes app, because that app does not set the user agent string.

Image 1: http://miuku.net/tmp/Screenshot_20171004-001534.png
Image 2: http://miuku.net/tmp/Screenshot_20171004-013241.png

I'm still hoping that these apps could be updated, but I have been unable to contact the developers so the prognosis is bad. Perhaps there's someone in here who would like to write a new Android app from scratch.

Castanhola
Euro-Master

EBT API changes?

Postby Castanhola » Wed Oct 04, 2017 11:00 am

Did anything change in the EBT API a few days ago?
It seems the logout method changed and does not send the same feedback as before.

avij
Forum Moderator

Re: EBT API changes?

Postby avij » Wed Oct 04, 2017 11:09 am

Well I don't know ..

$ curl 'https://api.eurobilltracker.com/?m=logout&v=1&PHP_SESSID=123456789'
true


which matches the description on https://api.eurobilltracker.com/doc/api_logout.html and the description surely hasn't changed for a long time.

(*) the forum censors the PHPSESSID word, there should not be an underscore.

Castanhola
Euro-Master

Re: EBT API changes?

Postby Castanhola » Wed Oct 04, 2017 2:50 pm

avij wrote: $ curl 'https://api.eurobilltracker.com/?m=logout&v=1&PHP_SESSID=123456789'
true

I use JSON Helper to send commands to the EBT API and to get the answer.
It has worked perfectly for years. But a few days ago I started to get no answer from the logout method; now I get only "".
I need to change my script...
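The guidelines in the first post (HTTPS only, the .com host, app name and version in the User-Agent, results looked up by field name) and the logout exchange just above, as an added client-side helper that is not part of the original posts and not EBT's own code. The m= and v= query fields and the PHPSESSID parameter (no underscore, as avij notes) come from the curl example; the function names, the constructed session id and the assumption that other responses are JSON objects are mine.

```python
import json
from urllib.parse import urlencode, urlsplit

# .com is the supported host; the .eu names are deprecated per the guidelines.
API_BASE = "https://api.eurobilltracker.com/"
DEPRECATED_HOSTS = {"api.eurobilltracker.eu", "eurobilltracker.eu",
                    "www.eurobilltracker.eu"}


def user_agent(app_name, app_version):
    """Guideline: identify the application and its version in the User-Agent."""
    return f"{app_name}/{app_version}"


def api_url(method, version, **params):
    """Build an API call URL. The m= and v= fields follow the logout example in
    the thread; extra keyword arguments become further query parameters."""
    return API_BASE + "?" + urlencode({"m": method, "v": version, **params})


def url_problem(url):
    """Return None when a (configured) URL is acceptable, otherwise a reason:
    plain HTTP would send the login in the clear, .eu hosts are deprecated."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return f"EBT logins must use https, not {parts.scheme}"
    if parts.hostname in DEPRECATED_HOSTS:
        return "use eurobilltracker.com; the .eu host is deprecated"
    return None


def logout_succeeded(body):
    """The documented logout answer is the JSON literal true. Anything else,
    including the empty body reported in this thread, counts as failure
    instead of crashing the caller's script."""
    try:
        return json.loads(body) is True
    except ValueError:          # json.JSONDecodeError is a ValueError
        return False


def field(body, name):
    """Look up a result field by name, never by position: the server may add
    fields without bumping the API version. Returns None when absent or when
    the response is not a JSON object."""
    data = json.loads(body)
    return data.get(name) if isinstance(data, dict) else None


if __name__ == "__main__":
    url = api_url("logout", 1, PHPSESSID="123456789")   # constructed session id
    assert url_problem(url) is None
    print(user_agent("ExampleApp", "1.0"), url, logout_succeeded("true"))
```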

Uns' Uwe
Euro-Newbie

Re: Notice to developers using the EBT API

Postby Uns' Uwe » Sun Oct 08, 2017 3:05 pm

avij wrote: I'm still hoping that these apps could be updated, but I have been unable to contact the developers so the prognosis is bad. Perhaps there's someone in here who would like to write a new Android app from scratch.


I've been using MassiliaDev's Android app for a couple of years, and I was surprised when I got the error message you posted. I, too, tried to contact him at the mail address given in the contacts section at Google Play. I guess your mail bounced, and so did mine. Instead of writing a postcard (cool idea, BTW) I googled his name, hoping to find some alternative way to contact him electronically.

The second hit was...an obituary. :(

Given the fact that one of the other apps he had published on Google Play is a tour guide app for Vallon-Pont-d'Arc, and that his funeral has taken place in Vallon-Pont-d'Arc, it seems very likely that it's the same Franck Gimond we've been looking for.

Deep sympathy to his family...

