
Google Mandates SSL For Developer APIs

API requests for Google Documents List, Google Spreadsheets, and Google Sites will be required to use secure sockets layer connections.
Google this week announced that it will soon begin requiring secure sockets layer (SSL) encryption to use more of its products, and in particular for the APIs that developers call to access Google's products and services.

Starting on September 15, "Google will require that all users of Google Documents List API, Google Spreadsheets API, and Google Sites API use SSL connections for all API requests," said Adam Feldman, who's part of the Google developer team, in a blog post. In other words, all calls will have to be made to an HTTPS address. Any HTTP requests will be rejected.

"We strongly recommend that you convert all your API clients as soon as possible to help protect your users' data," said Feldman. That's because using SSL prevents attackers from being able to intercept Google users' communications with the site.

Wireless eavesdropping has long been possible using off-the-shelf tools. But last year's release of Firesheep -- a free tool to automatically intercept people's communications with sites such as Google, Facebook, and Twitter, when browsed via unsecured WiFi connections -- brought widespread attention to the problem.

Most Google APIs already support SSL, and the Google Maps API this week began offering SSL to all developers. Previously, that feature was reserved for premium customers. Expect future APIs to be SSL-only. From a user standpoint, meanwhile, Gmail already defaults to SSL, Google Docs requires it, and Google now encrypts Web searches.

Google's new SSL requirements continue to place it well ahead on the encryption adoption curve. Starting in January 2010, for example, Google made HTTPS the default for accessing Gmail. For comparison, Facebook didn't begin rolling out HTTPS until January 2011.

Also this week, Twitter announced that it's added a persistent HTTPS feature to its site. The feature is available as the "Always use HTTPS" setting at the bottom of a user's settings page. Previously, users needed to browse to https://twitter.com to use SSL. Mobile users, however, must still log in using https://mobile.twitter.com to use SSL.

For now, HTTPS remains an optional feature for Twitter users, and isn't yet available via all third-party Twitter applications. "In the future, we hope to make HTTPS the default setting," said Carolyn Penner, who handles communications for Twitter, in a blog post.