Tuesday, March 15, 2011

Improving the security of Google APIs with SSL

We at Google go to great lengths to ensure every step is taken to protect our users’ data. As part of our ongoing effort to improve security everywhere, we will start requiring the use of SSL in many products. Requiring SSL improves security by encrypting data communications between users and Google, better protecting it from being intercepted by a malicious third party.

Some of these changes have already occurred. Many user-facing Google products now allow or require SSL, including encrypting Google web search, defaulting to SSL in Gmail, and requiring SSL in Google Docs. Next on our list is to improve SSL support for our developer-facing APIs. For most APIs, our technical documentation, client libraries and code samples already use SSL. Many new APIs and versions will be SSL only. Further, the Google Maps API, which previously offered SSL only to Premier customers, is offering SSL to all developers starting today.

Additionally, beginning September 15, 2011, Google will require that all users of the Google Documents List API, Google Spreadsheets API, and Google Sites API use SSL connections for all API requests. Specifically, this change will disallow all HTTP requests, which will be answered with an HTTP 400 Bad Request response. API requests will only be accepted via HTTPS. For example, a request to http://docs.google.com/feeds/default/private/full will no longer pull a list of a user's documents. Instead, the request must be made to https://docs.google.com/feeds/default/private/full.

This change should be transparent if you're using the most recent version of the Google Data client libraries, since they already use SSL for all requests. If you're not using the latest version, then please upgrade as soon as possible. If you're not using our client libraries, then simply change any use of an HTTP URL to its corresponding HTTPS version in your code. Your existing OAuth and AuthSub tokens will continue to work using the HTTPS URLs, even if they were requested with a scope that uses an ‘http://’ scheme.
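For developers who are not on the client libraries, the change above amounts to finding every plain-HTTP URL for the affected APIs and switching its scheme. The following is an added example, not code from this post or from the Google Data client libraries: it rewrites such URLs to HTTPS while leaving path, query and fragment intact, and scans a blob of source text for any that still use http://. The host list is an assumption (only docs.google.com is quoted in the post; the spreadsheets and sites hosts are filled in here), as is the sample client code, which is constructed for the example.

```python
"""Added example (not Google's code): find plain-HTTP Google Data API URLs
in client code and rewrite them to their HTTPS equivalents, as the post
asks developers who do not use the client libraries to do.

Assumptions (not from the post): the host list below stands in for the
three affected APIs; any other host is left untouched so unrelated URLs
are not rewritten blindly.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Hosts of the APIs the post says will reject HTTP from September 15, 2011.
# docs.google.com is the only host quoted in the post; the other two are
# assumed here for the Spreadsheets and Sites APIs.
SSL_REQUIRED_HOSTS = frozenset({
    "docs.google.com",
    "spreadsheets.google.com",
    "sites.google.com",
})

# Matches an http:// or https:// URL up to the first whitespace, quote or
# bracket, which is enough to pull URLs out of string literals and configs.
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def upgrade_to_https(url: str) -> str:
    """Return `url` with an https scheme if its host is one that now
    requires SSL. Path, query and fragment are preserved unchanged;
    URLs for other hosts, and URLs that are already https, are returned
    exactly as given."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in SSL_REQUIRED_HOSTS:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


def find_insecure_api_urls(source: str):
    """Scan source text (code, config, templates) and return a list of
    (line_number, url, fixed_url) for every plain-HTTP URL that points
    at an SSL-required host. Suitable as a pre-commit check before the
    cut-over date, since such requests will start failing with HTTP 400."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for url in URL_RE.findall(line):
            fixed = upgrade_to_https(url)
            if fixed != url:
                findings.append((lineno, url, fixed))
    return findings


# Constructed sample of client code, not taken from any real project.
# Line 1 must be rewritten; line 2 is a Maps URL (SSL offered but not
# required by the post, so it is left alone); line 3 is already HTTPS.
SAMPLE_CLIENT_CODE = """\
DOCS_FEED = "http://docs.google.com/feeds/default/private/full?alt=json"
MAPS_URL = "http://maps.google.com/maps/api/staticmap?center=Brooklyn"
SITES_FEED = "https://sites.google.com/feeds/content/site/example"
"""

if __name__ == "__main__":
    for lineno, url, fixed in find_insecure_api_urls(SAMPLE_CLIENT_CODE):
        print(f"line {lineno}: {url} -> {fixed}")
```

Only the scheme changes, which matches the post's note that existing OAuth and AuthSub tokens keep working against the HTTPS URLs even when their scope was requested with an http:// scheme; nothing in the token flow needs to be redone, just the request URL.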

Although we’re initially requiring SSL for only a few APIs (those whose traffic was already mostly over SSL), we strongly recommend that you convert all your API clients as soon as possible to help protect your users’ data. Check the documentation for each API for more information about that API's SSL support, including the updated Google Documents List API documentation, Google Spreadsheets API documentation, and Google Sites API documentation.

If you have any questions or concerns about this change, please follow up in the forums of the API you are using.

7 comments:

  1. I'm not thrilled about having to remember all the various little places that I've used one of these APIs and having to go in and change my code. I feel less likely to use Google APIs if using them means that I have to frequently maintain my code.

  2. @jacob: all software requires maintenance. Leaving software alone and thinking it does not is just silly.

    I applaud Google at moving over to https and am glad that these security precautions are beginning to cover a larger portion of Google products.

  3. Security is everywhere, user's security is Google's security. wireless security camera

  4. good stuff. the only thing that hurts is bouncing between SSL when App Engine can't use SSL (unless you use *.appspot.com). hope that changes soon.

  5. It is great to hear that we can access the Google Maps JavaScript API over HTTPS. This is useful for the many websites which are running over HTTPS and using the Google Maps JavaScript API.

  6. Great, but regarding APIs which allow access from another system, I think you should consider optional client-certificate-based authentication, because it is still userid/password-based authentication even if all communications are encrypted. (OAuth and federated authentication with a third-party service is one solution, but...)

  7. Google Static maps too I assume. Just tried it but does not work yet.
