
New SSL Certificates are not a problem for anyone using the 140dev code

by Adam Green on November 20, 2013

in Announcements, Phirehose, Twitter OAuth

Twitter posted a notice today about the need for new SSL certificates:

At the end of 2013, all Browsers and Certificate Authorities will no longer support 1024 bits RSA certificates to be compliant to National Institute of Standards and Technology (NIST) guidelines [1].

The SSL certificate currently used on api.twitter.com is signed with the older Verisign G2 root CA certificate.

Due to NIST guidelines, api.twitter.com will change to a new certificate on Dec 10th, 2013. The new certificate will be signed with VeriSign Class 3 Secure Server CA – G3, which has the 2048 bits key length needed to meet recommended security levels.

This means that all HTTP clients used by your application must trust the new root certificate, otherwise you won’t be able to connect to the API. To ensure proper SSL certificate verification across all of Twitter’s services, your software should include all Verisign Root Certificates in its CAFile or other respective keystore. The root certificates are available at the following link:
* Verisign (https://www.symantec.com/page.jsp?id=roots)

I have to admit here that I don’t really know what an SSL certificate is. I know that it is a file that allows SSL to work, but beyond that my perception of this announcement was like Bart Simpson’s dog:

Blah blah blah Dec 10th blah blah everything breaks blah blah.

What I could tell was that I might need to download something and warn everyone using my code to do the same. So I immediately sent queries to the authors of Phirehose and tmhOAuth, the two libraries upon which all my Twitter code depends. The responses were that we are all good, and I could just ignore this cryptic, yet frightening warning.

Fenn Bailey, author of Phirehose, replied:

Phirehose has no visibility of SSL itself but simply uses PHP (and your OS’s) SSL layer. Basically, if PHP will work with these new certificates, Phirehose will.

And Matt Harris, author of tmhOAuth, said:

If you use the included cacert.pem you’ll be using the same SSL CA roots that Mozilla uses as of Sat Dec 29 20:03:40 2012 (the latest version) — so things should be fine.

Hooray! Everything is good. Nothing to worry about. If you were as mystified as me by the SSL certificate announcement, you can relax.

On a personal level, this lack of understanding of the layers beneath the code that I produce is like the perception of other scientific disciplines when I was in college. I was an organic chemistry major, and we used to laugh at the molecular biology majors, because they didn’t have good enough memories to hack Organic Chem. The physical chemists used to laugh at us, because we couldn’t handle the math to understand Pchem. The physicists laughed at the physical chemists, because they couldn’t base all their work on Quantum Theory. Who knows what the mathematicians thought of the physicists.

Modern Web development has so many moving parts and layers in its software stack that you just have to trust that the guys building the parts your code rests on know what they are doing. I just wish that the Twitter folks understood that many of their 3rd party devs are not CS majors, and yet we are able to build lots of cool apps.
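
For readers who want to inspect a CA bundle such as the cacert.pem mentioned above rather than take it on trust, the following PHP script reports the RSA key size of every certificate in a PEM file and flags keys below 2048 bits. It is an added example, not code from 140dev, Phirehose or tmhOAuth; the function names are hypothetical, and the two throwaway certificates it generates when run without arguments are constructed sample input. It assumes PHP with the openssl extension and a usable openssl.cnf.

```php
<?php
// Added example: audit the RSA key size of every certificate in a PEM CA bundle.

// Split a PEM bundle into its individual certificate blocks.
function split_pem_bundle(string $bundle): array {
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $bundle, $m);
    return $m[0];
}

// One row per certificate: subject, key size, expiry date, and a weak-key flag.
function audit_bundle(string $bundle, int $minBits = 2048): array {
    $rows = [];
    foreach (split_pem_bundle($bundle) as $pem) {
        $info = openssl_x509_parse($pem);
        $key  = openssl_pkey_get_public($pem);
        if ($info === false || $key === false) {
            // Report damaged entries instead of silently skipping them.
            $rows[] = ['subject' => '(unparseable)', 'bits' => 0, 'expires' => '-', 'weak' => true];
            continue;
        }
        $details = openssl_pkey_get_details($key);
        $rows[] = [
            'subject' => $info['subject']['CN'] ?? $info['name'],
            'bits'    => $details['bits'],
            'expires' => gmdate('Y-m-d', $info['validTo_time_t']),
            // Only RSA keys are judged here; EC keys use different size rules.
            'weak'    => $details['type'] === OPENSSL_KEYTYPE_RSA && $details['bits'] < $minBits,
        ];
    }
    return $rows;
}

// Constructed sample input: a throwaway self-signed certificate of the given key size.
function make_test_cert(string $cn, int $bits): string {
    $key = openssl_pkey_new(['private_key_bits' => $bits, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $csr = openssl_csr_new(['commonName' => $cn], $key, ['digest_alg' => 'sha256']);
    $crt = openssl_csr_sign($csr, null, $key, 365, ['digest_alg' => 'sha256']);
    openssl_x509_export($crt, $pem);
    return $pem;
}

// Audit the file named on the command line, or the constructed two-certificate bundle.
$bundle = isset($argv[1])
    ? file_get_contents($argv[1])
    : make_test_cert('Constructed 1024-bit root', 1024) . make_test_cert('Constructed 2048-bit root', 2048);

foreach (audit_bundle($bundle) as $row) {
    printf("%-5s %5d bits  %s  %s\n", $row['weak'] ? 'WEAK' : 'ok', $row['bits'], $row['expires'], $row['subject']);
}
```

Passing the path of a bundle as the first argument audits that file instead of the constructed certificates.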
