Security is of paramount importance in applications. APIs are the cornerstone of most applications today, and the importance of securing the data that flows through API calls cannot be overemphasized. Secure Sockets Layer (SSL) has been available to us for years now, and Google has made the first moves in using SSL across its suite of products, with a plan to roll out SSL for most of its developer APIs in the latter part of the year.
Adam Feldman from the Developer Team announced the incorporation of SSL into Google products and gave a roadmap of which Google products and APIs are next in line for SSL support. Several products like Gmail and Google Docs have already made the transition to mandating SSL. Even the Google Maps API is offering SSL to all developers. Several Developer APIs are next, and newer versions of APIs or completely new APIs will be SSL only.
The blog further states that “Beginning September 15, 2011, Google will require that all users of Google Documents List API, Google Spreadsheets API, and Google Sites API use SSL connections for all API requests.” Plain HTTP calls will be disallowed and will result in a 400 Bad Request response. So this is something that developers should note immediately and plan for. The good news is that the change should be transparent if you are using the Google Data Client libraries, or if you move to a newer version of the client API that supports SSL. If not, you will need to scan your code for all usages of “http:” and replace them with the “https:” scheme.
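The scan-and-replace step described above can be scripted. The following is an added example, not code from Google or the original post: it flags and rewrites plain-HTTP URLs only for an assumed list of feed hosts for the three APIs (`API_HOSTS`, which you should adjust to the endpoints your code calls), and the function names and sample lines are constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: feed hosts for the three APIs named above; edit to match your endpoints.
API_HOSTS = ("docs.google.com", "spreadsheets.google.com", "sites.google.com")

# Plain-HTTP scheme followed by exactly one of the hosts. The lookahead stops
# look-alike hosts such as docs.google.com.example.net from matching.
PLAIN_HTTP = re.compile(
    r"\bhttp://(?P<host>" + "|".join(map(re.escape, API_HOSTS)) + r")(?=[/:?#\"'\s]|$)",
    re.IGNORECASE,
)

def find_plain_http(text):
    """Return (line_number, stripped_line) for every line calling an API host over HTTP."""
    return [(n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if PLAIN_HTTP.search(line)]

def upgrade_to_https(text):
    """Rewrite only the matched API URLs; returns (new_text, replacement_count)."""
    return PLAIN_HTTP.subn(lambda m: "https://" + m.group("host"), text)

def scan_tree(root, suffixes=(".py", ".java", ".js", ".php", ".xml"), fix=False):
    """Report plain-HTTP API calls under root; with fix=True, rewrite the files."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # skip binary or non-UTF-8 files rather than corrupt them
        hits = find_plain_http(text)
        if hits:
            report[str(path)] = hits
            if fix:
                path.write_text(upgrade_to_https(text)[0], encoding="utf-8")
    return report

# Constructed sample source, not taken from any real project.
SAMPLE = '''feed = "http://docs.google.com/feeds/default/private/full"
sheets = "https://spreadsheets.google.com/feeds/spreadsheets/private/full"
sites = 'HTTP://sites.google.com/feeds/content/example.com/mysite'
lookalike = "http://docs.google.com.example.net/feeds"
atom_ns = "http://www.w3.org/2005/Atom"
'''

if __name__ == "__main__":
    for n, line in find_plain_http(SAMPLE):
        print(f"line {n}: {line}")
```

Restricting the rewrite to known API hosts matters because a blind replacement of every “http:” would also alter XML namespace URIs such as the Atom namespace, which are identifiers rather than request targets and must stay unchanged.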
Another related post worth reading from Google is Best Practices for User Authentication to ensure that you understand the options available for authenticating any Google user account. This is important so that you understand the 3 forms of authentication available to all Google APIs and the impact that it could have if you are doing programmatic account access in your application that uses the Google APIs.
Going the SSL route has its plus points for sure. But a good question to ask is: if SSL is widely acknowledged as the solution to a lot of data security concerns, then why are we not all on SSL yet? Scott Gilbertson at wired.com offers a balancing viewpoint in his aptly titled piece “HTTPS is more secure, so why isn’t the Web using it?”