TLS | Docs | Twitter Developer Platform
Connecting to Twitter API using TLS
TLS connections are required in order to access Twitter API endpoints. Communicating over TLS preserves user privacy and security by protecting information between the user and the Twitter API as it travels across the public Internet. Connections to the Twitter API require TLS version 1. 2.
Verification
Use an up-to-date root store
It’s important that your application or library use a trustworthy and up-to-date root store when verifying the Twitter certificate. Where possible, using the root store provided by your operating system may be the simplest approach here. Alternatively, the Mozilla (NSS) root store is well maintained in a public and transparent manner. Curl also provides a version of this store in PEM format.
Twitter currently issues the bulk of our certs from the DigiCert High Assurance EV Root CA, but this is not true for 100% of Twitter-related certificates and may not hold true forever, so trusting only the currently-used Digicert roots may lead to issues with your app in the future.
Check CRLs and the OCSP status¶
Many applications do not check the Certificate Revocation List for returned certificates or rely on the operating system to do so. Ensure that your application or TLS library is configured to force CRL and OCSP (Online Certificate Status Protocol) verification before accepting Twitter’s certificate.
CDNs
When showing Tweets that contain media, use the media_url_ attribute for the HTTPS URLs to use when showing images. In the future, all URLs served from API endpoints will provide HTTPS paths.
Provide an indication of security status
If possible, you should show an indication of the current status between your application and Twitter. Some web browsers indicate this by offering a Lock Icon, while others indicate the current connection state with descriptive messaging.
Twitter is updating its SSL certificates for api.twitter.com
The SSL Certificate for is currently signed against the Verisign G2 Root CA certificate. Verisign (recently acquired by Symantec) is no longer issuing new certificates against the G2 root (it expires in 2019. ) They are only currently issuing certificates against the Verisign G3 and G5 roots (for EV certificates).
As the certificate for is due to expire soon, we will be upgrading our servers with a new SSL Certificate that will be signed against the Verisign G3 root.
To ensure proper SSL certificate verification across all of Twitter’s services, your software should include all Verisign and Digicert Root Certificates in its CAFile or other respective keystore.
These are available from the respective vendors at:
Digicert —
Verisign —
For more guidelines on using SSL with the Twitter API, see our Guide to Connecting with SSL. If you’re continuing to have issues with the transition, you can join in on this discussion topic.
John AdamsTwitter Security
