by rich in on September 29, 2009
On January 4, 2010, the first Monday of the new year, we will be disabling weak SSL protocols. This change affects both API and browser users.
The protocols we are disabling are:
We are disabling these protocols to enhance the security of our users' financial data as it is passed over the Internet. SSLv2 has several published vulnerabilities and should not be considered secure, and keys shorter than 128 bits are no longer considered sufficiently resistant to compromise. The Wikipedia article on TLS and SSL contains some background information on the vulnerabilities in these protocols.
Analyzing the last month's worth of traffic suggests that this will affect a very small number of users. We have contacted all affected integrations with whom we have existing relationships. We will continue to monitor our logs to look for any other SSLv2 or short keylength users whom we have missed.
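A sketch of the kind of log review described above, as an added example that is not FreshBooks' own code: it flags clients that negotiated SSLv2 or a key shorter than 128 bits. The log format (client IP, protocol, cipher, key size in bits, quoted user agent), the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines. Assumed format: client IP, negotiated protocol,
# cipher name, effective key size in bits, quoted user agent.
SAMPLE_LOG = """\
203.0.113.10 TLSv1 AES256-SHA 256 "Mozilla/5.0 Firefox/3.5"
198.51.100.7 SSLv2 DES-CBC3-MD5 168 "legacy-api-client/1.0"
198.51.100.7 SSLv2 DES-CBC3-MD5 168 "legacy-api-client/1.0"
192.0.2.44 SSLv3 EXP-RC4-MD5 40 "old-integration/0.9"
192.0.2.45 TLSv1 DES-CBC-SHA 56 "batch-export/2.1"
203.0.113.11 SSLv3 RC4-SHA 128 "Mozilla/4.0 MSIE 7.0"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "([^"]*)"$')
MIN_KEY_BITS = 128  # the post's threshold: keys shorter than 128 bits

def weak_reasons(protocol, key_bits):
    """List why a connection would be refused after the change (empty if fine)."""
    reasons = []
    if protocol.upper() == "SSLV2":
        reasons.append("SSLv2")
    if key_bits < MIN_KEY_BITS:
        reasons.append(f"{key_bits}-bit key")
    return reasons

def affected_clients(log_text):
    """Return ({(ip, agent): {"reasons": set, "hits": int}}, unparsed_count)."""
    clients = defaultdict(lambda: {"reasons": set(), "hits": 0})
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # count unparsed lines so gaps in coverage are visible
            continue
        ip, protocol, _cipher, bits, agent = m.groups()
        reasons = weak_reasons(protocol, int(bits))
        if reasons:
            entry = clients[(ip, agent)]
            entry["reasons"].update(reasons)
            entry["hits"] += 1
    return dict(clients), skipped

if __name__ == "__main__":
    report, skipped = affected_clients(SAMPLE_LOG)
    for (ip, agent), info in sorted(report.items()):
        print(ip, agent, sorted(info["reasons"]), info["hits"])
    print("unparsed lines:", skipped)
```

Grouping by client and user agent turns raw hits into a contact list, and the unparsed-line count shows how much traffic the review could not classify.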
Modern browsers (Firefox 2+; IE 7+; Safari) disable these weak protocols by default.
If you have any questions or comments on our plan to disable these weak SSL protocols, please let us know.
by Sunir in Integrations, Development on September 10, 2009

FreshBooks now supports OAuth to make it easier to build and manage its third-party addons.
Today, we're proud to announce that we now support OAuth, an increasingly popular open protocol for secure API authorization. OAuth is used by many cool services such as Google Docs, Netflix, and Twitter, and we're glad to join the club!
Over the past year, FreshBooks has grown a large collection of third-party add-ons. Supporting OAuth will make it easier for customers to manage third-party add-ons' access to their FreshBooks data. Add-ons that support OAuth will no longer require customers to search for and then copy and paste their FreshBooks authentication token, which will be a huge relief to customers and third-party integrations alike.
More importantly, instead of sharing one authentication token with all third-party add-ons, OAuth creates a separate relationship with each add-on, all behind the scenes. That means customers will be able to turn access on and off for each add-on separately without affecting any others. This gives customers important control over who has access to their data, and when.
We strongly recommend all third-party add-ons use OAuth for secure authorization since we may eventually require it for all future add-ons.
For more information about OAuth you can read the official OAuth documentation available at the OAuth.net site as well as the FreshBooks OAuth documentation. Also, stay tuned to the Developer Blog for all future updates about OAuth and the FreshBooks API.
by Sunir in on August 25, 2009
For those who do not know, we provide links to resources in the API. You can get view, edit, and client view URIs to Invoices, Estimates, and Clients through either the .list or the .get methods. Just look for the <links/> element, for instance in Invoice.list.
We do not, however, guarantee that the format of these URIs will remain constant and indeed yesterday we changed the format to be more orthogonal and secure.
For most API users, the change will be transparent. As long as you are not storing or parsing the URIs, your code will continue to run correctly. If you have been storing the URIs, please note that we are rapidly deprecating the old format. End users who follow these URIs will be notified that the link is out of date. This may not suit your desired user experience--which is an understatement.
We truly apologize for any inconvenience. However, the new URI structure is greatly improved and we feel it is worth the short term pain. Please pardon our dust, as they say.