In a step which will be welcomed by its security-conscious users, Twitter has announced that it is beginning to turn on HTTPS by default.
Why is this important? Just ask Ashton Kutcher.
Kutcher attended the brainbox TED Conference earlier this year, and connected to the unencrypted WiFi hotspot provided. A nearby hacker, possibly using a tool such as Firesheep, was able to jump onto Kutcher’s Twitter session and post pro-SSL graffiti in his name.
Unfortunately, if you log into Twitter over unencrypted WiFi – e.g. at a coffee shop or an airport lounge and you don’t have HTTPS enabled, then a hacker could sniff your session cookie. And anyone who can sniff your session cookie can pretend to be you.
That means they can post tweets as you or read your private direct messages. And you don’t want that.
Turning on full-time Twitter HTTPS keeps your session cookie encrypted throughout your login session. That’s definitely a good thing.
So it’s great to see the following official statement from Twitter.
We suggest using HTTPS for improved security. We're starting to turn this on by default for some users. More here: support.twitter.com/articles/48195.
Other websites which handle personal accounts are waking up to the issue of HTTPS/SSL encryption too.
Google has led the way on enforcing HTTPS usage, with products like Gmail, Google Docs and Google+ already making an SSL connection mandatory.
HTTPS is still optional on Facebook, but there are hopes that the social networking giant will enforce its use later this year once third-party apps play ball.
I would certainly recommend enabling HTTPS on both Facebook and Twitter. On Twitter you can set the option by visiting your account settings page.
And if you’re on Facebook, watch this short video by Naked Security’s Chet Wisniewski which shows how to enable full SSL/HTTPS encryption.
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)
Leave a reply