Twitter Offers Users A Default SSL Setting

New 'Always use HTTPS' setting the next step toward default HTTPS for everyone, Twitter says

Twitter took a step closer to providing full-blown SSL encryption for all connections to its site: The social network today announced that users now can manually set their accounts to HTTPS by default.

The move comes on the heels of a similar offering by Facebook, as well as intensified criticism over Twitter's lack of full-blown SSL support. "For some time, users have been able to use Twitter via HTTPS by going to We've made it simpler for users to do this by adding the option to always use HTTPS," the company said in a blog post this afternoon.

Twitter already had implemented SSL by default for the login process via the Web and on its Twitter for iPhone and iPad applications. Still, not all Twitter access is SSL-protected: To get SSL from a mobile device, users still have to visit "We are working on a solution that will share the 'Always use HTTPS' setting across and, so you don't have to think about which device you're using when you want to check Twitter. If you use a third-party application, you should check to see if that app offers HTTPS," Twitter said in its blog.

The lack of default HTTPS for both Facebook's and Twitter's sites has been under the spotlight recently, starting with the arrival of the Firesheep tool last fall that simplifies "sidejacking," or hijacking someone's HTML session cookies over a WiFi connection. WiFi is notoriously risky, and most websites today aren't SSL-encrypted, leaving users open to having their sessions sniffed and hijacked when they log onto sites, such as Twitter, from the WiFi at Starbucks. Firesheep basically makes this type of attack easy enough for any nontechnical person to do: The tool pops up a window, you click the "Start Capturing" button, and it finds and displays user accounts currently on insecure websites via the WiFi network.

Twitter says the HTTPS user option will help protect members using Twitter over unsecured connections, such as WiFi. "In the future, we hope to make HTTPS the default setting," the Twitter blog said.

But as with Facebook's HTTPS option, the social network is leaving it up to the user to secure his or her access to the site, an approach that security experts say is flawed in that it expects nontechnical consumers to take the initiative. Even so, security experts applauded the move by the social network and are urging Twitter users to enable the new SSL setting.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights