informa
News

Twitter Offers Users A Default SSL Setting

New 'Always use HTTPS' setting the next step toward default HTTPS for everyone, Twitter says
Twitter took a step closer to providing full-blown SSL encryption for all connections to its site: The social network today announced that users now can manually set their accounts to HTTPS by default.

The move comes on the heels of a similar offering by Facebook, as well as intensified criticism over Twitter's lack of full-blown SSL support. "For some time, users have been able to use Twitter via HTTPS by going to https://twitter.com. We've made it simpler for users to do this by adding the option to always use HTTPS," the company said in a blog post this afternoon.

Twitter already had implemented SSL by default for the login process via the Web and on its Twitter for iPhone and iPad applications. Still, not all Twitter access is SSL-protected: To get SSL from a mobile device, users still have to visit https://mobile.twitter.com. "We are working on a solution that will share the 'Always use HTTPS' setting across twitter.com and mobile.twitter.com, so you don't have to think about which device you're using when you want to check Twitter. If you use a third-party application, you should check to see if that app offers HTTPS," Twitter said in its blog.

The lack of default HTTPS for both Facebook's and Twitter's sites has been under the spotlight recently, starting with the arrival of the Firesheep tool last fall that simplifies "sidejacking," or hijacking someone's HTML session cookies over a WiFi connection. WiFi is notoriously risky, and most websites today aren't SSL-encrypted, leaving users open to having their sessions sniffed and hijacked when they log onto sites, such as Twitter, from the WiFi at Starbucks. Firesheep basically makes this type of attack easy enough for any nontechnical person to do: The tool pops up a window, you click the "Start Capturing" button, and it finds and displays user accounts currently on insecure websites via the WiFi network.

Twitter says the HTTPS user option will help protect members using Twitter over unsecured connections, such as WiFi. "In the future, we hope to make HTTPS the default setting," the Twitter blog said.

But as with Facebook's HTTPS option, the social network is leaving it up to the user to secure his or her access to the site, an approach that security experts say is flawed in that it expects nontechnical consumers to take the initiative. Even so, security experts applauded the move by the social network and are urging Twitter users to enable the new SSL setting.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading: