HTTPS enabled by default - nice one Twitter!


Twitter wins the award for grooviest website of the day, because of the great move it has announced which will help protect the privacy of millions of users.

Twitter has announced that it has enabled HTTPS by default for all users, which is a particularly good thing if you access Twitter from a public WiFi hotspot, such as a coffee shop or hotel lobby.

If you log into Twitter over unencrypted WiFi - for instance, at an airport lounge or at a conference - and you don't have HTTPS enabled, then anyone on the same network could sniff your session cookie, because your browser sends it in the clear with every request. And anyone who holds your session cookie can pretend to be you, without ever needing your password.

That means they can post tweets as you or read your private direct messages. And you don't want that.

Turning on full-time Twitter HTTPS keeps your session cookie encrypted throughout your login session, not just while you type in your password. That's definitely a good thing: the protection only holds if every request that carries the cookie travels over HTTPS, which is why "full-time" is the word that matters.
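To make the mechanism concrete, here is an added example (it is not code from the original post, and not Twitter's or Sophos's code). It parses a constructed plaintext HTTP request the way a hotspot sniffer would, pulling out the session cookie, and then audits a constructed Set-Cookie header for the Secure attribute, which is what stops a browser from ever sending that cookie over a later http:// request. The site name social.example and the cookie name _session_id are hypothetical.

```python
"""
Added example, not part of the original post and not any site's real code.

Two things the passage describes, shown concretely:
 1. What a sniffer on open WiFi sees: the Cookie header of a plaintext HTTP
    request, which is all an attacker needs to replay the session.
 2. The check that makes "HTTPS by default" actually protect the cookie: the
    Set-Cookie response header must carry the Secure attribute, otherwise the
    browser will still send the cookie over any http:// request the user
    (or an attacker-injected link) triggers.

All traffic below is constructed sample data. The host "social.example" and
the cookie name "_session_id" are hypothetical.
"""

from typing import Dict


def cookies_from_plaintext_request(raw_request: bytes) -> Dict[str, str]:
    """Parse the Cookie header out of a captured plaintext HTTP/1.x request.

    This is the sniffer's view: on unencrypted WiFi every byte of the request
    is visible, so the session cookie can be lifted straight out of it.
    Returns {} if there is no Cookie header (for example because the capture
    was TLS-wrapped and only ciphertext was seen).
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    cookies: Dict[str, str] = {}
    for line in lines[1:]:           # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"cookie":
            for pair in value.decode("latin-1").split(";"):
                k, _, v = pair.strip().partition("=")
                if k:
                    cookies[k] = v
    return cookies


def audit_set_cookie(set_cookie_header: str) -> Dict[str, object]:
    """Inspect one Set-Cookie header and report whether the cookie is
    protected against the attack described in the post.

    "Secure"   - browser only sends the cookie over HTTPS; without it, enabling
                 HTTPS on the site does not stop the cookie leaking on the
                 first http:// request.
    "HttpOnly" - cookie not readable from page script (defence in depth,
                 not what stops a network sniffer).
    """
    parts = [p.strip() for p in set_cookie_header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return {
        "name": name,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "safe_on_open_wifi": "secure" in attrs,
    }


# Constructed sample: what Firesheep-style sniffing sees when a logged-in user
# loads a page over plain HTTP on a shared hotspot.
SNIFFED_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: social.example\r\n"            # hypothetical site
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: _session_id=9f8e7d6c5b4a; lang=en\r\n"
    b"\r\n"
)

# Constructed sample responses: the same cookie issued without and with the
# Secure attribute.
WEAK_SET_COOKIE = "_session_id=9f8e7d6c5b4a; Path=/; HttpOnly"
STRONG_SET_COOKIE = "_session_id=9f8e7d6c5b4a; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    stolen = cookies_from_plaintext_request(SNIFFED_REQUEST)
    print("sniffed cookies:", stolen)
    for hdr in (WEAK_SET_COOKIE, STRONG_SET_COOKIE):
        print(audit_set_cookie(hdr))
```

Run it and the first function returns exactly the cookie a sniffer would replay, while the second flags the header without a Secure attribute as unsafe on open WiFi and the one with it as safe. The practical point for any site switching HTTPS on by default is that second check: if the session cookie is not marked Secure, one stray http:// request, say an image or a link on the page, still sends it in the clear.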

HTTPS on Twitter

And don't imagine that "sniffing session cookies from unencrypted connections" is rocket science.

It isn't.

Tools such as Firesheep (a Firefox extension that listened for session cookies on an open network and offered the captured sessions up as one-click logins) have made it child's play in the past for anyone to access the Twitter or Facebook account of someone close by if they haven't taken the right precautions.

Just ask Ashton Kutcher.

Last year, Kutcher attended the brainbox TED Conference, and connected to the unencrypted WiFi hotspot provided. A nearby hacker was able to jump onto Kutcher's Twitter session and post pro-SSL graffiti in his name.

Ashton Kutcher's hacked Twitter account

Twitter first announced that it was planning to roll out HTTPS by default last August, so it's great to see the process finally completed.

Ashton, and many Twitter devotees like him, will now be better protected - without having to be told to change their settings.

So, it's a case of "Well done Twitter".

But what about the other big social networks?

With Google Plus, things are simple. It has always had HTTPS turned on. Nice one.

With Facebook, however, it's a different story.

Although the social networking giant gave users the option to enable HTTPS/SSL a year ago, it is still disabled by default, and even when enabled Facebook only claims it will be used "when possible", so there is no guarantee that the whole session stays encrypted.

Facebook https setting - disabled by default

If you want to try using Facebook with HTTPS/SSL enabled, a separate guide and accompanying video walk through where the setting lives.


We look forward to the time when Facebook feels it's ready to enable HTTPS/SSL by default, and use it throughout users' time on the site.

In the meantime, Twitter wins our award for favourite social network of the day. :)


About the author

Graham Cluley is senior technology consultant at Sophos. The readers of Computer Weekly voted him security blogger of the year in 2009 and 2010, and he pipped Stephen Fry to the title of "Twitter user of the year" too. Which was nice. He was also named "Best Security Blogger" by the readers of SC Magazine in 2011. You can subscribe to Graham's updates on Facebook, follow him on Twitter and circle him on Google Plus for regular updates.