HTTPS enabled by default - nice one Twitter!

Filed Under: Data loss, Facebook, Featured, Privacy, Social networks, Twitter

Twitter wins the award for grooviest website of the day, because of the great move they have announced which will help protect the privacy of millions of users.

Twitter has announced that it has enabled HTTPS by default for all users, which is a particularly good thing if you access Twitter from a public WiFi hotspot, such as a coffee shop or hotel lobby.

If you log into Twitter over unencrypted WiFi - for instance, at an airport lounge or at a conference - and you don't have HTTPS enabled, then a hacker could sniff your session cookie. And anyone who can sniff your session cookie can pretend to be you.

That means they can post tweets as you or read your private direct messages. And you don't want that.

Turning on full-time Twitter HTTPS keeps your session cookie encrypted throughout your login session. That's definitely a good thing.
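As an added illustration (not part of the original post), here is a small Python check, written from the defender's side, of whether a site's session cookie would still be sent over plain HTTP even after an HTTPS login. That is exactly the gap a "when possible" HTTPS setting leaves open: a cookie set without the Secure attribute travels unencrypted the next time the browser touches an http:// URL. The Set-Cookie headers and the example.com domain are constructed samples, and the list of session-cookie name fragments is an assumption.

```python
"""Check whether session cookies would leak over plain HTTP.
A cookie set without the Secure attribute is sent on any http:// request
to the site, so a login done over HTTPS can still be exposed the next time
the browser hits an unencrypted URL. Sample headers are constructed."""

# Assumed name fragments that usually indicate an authentication cookie.
SESSION_COOKIE_HINTS = ("sess", "auth", "token", "sid", "login")

# Constructed sample, not real Twitter or Facebook headers.
SAMPLE_HEADERS = [
    "auth_token=abc123; Domain=.example.com; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
    "sess_id=deadbeef; Path=/; HttpOnly",
]


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key:
            cookie[key] = val.strip()
    return cookie


def exposed_cookies(headers, final_scheme: str) -> list:
    """Names of session-looking cookies a browser would send unencrypted.
    If the site left us on http:// (no redirect to HTTPS) every cookie is
    exposed; otherwise only those missing the Secure attribute are."""
    exposed = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not any(h in cookie["name"].lower() for h in SESSION_COOKIE_HINTS):
            continue
        if final_scheme != "https" or not cookie["secure"]:
            exposed.append(cookie["name"])
    return exposed
```

To audit a live site, pass it the `Set-Cookie` headers from the final response after redirects together with the scheme of the URL you ended up on; a site that never redirected you to HTTPS exposes every cookie regardless of attributes.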

HTTPS on Twitter

And don't imagine that "sniffing session cookies from unencrypted connections" is rocket science.

It isn't.

Tools such as Firesheep have made it child's play in the past for anyone to access the Twitter or Facebook account of someone close by if they haven't taken the right precautions.

Just ask Ashton Kutcher.

Last year, Kutcher attended the brainbox TED Conference, and connected to the unencrypted WiFi hotspot provided. A nearby hacker was able to jump onto Kutcher's Twitter session and post pro-SSL graffiti in his name.

Ashton Kutcher's hacked Twitter account

Twitter first announced that it was planning to roll out HTTPS by default last August, so it's great to see the process finally completed.

Ashton, and many Twitter devotees like him, will now be better protected - without having to be told to change their settings.

So, it's a case of "Well done Twitter".

But what about the other big social networks?

With Google Plus, things are simple. It has always had HTTPS turned on. Nice one.

With Facebook, however, it's a different story.

Although the social networking giant gave users the option to enable HTTPS/SSL a year ago, it is still disabled by default, and even when enabled Facebook only promises that it will be used "when possible".

Facebook https setting - disabled by default

If you want to try using Facebook with HTTPS/SSL enabled read more, and watch the following video:


(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)

We look forward to the time when Facebook feels it's ready to enable HTTPS/SSL by default, and use it throughout users' time on the site.

In the meantime, Twitter wins our award for favourite social network of the day. :)


One Response to HTTPS enabled by default - nice one Twitter!

  1. Barb Frances · 980 days ago

    Thanks for the tip about using the Facebook security setting. I'll do it right away!


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.