In a step which will be welcomed by its security-conscious users, Twitter has announced that it is beginning to turn on HTTPS by default.
Why is this important? Just ask Ashton Kutcher.
Kutcher attended the brainbox TED Conference earlier this year, and connected to the unencrypted WiFi hotspot provided. A nearby hacker, possibly using a tool such as Firesheep, was able to jump onto Kutcher’s Twitter session and post pro-SSL graffiti in his name.
Unfortunately, if you log into Twitter over unencrypted WiFi – e.g. at a coffee shop or an airport lounge and you don’t have HTTPS enabled, then a hacker could sniff your session cookie. And anyone who can sniff your session cookie can pretend to be you.
That means they can post tweets as you or read your private direct messages. And you don’t want that.
Turning on full-time Twitter HTTPS keeps your session cookie encrypted throughout your login session. That’s definitely a good thing.
So it’s great to see the following official statement from Twitter.
http://twitter.com/#!/twitterglobalpr/status/106077860170706944
Other websites which handle personal accounts are waking up to the issue of HTTPS/SSL encryption too.
Google has led the way on enforcing HTTPS usage, with products like Gmail, Google Docs and Google+ already making an SSL connection mandatory.
HTTPS is still optional on Facebook, but there are hopes that the social networking giant will enforce its use later this year once third-party apps play ball.
I would certainly recommend enabling HTTPS on both Facebook and Twitter. On Twitter you can set the option by visiting your account settings page.
And if you’re on Facebook, watch this short video by Naked Security’s Chet Wisniewski which shows how to enable full SSL/HTTPS encryption.
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)
It just about says it all about Facebook's security settings really, that whilst you can show us how to turn on https on Twitter with a small, single screen shot, you have to provide a video nearly two minutes long to show us how to do it on Facebook… 😉
Huh? 3/4 of that video is just explaining why you should do it. The instructions are simple, account->account settings -> security settings->secure browsing.
I wonder if the connection is still secure for those who use third-party apps on their mobile phones like TweetCaster or TweetDeck… or even HootSuite? Would love to see a follow-up article on this. Good info, thanks!
The option to enable security is slightly different for me. The security is on a seperate tab on the left hand nav bar under account settings (see http://i56.tinypic.com/2rxw8za.jpg)
After looking at a security RT by somebody not from Sophos I got an idea. The string [1] that really made think was "Please spread the word". Support is an official twitter account… Can't they put a security tweet, such as the one above, as the first tweet in all user's timelines. That's a bit of a hack [2] though, maybe in a pretty wrapping between the tweet tabs and the "What's Happening" text field. If some celeb with little security knowledge looked at this they would want to know what HTTPS is.
1 – On a side note, it is probably best if I use text instead of string in say… an English paper… but I'm so used to using " to designate strings. In fact, not having a closing " (YES!!!) gives me jitters.
2 – Sorry about using this definition here. Means an unpleasant and ugly workaround.