Twitter starts rolling out HTTPS by default - good news for security and Ashton Kutcher

Filed Under: Data loss, Privacy, Social networks, Twitter

In a step which will be welcomed by its security-conscious users, Twitter has announced that it is beginning to turn on HTTPS by default.

Why is this important? Just ask Ashton Kutcher.

Kutcher attended the brainbox TED Conference earlier this year, and connected to the unencrypted WiFi hotspot provided. A nearby hacker, possibly using a tool such as Firesheep, was able to jump onto Kutcher's Twitter session and post pro-SSL graffiti in his name.


Unfortunately, if you log into Twitter over unencrypted WiFi - e.g. at a coffee shop or an airport lounge - and you don't have HTTPS enabled, then a hacker could sniff your session cookie. And anyone who can sniff your session cookie can pretend to be you.

That means they can post tweets as you or read your private direct messages. And you don't want that.

Turning on full-time Twitter HTTPS keeps your session cookie encrypted throughout your login session. That's definitely a good thing.
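As an added example (not Twitter's code or the author's), here is a small Python audit of the response headers that decide whether a session cookie stays inside the encrypted connection: a cookie without the Secure flag is sent by the browser over plain HTTP as well, which is exactly what an open-WiFi sniffer relies on, and without an HSTS header the browser may still make that first plaintext request. Cookie names, the sample headers and the helper names are constructed for this illustration.

```python
from http.cookies import SimpleCookie

# Constructed list of cookie names this check treats as session cookies.
SESSION_NAMES = {"session", "auth_token"}


def audit_headers(headers):
    """Return a list of findings for a list of (header-name, value) pairs.

    Flags session cookies that lack Secure (leak over plain HTTP) or
    HttpOnly (readable by injected script) and a missing HSTS header.
    """
    findings = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)  # parses "name=value; Path=/; Secure; ..." into morsels
            for key, morsel in jar.items():
                if key in SESSION_NAMES or "sess" in key.lower():
                    if not morsel["secure"]:
                        findings.append(f"{key}: no Secure flag, sent over plain HTTP too")
                    if not morsel["httponly"]:
                        findings.append(f"{key}: no HttpOnly flag")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header, first request may be HTTP")
    return findings


def secure_session_cookie(name, value, max_age=3600):
    """Build a Set-Cookie value that only travels inside HTTPS (hypothetical helper)."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


# Constructed sample: the weak setup the article warns about, then the hardened one.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", secure_session_cookie("session", "abc123")),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["ok"])
```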

So it's great to see the following official statement from Twitter.

Other websites which handle personal accounts are waking up to the issue of HTTPS/SSL encryption too.

Google has led the way on enforcing HTTPS usage, with products like Gmail, Google Docs and Google+ already making an SSL connection mandatory.

HTTPS is still optional on Facebook, but there are hopes that the social networking giant will enforce its use later this year once third-party apps play ball.

I would certainly recommend enabling HTTPS on both Facebook and Twitter. On Twitter you can set the option by visiting your account settings page.


And if you're on Facebook, watch this short video by Naked Security's Chet Wisniewski which shows how to enable full SSL/HTTPS encryption.

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)


5 Responses to Twitter starts rolling out HTTPS by default - good news for security and Ashton Kutcher

  1. Julia · 1504 days ago

    It just about says it all about Facebook's security settings really, that whilst you can show us how to turn on https on Twitter with a small, single screen shot, you have to provide a video nearly two minutes long to show us how to do it on Facebook... ;-)

    • Yuliy · 1488 days ago

      Huh? 3/4 of that video is just explaining why you should do it. The instructions are simple, account->account settings -> security settings->secure browsing.

  2. I wonder if the connection is still secure for those who use third-party apps on their mobile phones like TweetCaster or TweetDeck... or even HootSuite? Would love to see a follow-up article on this. Good info, thanks!

  3. The option to enable security is slightly different for me. The security is on a separate tab on the left hand nav bar under account settings (see

  4. After looking at a security RT by somebody not from Sophos I got an idea. The string [1] that really made me think was "Please spread the word". Support is an official Twitter account... Can't they put a security tweet, such as the one above, as the first tweet in all users' timelines? That's a bit of a hack [2] though, maybe in a pretty wrapping between the tweet tabs and the "What's Happening" text field. If some celeb with little security knowledge looked at this they would want to know what HTTPS is.

    1 - On a side note, it is probably best if I use text instead of string in say... an English paper... but I'm so used to using " to designate strings. In fact, not having a closing " (YES!!!) gives me jitters.

    2 - Sorry about using this definition here. Means an unpleasant and ugly workaround.


About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley.