HTTPS enabled by default – nice one Twitter!

Twitter wins the award for grooviest website of the day, because of the great move they have announced which will help protect the privacy of millions of users.

Twitter has announced that it has enabled HTTPS by default for all users, which is a particularly good thing if you access Twitter from a public WiFi hotspot, such as a coffee shop or hotel lobby.

If you log into Twitter over unencrypted WiFi – for instance, at an airport lounge or at a conference – and you don’t have HTTPS enabled, then a hacker could sniff your session cookie. And anyone who can sniff your session cookie can pretend to be you.

That means they can post tweets as you or read your private direct messages. And you don’t want that.

Turning on full-time Twitter HTTPS keeps your session cookie encrypted throughout your login session. That’s definitely a good thing.

HTTPS on Twitter

And don’t imagine that “sniffing session cookies from unencrypted connections” is rocket science.

It isn’t.

Tools such as Firesheep have made it child’s play in the past for anyone to access the Twitter or Facebook account of someone close by if they haven’t taken the right precautions.

Just ask Ashton Kutcher.

Last year, Kutcher attended the brainbox TED Conference, and connected to the unencrypted WiFi hotspot provided. A nearby hacker was able to jump onto Kutcher’s Twitter session and post pro-SSL graffiti in his name.

Ashton Kutcher's hacked Twitter account

Twitter first announced that it was planning to roll out HTTPS by default last August, so it’s great to see the process finally completed.

Ashton, and many Twitter devotees like him, will now be better protected – without having to be told to change their settings.

So, it’s a case of “Well done Twitter”.

But what about the other big social networks?

With Google Plus, things are simple. It has always had HTTPS turned on. Nice one.

With Facebook, however, it’s a different story.

Although the social networking giant gave users the option to enable HTTPS/SSL a year ago, it is still disabled by default and even when enabled only claims it will be used “when possible”.
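The difference between "HTTPS by default" and "HTTPS when possible" comes down to two response headers a site can check for itself: the Secure attribute on the session cookie (so the browser never sends it over plain HTTP) and a Strict-Transport-Security header (so the browser stays on HTTPS for the site). The script below is an added example, not code from this article, from Twitter or from Facebook; it audits a set of HTTP response headers for exactly those two settings. The header sets and the cookie name `sid` are constructed for illustration.

```python
"""
Audit HTTP response headers for the session-cookie exposure the article
describes: a session cookie without the Secure attribute is sent by the
browser on plain-HTTP requests too, where anyone on the same unencrypted
WiFi can read it. Added illustration; the header sets below are constructed,
not captured from any real site.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CookieAudit:
    name: str
    secure: bool      # Secure attribute present: only sent over HTTPS
    http_only: bool   # HttpOnly attribute present: not readable by page scripts
    samesite: str     # SameSite value, or "" if absent

    @property
    def exposed_over_http(self) -> bool:
        """True if a plain-HTTP request to the site would carry this cookie."""
        return not self.secure


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value (RFC 6265 style) into a CookieAudit."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate a trailing ";"
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieAudit(
        name=name,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        samesite=attrs.get("samesite", ""),
    )


def has_hsts(headers: List[Tuple[str, str]]) -> bool:
    """True if the response tells browsers to use HTTPS only (HSTS)."""
    return any(k.lower() == "strict-transport-security" for k, _ in headers)


def audit_response(headers: List[Tuple[str, str]], session_cookie_name: str) -> Dict[str, object]:
    """Summarise whether the named session cookie could be sniffed over plain HTTP."""
    cookies = [parse_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]
    session = next((c for c in cookies if c.name == session_cookie_name), None)
    hsts = has_hsts(headers)
    findings: List[str] = []
    if session is None:
        findings.append(f"no Set-Cookie for {session_cookie_name}")
    else:
        if session.exposed_over_http:
            findings.append(f"{session_cookie_name} lacks Secure: sent over plain HTTP too")
        if not session.http_only:
            findings.append(f"{session_cookie_name} lacks HttpOnly")
    if not hsts:
        findings.append("no Strict-Transport-Security: http:// links still load over HTTP")
    # "ok" only if the cookie exists, is Secure, and HSTS keeps later requests on HTTPS
    ok = session is not None and session.secure and hsts
    return {"ok": ok, "findings": findings}


# Constructed sample: an "HTTPS when possible" style response. The cookie was
# set over HTTPS but lacks Secure, so any later http:// request still carries it.
OPTIONAL_HTTPS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
]

# Constructed sample: an "HTTPS by default" style response. Secure keeps the
# cookie off plaintext connections; HSTS keeps the browser on HTTPS for the site.
HTTPS_DEFAULT = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, hdrs in (("optional HTTPS", OPTIONAL_HTTPS), ("HTTPS by default", HTTPS_DEFAULT)):
        result = audit_response(hdrs, "sid")
        print(label, "->", "ok" if result["ok"] else "exposed", result["findings"])
```

Run against the first header set the audit reports the cookie as exposed, because a site that serves HTTPS "when possible" but leaves the cookie unflagged still lets the browser hand it over on the first plaintext request; the second set passes both checks, which is what "HTTPS by default, throughout the login session" means at the header level.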

Facebook https setting - disabled by default

If you want to try using Facebook with HTTPS/SSL enabled, read more and watch the accompanying video.

We look forward to the time when Facebook feels it’s ready to enable HTTPS/SSL by default, and use it throughout users’ time on the site.

In the meantime, Twitter wins our award for favourite social network of the day. 🙂