Twitter turns on HTTPS by default to protect Wi-Fi users
Twitter has joined a short-list of major web brands that have turned on the secure browsing capability, HTTPS, by default.
The company, which first offered HTTPS as an opt-in setting last March, said that, effective immediately, the encrypted protocol will be turned on by default for all users, protecting their sessions and data from eavesdropping and hijacking.
"This setting makes your Twitter experience more secure by protecting your information, and it's especially helpful if you use Twitter over an unsecured internet connection like a public Wi-Fi network," a Monday blog post said.
In January 2010, Google became one of the first major web companies to adopt HTTPS for an entire service when it made encryption the default for Gmail. A turning point, though, came 10 months later, when a researcher unveiled a Firefox plug-in, known as Firesheep, that lets anyone on an open Wi-Fi network capture other users' session cookies and take over their logged-in sessions with a click.
Many organizations have long encrypted their login pages, but once users move past that entry point the rest of the session runs over plain HTTP, where the session cookie that identifies them to the site is exposed to eavesdropping and man-in-the-middle attacks. Rogue wireless hotspots and point-and-click tools such as Firesheep have turned that exposure into a major risk.
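The gap described above, as an added example that is not from the original article or from Twitter: a login over HTTPS sets a session cookie, and the browser then attaches that cookie to every later request, including plain-HTTP ones, unless the cookie carries the Secure attribute (or the whole site is served over HTTPS). The script below uses Python's standard http.cookiejar, which enforces the Secure attribute the way a browser does, to show which cookies would travel in the clear. The host, paths and cookie names are constructed for the example.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed sample: Set-Cookie headers a site might send after an HTTPS login.
# "sid" lacks the Secure attribute; "sid_secure" has it. Both names are hypothetical.
LOGIN_URL = "https://example.com/login"
SET_COOKIE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly",
    "sid_secure=def456; Path=/; Secure; HttpOnly",
]


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar.extract_cookies() only
    needs an info() method returning a headers object with get_all()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def cookies_sent_to(jar, url):
    """Return the names of the cookies the jar would attach to a request for url.

    The jar applies the same Secure/domain/path rules a browser does, so a
    cookie marked Secure is withheld from an http:// request."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";"))


def simulate():
    """Log in over HTTPS, then see what leaks when the session continues over HTTP."""
    jar = http.cookiejar.CookieJar()
    login_req = urllib.request.Request(LOGIN_URL)
    jar.extract_cookies(FakeResponse(SET_COOKIE_HEADERS), login_req)
    return {
        # Same host, still encrypted: both cookies are sent, which is fine.
        "https": cookies_sent_to(jar, "https://example.com/home"),
        # Same host over plain HTTP: only the cookie without Secure is sent,
        # and it is exactly what a Firesheep-style sniffer would capture.
        "http": cookies_sent_to(jar, "http://example.com/home"),
    }


if __name__ == "__main__":
    for scheme, names in simulate().items():
        print(f"{scheme}: cookies sent = {names}")
```

Running the script shows that a session cookie set without the Secure attribute follows the user onto plain-HTTP pages, which is the leak Firesheep exploits. Marking the cookie Secure stops that leak, but it also breaks the site's HTTP pages for logged-in users, which is why the practical fix is to serve the whole session over HTTPS, as Twitter now does by default.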
Security experts such as Graham Cluley, senior technology consultant at Sophos, praised Twitter's decision.
"If you log into Twitter over unencrypted Wi-Fi -- for instance, at an airport lounge or at a conference -- and you don't have HTTPS enabled, then a hacker could sniff your session cookie," he wrote in a blog post. "And anyone who can sniff your session cookie can pretend to be you. That means they can post tweets as you or read your private direct messages. And you don't want that."
Clearly a full transition to HTTPS is the more secure option. But some sites have been reluctant because of the cost and the chance that some content renders more slowly over an encrypted connection, annoying customers.
In January 2011, Facebook added HTTPS as an opt-in option but still has not turned it on by default.