Twitter turns on HTTPS by default to protect Wi-Fi users

Twitter has joined a short list of major web brands that have turned on the secure browsing capability, HTTPS, by default.

The company -- which made opt-in HTTPS available to users for the first time last March -- said that, effective immediately, the encrypted protocol, which prevents the unauthorized hijacking of private sessions and data, will be turned on by default for all users.

"This setting makes your Twitter experience more secure by protecting your information, and it's especially helpful if you use Twitter over an unsecured internet connection like a public Wi-Fi network," a Monday blog post said.

In January 2010, Google became one of the first major internet communication companies to adopt HTTPS across a site, in this case Gmail. A turning point, though, came 10 months later, when a researcher unveiled a Firefox plug-in, known as Firesheep, that permits anyone to scan open Wi-Fi networks and hijack live sessions.

Many organizations have for some time encrypted their login pages, but once users move past that entry point, they become susceptible to eavesdropping or man-in-the-middle attacks. And thanks to rogue wireless hotspots and advancements in programs such as Firesheep, the threat has morphed into a major risk.
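
The gap described above, as an added example that is not part of the original article: the sketch takes constructed Set-Cookie headers from an HTTPS login response and lists which cookies a browser would still send in cleartext on later http:// pages of the same host. The cookie names, the site.example host and the function names are assumptions, and domain and path matching are ignored.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie headers returned by an HTTPS login page.
LOGIN_SET_COOKIE = [
    "auth_session=3f9ac0de; Path=/; HttpOnly",  # no Secure attribute
    "csrf=91bd77; Path=/; Secure",
    "lang=en; Path=/",
]

# Constructed sample: pages on the same host visited after login.
POST_LOGIN_URLS = [
    "https://site.example/login",
    "http://site.example/home",
    "http://site.example/messages",
]


def parse_set_cookie(headers):
    """Return {cookie name: has Secure attribute} for each Set-Cookie header."""
    jar = {}
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            jar[name] = bool(morsel["secure"])
    return jar


def cleartext_exposure(set_cookie_headers, urls):
    """Map each plain-HTTP URL to the cookies a browser would send with it."""
    jar = parse_set_cookie(set_cookie_headers)
    exposed = {}
    for url in urls:
        if urlsplit(url).scheme == "http":
            # Browsers withhold Secure cookies from http:// requests,
            # so only cookies without the attribute travel unencrypted.
            exposed[url] = sorted(n for n, secure in jar.items() if not secure)
    return exposed


if __name__ == "__main__":
    report = cleartext_exposure(LOGIN_SET_COOKIE, POST_LOGIN_URLS)
    for url, names in report.items():
        print(f"{url}: sent in cleartext -> {', '.join(names) or 'none'}")
```

When every post-login URL is https://, the report is empty, which is the effect of serving the whole site over HTTPS by default.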

Security experts such as Graham Cluley, senior technology consultant at Sophos, praised Twitter's decision.

"If you log into Twitter over unencrypted Wi-Fi -- for instance, at an airport lounge or at a conference -- and you don't have HTTPS enabled, then a hacker could sniff your session cookie," he wrote in a blog post. "And anyone who can sniff your session cookie can pretend to be you. That means they can post tweets as you or read your private direct messages. And you don't want that."

Clearly, a full transition to HTTPS is the more secure option. But some sites have been reluctant because of cost and the chance that some content may render more slowly over an encrypted connection, thus annoying customers.

In January 2011, Facebook unveiled HTTPS but still has not made it available by default.
