Twitter turns on HTTPS by default to protect Wi-Fi users

Twitter has joined a short list of major web brands that have turned on the secure browsing capability, HTTPS, by default.

The company -- which made opt-in HTTPS available to users for the first time last March -- said that, effective immediately, the encrypted protocol, which prevents the unauthorized hijacking of private sessions and data, will be turned on by default for all users.

"This setting makes your Twitter experience more secure by protecting your information, and it's especially helpful if you use Twitter over an unsecured internet connection like a public Wi-Fi network," a Monday blog post said.

In January 2010, Google became one of the first major web communication companies to adopt HTTPS across a site, in this case Gmail. A turning point, though, came 10 months later, when a researcher unveiled a Firefox plug-in, known as Firesheep, that permits anyone to scan open Wi-Fi networks and hijack live sessions.

Many organizations have for some time encrypted their login pages, but once users move past that entry point, they become susceptible to eavesdropping or man-in-the-middle attacks. And thanks to rogue wireless hotspots and advancements in programs such as Firesheep, the threat has morphed into a major risk.

Security experts such as Graham Cluley, senior technology consultant at Sophos, praised Twitter's decision.

"If you log into Twitter over unencrypted Wi-Fi -- for instance, at an airport lounge or at a conference -- and you don't have HTTPS enabled, then a hacker could sniff your session cookie," he wrote in a blog post. "And anyone who can sniff your session cookie can pretend to be you. That means they can post tweets as you or read your private direct messages. And you don't want that."

Clearly, a full transition to HTTPS is the more secure option. But some sites have been reluctant because of cost and the chance that some content may render more slowly over an encrypted connection, thus annoying customers.

In January 2011, Facebook unveiled HTTPS but still has not made it available by default.
