Twitter Supports HTTPS Encryption to Bolster Security

 
 
By Fahmida Y. Rashid  |  Posted 2011-03-15
 
 
 

At long last, Twitter is rolling out HTTPS to provide a layer of security for users looking for a way reduce the chances that hackers will eavesdrop on their social networking.

Users now have the option to choose the application security setting to always use HTTPS when accessing Twitter.com, Carolyn Penner, a Twitter spokesperson, wrote in a blog post late afternoon on March 15. While users have had the option to use HTTPS by going to https://www.twitter.com, the company decided to make it simpler by just adding the option to always use the secure protocol, according Penner.

"We're taking an important step to make it easier to manage the security of your Twitter experience," wrote Penner.

HTTPS is the default setting for a "number of clients and activities," such as the official Twitter for iPhone and iPad mobile applications. Regardless of whether the user has the option enabled, the actual log-in process is done over HTTPS, according to Penner. The option forces the browser to maintain the HTTPS connection the entire time the user is on the site. "In the future, we hope to make HTTPS the default setting," she said.

The user setting for HTTPS is available as a checkbox at the bottom of the account settings page "Always use HTTPS." Once enabled, whenever the user accesses the Twitter Website, their connection will be encrypted, even if they are connecting over an unsecured Internet network, such as a public hot spot, Penner said.

The option does not currently apply for users accessing Twitter from a mobile browser, Penner said. Mobile users will need to go to https://mobile.twitter.com for the time being, but the company is working to roll out the security setting for mobile devices as well, according to Penner.

Third-party applications, such as HootSuite and TweetDeck, will be responsible for implementing and maintaining HTTPS for their applications, according to Twitter.

Twitter's latest security move comes after the Federal Trade Commission finalized the settlement with the microblogging site to establish a rigorous information security policy to protect user accounts.

One person who will likely applaud Twitter's move is U.S. Sen. Charles Schumer, who reportedly sent letters two weeks ago to Amazon, Twitter and several other popular Websites about switching to the more secure protocol. As users increasingly take advantage of open WiFi connections at bookstores and coffee shops, the sites need to secure log-in credentials and user credit card information, Schumer said.

For Firefox users, Twitter over HTTPS was already a reality as an "HTTPS Everywhere" Firefox extension. The extension rewrote all requests to a wide range of sites to using the HTTPS protocol.

"We wanted a way to ensure that every search our browsers sent was encrypted," said Peter Eckersley, senior technologist at the Electronic Frontier Foundation, who worked on the plug-in.

Twitter is following what other companies have done recently. Google made HTTPS the default for all Gmail in January 2010, and Facebook rolled out the option for users in February this year. While a lot of security experts would have liked to see HTTPS as the default on the social networking site, it was still better than nothing.

Rocket Fuel