Twitter has announced it will begin to turn on HTTPS by default for all users. This is good news, as Web services need to start protecting their users from man-in-the-middle attacks.
Twitter rolled out HTTPS to its users earlier this year, but made it an optional setting. Users concerned about security had to enable HTTPS manually. This change, announced Aug. 23, would make Twitter one of the handful of sites that protect user accounts using HTTPS/SSL encryption.
Sites with SSL encryption have the URL begin with “HTTPS” in the browser’s address bar and some browsers display a padlock in the browser window. An encryption protocol used to protect communication between a client and a server, SSL ensures information transmitted over wireless networks are not intercepted.
Google already enforces HTTPS usage on many of its services, and SSL connections are mandatory for Gmail, Google Docs and Google+. While Facebook supports HTTPS, it’s optional and most third-party apps won’t run if the user has it enabled.
Many websites encrypt the user’s login and password at the login screen, and then switch back to normal connections. Sites may choose not to maintain SSL throughout a session over concerns that the interaction between the user and the Website could be occasionally slowed down.
Users logged into Twitter without HTTPS and over an unencrypted WiFi network, such as at a coffee shop or an airport lounge, are vulnerable to session hijackers with tools such as Firesheep to sniff the session cookie. A Web application developer named Eric Butler released Firesheep, a Firefox add-on that displays the content of cookies sent over unencrypted networks.
Anyone who can sniff the session cookie can pretend to the user, according to Graham Cluely, senior technology consultant at Sophos, wrote on the Naked Security blog.
If the site uses SSL, the cookie contents are encrypted and unavailable to the hijacker.
“Turning on full-time Twitter HTTPS keeps your session cookie encrypted throughout your login session,” Cluely said, adding, “That’s definitely a good thing.”
Actor Ashton Kutcher had his Twitter session hijacked when he connected to an unencrypted WiFi hotspot at the TED conference earlier this year. The hijacker was able to post a pro-SSL message on Kutcher’s feed.