Twitter Finally Bolsters Security, Enables HTTPS By Default

February 15, 2012

New York — In an attempt to thwart the growing menace from hackers, popular micro-blogging outfit Twitter this week took another step towards securing its network by joining the short list of major web brands that have turned on secure browsing, HTTPS, by default.

In an earlier blog post, Twitter noted that it had offered HTTPS as an option for accessing Twitter on the Web since last year, though not yet by default.

That changes now: “HTTPS will be active by default for all users, whenever you sign in to Twitter.com,” Twitter said in a blog post.

“This default setting makes your Twitter experience more secure by safeguarding your information, and it is significantly helpful if you use Twitter over an unsecured Internet connection like a public wi-fi network,” the post continued. “HTTPS is one of the best ways to keep your account safe and it will only improve with time as we continue to enhance HTTPS support on our web and mobile clients.”

However, Twitter said that users who still prefer not to adopt HTTPS can deactivate it via the Account Settings page.

Many organizations have for some time encrypted their login pages, but as soon as users moved past that entry point, they became prone to eavesdropping or man-in-the-middle attacks: the session cookie issued at login travels in the clear with every subsequent unencrypted request. And thanks to rogue wireless hotspots and advancements in tools such as Firesheep, the threat has morphed into a major risk.

Security experts such as Graham Cluley, senior technology consultant at Sophos, praised Twitter’s decision.

“If you log into Twitter over unencrypted Wi-Fi – for instance, at an airport lounge or at a conference – and you do not have HTTPS enabled, then a hacker could sniff your session cookie,” he wrote in a blog post. “And anyone who can sniff your session cookie can pretend to be you. That means they can post tweets as you or read your private direct messages. And you do not want that to happen.”
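The exposure described above, as an added illustration that is not Twitter's or Sophos's code: a small audit helper that parses the Set-Cookie headers returned by an HTTPS login and reports which cookies a browser would still attach to later plain-HTTP requests, which is exactly what a session-cookie sniffer on an open Wi-Fi network collects. The headers, host names and URLs are constructed sample data.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse

def parse_set_cookie(headers):
    """Parse Set-Cookie header values into {name: Morsel}."""
    jar = SimpleCookie()
    for header in headers:
        jar.load(header)
    return dict(jar)

def domain_matches(host, cookie_domain, origin_host):
    """Domain= covers subdomains; otherwise only the host that issued the cookie."""
    if cookie_domain:
        d = cookie_domain.lstrip(".").lower()
        return host == d or host.endswith("." + d)
    return host == origin_host

def sent_in_clear(morsel, origin_url, request_url):
    """True if the browser would attach this cookie to request_url over plain HTTP."""
    req, origin = urlparse(request_url), urlparse(origin_url)
    if req.scheme != "http":
        return False  # encrypted transport, nothing to sniff
    if not domain_matches(req.hostname, morsel["domain"], origin.hostname):
        return False
    if not req.path.startswith(morsel["path"] or "/"):
        return False
    # Without the Secure attribute, browsers send the cookie on http:// as well.
    return not morsel["secure"]

def exposed_cookies(set_cookie_headers, origin_url, later_urls):
    """Names of cookies that leak on at least one later plaintext request."""
    jar = parse_set_cookie(set_cookie_headers)
    return sorted(name for name, m in jar.items()
                  if any(sent_in_clear(m, origin_url, u) for u in later_urls))

# Constructed sample: an HTTPS login that issues a session cookie without Secure.
LOGIN_URL = "https://example.test/login"
SET_COOKIE = [
    "_session=abc123; Path=/; HttpOnly",          # no Secure flag: at risk
    "prefs=dark; Path=/; Secure",                 # Secure: never sent on http://
    "tracker=xyz; Domain=.example.test; Path=/",  # subdomain-wide, no Secure flag
]
LOGIN_ONLY = ["http://example.test/home", "http://api.example.test/timeline"]
HTTPS_DEFAULT = ["https://example.test/home", "https://api.example.test/timeline"]

if __name__ == "__main__":
    print("login-only HTTPS exposes:", exposed_cookies(SET_COOKIE, LOGIN_URL, LOGIN_ONLY))
    print("HTTPS by default exposes:", exposed_cookies(SET_COOKIE, LOGIN_URL, HTTPS_DEFAULT))
```

With only the login page encrypted, both unflagged cookies leak on the first plaintext page load; with HTTPS on every request nothing is exposed, and marking the session cookie `Secure` closes the gap even for sites that have not yet made the full switch.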

Clearly a full transition to HTTPS is the more secure option. But some sites have been reluctant because of the cost and the chance that some content may render more slowly over an encrypted connection, annoying customers. The latest move comes about a week after LinkedIn made encryption an opt-in service on its site; it will roll out gradually over the next few weeks, LinkedIn said in a blog post.

Furthermore, in January 2011, Facebook introduced the option to encrypt your Facebook session at all times, as well as a streamlined account authentication process. Hotmail has a similar option. In 2010, Google announced that it would encrypt Gmail at all times, not just during sign-on, and make the process an opt-out feature rather than opt-in.