Friday, 7 October 2011

Twitter Starts Turning on HTTPS by Default



Twitter has begun setting users to use HTTPS for all connections by default. Twitter PR announced this in a tweet recently which linked to a support document which explains more.

HTTPS, also known as SSL, authenticates the web site and encrypts all communications between the client and server. When used with plain-text HTTP, traffic from sites like Twitter can be monitored, even modified, by other users on the network. This has always been true and known, but the problem gained currency with the release last year of the Firesheep tool which made the process, known as 'sidejacking', easy.
 


The simplest, and best solution to the problem is for sites to use HTTPS at all times. Google has been especially aggressive with this, having moved GMail to all HTTPS some time ago. Other sites, including Facebook and Twitter, have been moving slowly and gradually.

With both Twitter and Facebook (and many other sites) there is a per-account setting to tell the service always to use HTTPS with the user. This is the setting which Twitter has begun to enable by default for some users. If the user connects and authenticates with HTTP the service can then switch them over. A conscientious user can close even that hole by connecting always to, for example, https://www.twitter.com/.

Eventually Twitter will enable the setting for all users, at which point the setting itself becomes meaningless. They may as well just redirect all HTTP connections to the HTTPS site, or use the new HSTS standard which tells compliant browsers that the site only accepts HTTPS.

0 comments:

Post a Comment