Skip to main content

Twitter adds opt-in always-on HTTPS option

Twitter is finally giving its users the option of protecting their use of the site via always-on encryption, following in the footsteps of social networking giant Facebook to protect privacy and block Firesheep-like attacks.

The need for always-on encryption for sites that rely on simple cookie credentials once a user has logged in was highlighted late last year by the release of the Firesheep add-on for Firefox, which allowed users on a shared network connection - such as a Wi-Fi hotspot in a pub of coffee shop - to hijack social networking sessions and access private content illegitimately.

The techniques used by Firesheep were easily thwarted by accessing such sites via an encrypted HTTPS connection, which prevents those sharing your connection from easily sniffing the credentials stored in the cookie. Sadly, the vast majority of sites still fail to offer an always-on HTTPS connection, using encryption when entering passwords but dropping back to an unencrypted HTTP connection afterward.

Facebook led the charge in January this year following some high-profile account hijackings, adding an opt-in HTTPS facility to its site. The company is now joined by Twitter, which has taken the same route to improved security.

To enable the functionality, users are advised to access their Account Settings page and check the option at the bottom of the page - but there's a catch: the company warns that certain usage scenarios will result in the option being ignored, including access the Twitter Mobile site from a smartphone.

"We are working on a solution that will share the 'Always use HTTPS' setting across and, so you don’t have to think about which device you’re using when you want to check Twitter," Twitter's Carolyn Penner explained - but for now, users are advised to bookmark to ensure their security when using the service on mobile devices.

The trend towards always-on encryption is a positive one, with an increasing number of sites allowing its users to encrypt their entire sessions rather than just password entry - but it's a shame that the functionality is typically hidden away in the settings, rather than enabled by default.