Twitter turns on HTTPS to counter hackers

Summary: The social-networking service is giving users the option of always encrypting their web sessions, to prevent cookie-sniffing and impersonation

Twitter has turned on an encryption setting designed to thwart session-cookie hijacking and impersonation of users of the social-networking service.

People who use Twitter through a web browser can now choose a setting in their account that makes every session use HTTPS, the company said in a blog post on Tuesday. The technology, used in e-commerce and banking to protect web sessions, is based on the SSL/TLS encryption protocol.


Twitter is to offer users an HTTPS default connection when they access the social-networking site via the web. Photo credit: pixelbully

"Using HTTPS for your favourite internet services is particularly important when using them over unsecured Wi-Fi connections," the company said. Previously, people could browse Twitter using the encryption technology, but they had to log into a specific HTTPS version of the site.

To turn on the encryption for every session, Twitter users can go to 'Settings' and tick the 'Always use HTTPS' box. In introducing the security feature, Twitter is following a number of services, such as Facebook, which began offering an HTTPS option in January.

Turning on HTTPS makes it difficult for people to steal Twitter session cookies and use them to impersonate other users, security company Sophos said in a blog post on Wednesday.


Twitter uses a cookie to identify the user in a particular session. If a user logs in via unencrypted Wi-Fi, hackers can sniff the cookie and use it to pretend to be the user — something they have done to Ashton Kutcher and a number of other celebrities, according to Sophos.

Hackers can use a Firefox browser plug-in called Firesheep to automatically intercept cookies sent over unsecured Wi-Fi, the security company added.
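The mechanism behind the two preceding paragraphs, as an added illustration that is not code from the article, from Twitter or from Sophos: a passive sniffer on open Wi-Fi only has to read the Cookie header out of a plaintext HTTP request and replay it, which is what Firesheep automates. The example also models the browser rule that decides whether an "Always use HTTPS" setting actually helps, a point the article does not raise: only a cookie carrying the Secure attribute is withheld from plain http:// requests, so a session cookie without it can still leak if the browser is ever tricked into one unencrypted request to the site. The captured request, the host example.social and the cookie name _session_id are all constructed for the demonstration and are not Twitter's.

```python
"""Hypothetical demonstration of session-cookie sniffing and the Secure
flag.  Not Twitter's, Sophos's or Firesheep's code; all data is made up."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: one plaintext HTTP request as a passive sniffer on
# an open Wi-Fi network would see it.  Host and cookie values are invented.
CAPTURED_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: example.social\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: lang=en; _session_id=6f1c2a9e8d7b4c3f\r\n"
    b"\r\n"
)


def extract_cookies(raw_request: bytes) -> dict:
    """Return the cookies carried by a captured plaintext HTTP request.

    This is the passive half of a Firesheep-style attack: no cracking,
    just reading a header that the victim's browser sent in the clear.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    header_lines = head.decode("latin-1").split("\r\n")[1:]  # skip request line
    cookies = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            jar = SimpleCookie()
            jar.load(value.strip())
            cookies.update({k: m.value for k, m in jar.items()})
    return cookies


def replay_request(host: str, path: str, stolen: dict) -> bytes:
    """Build the impersonating request: the stolen cookie is presented
    unchanged from the attacker's own machine, and the server cannot tell
    the difference from the legitimate user's browser."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in stolen.items())
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {cookie_header}\r\n\r\n"
    ).encode()


def browser_would_send(set_cookie_header: str, url: str) -> bool:
    """Model the browser rule that makes HTTPS-only sessions effective.

    A cookie set with the Secure attribute is attached only to https://
    requests.  Without that attribute, a single plain http:// request to
    the site (a typed URL, an old bookmark, an http:// link) sends the
    session cookie in the clear, regardless of what the user opted into.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    scheme = urlsplit(url).scheme.lower()
    for morsel in jar.values():
        # SimpleCookie stores flag attributes as True, absent ones as "".
        if morsel["secure"] and scheme != "https":
            return False
    return True


if __name__ == "__main__":
    stolen = extract_cookies(CAPTURED_REQUEST)
    print("sniffed cookies:", stolen)
    print(replay_request("example.social", "/home", stolen).decode())
    weak = "_session_id=6f1c2a9e8d7b4c3f; Path=/; HttpOnly"
    strong = "_session_id=6f1c2a9e8d7b4c3f; Path=/; Secure; HttpOnly"
    for label, hdr in (("without Secure", weak), ("with Secure", strong)):
        print(label, "-> sent over http://?",
              browser_would_send(hdr, "http://example.social/home"))
```

Run stand-alone, the script shows the sniffed cookie being reused verbatim in a second request, and that the cookie set without Secure would still be sent over http:// while the one with Secure would not. The check to make on a real service is therefore not just "is HTTPS available" but "is the session cookie marked Secure", because the former without the latter leaves the Firesheep-style attack open.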

"The Firesheep problem is the biggest concern," Graham Cluley, senior technology consultant at Sophos, told ZDNet UK. "It's out in the hands of anybody, and it's very easy to hijack account sessions."

Cluley noted that Twitter has not enabled default HTTPS for mobile access, but that some third-party mobile Twitter apps have.



Topics: Security

About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues. Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books. Tom eventually found tha...
