Twitter turns on HTTPS to counter hackers

Twitter turns on HTTPS to counter hackers

Summary: The social-networking service is giving users the option of always encrypting their web sessions, to prevent cookie-sniffing and impersonation

TOPICS: Security

Twitter has turned on an encryption setting designed to thwart session-cookie hijacking and impersonation of users of the social-networking service.

People who view Twitter via the web can now do so using HTTPS by default, if they choose the setting in their account, the company said in a blog post on Tuesday. The technology, used in e-commerce and banking to protect web sessions, is based on the SSL/TLS web encryption protocol.

Twitter web page

Twitter is to offer users an HTTPS default connection when they access the social-networking site via the web. Photo credit: pixelbully

"Using HTTPS for your favourite internet services is particularly important when using them over unsecured Wi-Fi connections," the company said. Previously, people could browse Twitter using the encryption technology, but they had to log into a specific HTTPS version of the site.

To turn on the encryption for every session, Twitter users can go to 'Settings' and tick the 'Always use HTTPS' box. In introducing the security feature, Twitter is following a number of services, such as Facebook, which began offering an HTTPS option in January.

Initiating HTTPS makes it difficult for people to steal Twitter-session cookies to impersonate other people, security company Sophos said in a blog post on Wednesday.

Using HTTPS for your favourite internet services is particularly important when using them over unsecured Wi-Fi connections.

– Twitter

Twitter uses a cookie to identify the user in a particular session. If a user logs in via unencrypted Wi-Fi, hackers can sniff the cookie and use it to pretend to be the user — something they have done to Ashton Kutcher and a number of other celebrities, according to Sophos.

Hackers can use a Firefox browser plug-in called Firesheep to automatically intercept cookies sent over unsecured Wi-Fi, the security company added.

"The Firesheep problem is the biggest concern," Graham Cluley, senior technology consultant at Sophos, told ZDNet UK. "It's out in the hands of anybody, and it's very easy to hijack account sessions."

Cluley noted that Twitter has not enabled default HTTPS for mobile access, but that some third-party mobile Twitter apps have.

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • HTTPS is a key part to securing any web application like Twitter, but it is only the tip of the iceberg. While it encrypts communications between the browser and server you are accessing, it does not, despite what many may think, prevent attacks against the application.

    Enabling HTTPS merely hides the attacks in an encrypted communication between the attacker and your system. What is needed is protection of the application not just the communication. Most IT professionals understand that the best approach to security is a layered one, but for the ordinary user, myths of HTTPS or SSL protecting them from all attacks despite the fact it can be can be spoofed or intercepted need debunking. Immediately. More thoughts on this are at
    F5 Networks EMEA