Twitter adds SSL security

Worried about people grabbing your Twitter password out of the air? You should be. Twitter is finally addressing the problem.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

I was sitting in a local coffee shop recently and, since I was bored, I kicked on a Windows instance in VirtualBox on my Mint Linux-powered laptop so I could run Firesheep. Firesheep was, and is, a hacking program meant to frighten people into being serious about their Wi-Fi security. It didn't work. Most people, and Web sites, still don't secure even their logins. So, sure enough, out of twenty-one active Wi-Fi connections, I could look over the shoulder of twenty of them. This is just sad.

Still, some interactive Web sites are finally adding basic security. The Google sites support Transport Layer Security (TLS) and its ancestor Secure Sockets Layer (SSL) for protection, Facebook added encrypted security early this year, and now Twitter is joining the list of sites that use SSL to secure their users' connections.

It's about time!

Now that I have that out of my system, here's how it works. Twitter is turning on HTTPS, the Web's fundamental data transfer protocol with SSL enabled, by default for some accounts. To see if your account is one of the lucky ones, go to your Twitter Accounts Preferences.

Once there, go down the display to the Always use HTTPS box and click it on. If you haven't logged in, you'll need to log in for this choice to take.

From here on out, whenever you connect with Twitter, your connection will be listed as:


instead of


Depending on your browser, you may also see a change in color on part of your address bar. With Chrome 13 and Firefox 6, for example, the first part of the URL will be colored green.

On the "official" Twitter iPhone and iPad applications, your communications are always encrypted via HTTPS, regardless of whether you have checked Always use HTTPS on or off. If you visit mobile.twitter.com from your browser, though, your communications will be encrypted only if you specifically log in via https://mobile.twitter.com/.

Yeah, they know that's kind of dumb too and they're working on getting it right. Last, but not least, if you're using a third-party application, like my own favorite Twitterfall, whether your Twitter connection is encrypted depends entirely on the application.

Twitterfall, alas, doesn't support SSL or TLS. I get around that problem by using my own Virtual Private Network (VPN). For most people, though, what you really want is just a nice, secure SSL or TLS connection, so good job, Twitter! Now, how about the rest of you Web sites that are all about user interaction stepping up to the plate? Come on, don't be shy, adding SSL/TLS isn't that hard these days.
