Twitter has turned on an encryption setting designed to thwart session-cookie hijacking and impersonation of users of the social-networking service.
People who view Twitter via the web can now do so using HTTPS by default, if they choose the setting in their account, the company said in a blog post on Tuesday. The technology, used in e-commerce and banking to protect web sessions, is based on the SSL/TLS web encryption protocol.
Twitter is to offer users an HTTPS default connection when they access the social-networking site via the web. Photo credit: pixelbully
"Using HTTPS for your favourite internet services is particularly important when using them over unsecured Wi-Fi connections," the company said. Previously, people could browse Twitter using the encryption technology, but they had to log into a specific HTTPS version of the site.
To turn on the encryption for every session, Twitter users can go to 'Settings' and tick the 'Always use HTTPS' box. In introducing the security feature, Twitter is following a number of services, such as Facebook, which began offering an HTTPS option in January.
Initiating HTTPS makes it difficult for people to steal Twitter-session cookies to impersonate other people, security company Sophos said in a blog post on Wednesday.
Twitter uses a cookie to identify the user in a particular session. If a user logs in via unencrypted Wi-Fi, hackers can sniff the cookie and use it to pretend to be the user — something they have done to Ashton Kutcher and a number of other celebrities, according to Sophos.
Hackers can use a Firefox browser plug-in called Firesheep to automatically intercept cookies sent over unsecured Wi-Fi, the security company added.
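The two paragraphs above describe the core risk: a session cookie sent over plain HTTP is readable by anyone on the same open Wi-Fi. The following is an added example, written for this article and not code from Twitter, Sophos or ZDNet, that shows the defender's side of that picture. It audits a response's Set-Cookie and Strict-Transport-Security headers for the weakness, and models the browser rule that a cookie carrying the Secure flag is never attached to a plain-HTTP request, so it cannot be sniffed even if the user follows an http:// link. All header values and cookie names are constructed for illustration.

```python
# Added example (not Twitter's, Sophos's or ZDNet's code): audit Set-Cookie and
# HSTS headers for the session-hijacking weakness the article describes, and
# show how the Secure flag keeps a session cookie off plain-HTTP requests.
# Header values and cookie names below are constructed for illustration.

HSTS = "strict-transport-security"


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into its name, value and flags."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    samesite = attrs.get("samesite")
    return {
        "name": name.strip(),
        "value": value.strip(),
        "secure": attrs.get("secure") is True,
        "httponly": attrs.get("httponly") is True,
        "samesite": samesite if isinstance(samesite, str) else None,
    }


def cookies_sent(cookies: list, scheme: str) -> list:
    """Names of cookies a browser would attach to a request over `scheme`.

    Mirrors the browser rule: a cookie with the Secure flag travels only over
    https. Any other cookie is also sent over plain http, where a passive
    listener on open Wi-Fi can read it.
    """
    return [c["name"] for c in cookies if scheme == "https" or not c["secure"]]


def audit_response(headers: list) -> list:
    """Return a list of findings for a response given as (name, value) pairs."""
    findings = []
    names = {n.lower() for n, _ in headers}
    if HSTS not in names:
        findings.append("no Strict-Transport-Security header: browsers may still "
                        "start sessions over http")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        c = parse_set_cookie(value)
        if not c["secure"]:
            findings.append(f"cookie {c['name']!r} lacks Secure: it would be "
                            f"sent in the clear over http")
        if not c["httponly"]:
            findings.append(f"cookie {c['name']!r} lacks HttpOnly: readable by "
                            f"script running in the page")
    return findings


# Constructed sample responses: one that leaks the session, one hardened.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def session_jar(headers: list) -> list:
    """Collect the parsed cookies a response would set."""
    return [parse_set_cookie(v) for n, v in headers if n.lower() == "set-cookie"]


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_response(resp) or ['no findings']}")
        jar = session_jar(resp)
        print(f"  sent over http:  {cookies_sent(jar, 'http')}")
        print(f"  sent over https: {cookies_sent(jar, 'https')}")
```

Run against the weak response, the audit reports the missing Secure flag and the missing HSTS header, and `cookies_sent` shows the session cookie going out over http; for the hardened response the audit is clean and the cookie is attached only over https. The Secure flag is what closes the sniffing window the article describes, and HSTS removes the plain-HTTP first request that a user's "Always use HTTPS" setting would otherwise still leave open.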
"The Firesheep problem is the biggest concern," Graham Cluley, senior technology consultant at Sophos, told ZDNet UK. "It's out in the hands of anybody, and it's very easy to hijack account sessions."
Cluley noted that Twitter has not enabled default HTTPS for mobile access, but that some third-party mobile Twitter apps have.
Talkback
HTTPS is a key part of securing any web application like Twitter, but it is only the tip of the iceberg. While it encrypts communications between the browser and server you are accessing, it does not, despite what many may think, prevent attacks against the application.
Enabling HTTPS merely hides the attacks in an encrypted communication between the attacker and your system. What is needed is protection of the application, not just the communication. Most IT professionals understand that the best approach to security is a layered one, but for the ordinary user, myths of HTTPS or SSL protecting them from all attacks, despite the fact it can be spoofed or intercepted, need debunking. Immediately. More thoughts on this are at http://devcentral.f5.com/weblogs/gnewe/archive/2011/04/12/twitter-enable-https-so-we-can-relax-right.aspx.