HTTPS enabled by default – nice one Twitter!

Graham Cluley

Twitter wins the award for grooviest website of the day, because of the great move they have announced which will help protect the privacy of millions of users.

Twitter has announced that it has enabled HTTPS by default for all users, which is a particularly good thing if you access Twitter from a public WiFi hotspot, such as a coffee shop or hotel lobby.

If you log into Twitter over unencrypted WiFi – for instance, at an airport lounge or at a conference – and you don’t have HTTPS enabled, then a hacker could sniff your session cookie. And anyone who can sniff your session cookie can pretend to be you.

That means they can post tweets as you or read your private direct messages. And you don’t want that.


Turning on full-time Twitter HTTPS keeps your session cookie encrypted throughout your login session. That’s definitely a good thing.
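The property the post is praising can be checked from a captured response head: the session cookie must carry the Secure flag (so the browser never sends it over plain http://) and the site should tell browsers to stay on HTTPS. This is an added example, not code from the original post; the two response heads are constructed samples, not real Twitter or Facebook traffic, and the session-cookie naming heuristic in `SESSION_HINTS` is an assumption.

```python
# Added example (not code from the original post): audit a captured HTTPS
# response head for the "session cookie stays encrypted" property the post
# praises. Sample responses are constructed, not real Twitter/Facebook traffic;
# the session-cookie naming heuristic is an assumption.
SESSION_HINTS = ("sess", "auth", "token", "sid")


def cookie_flags(set_cookie: str):
    """Split one Set-Cookie value into (name, {attribute_lower: value_or_True})."""
    first, *rest = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for attr in rest:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return first.partition("=")[0].strip(), attrs


def audit_head(raw: str):
    """Return the weaknesses that would let a session leak onto plaintext HTTP."""
    headers = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    issues = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = cookie_flags(value)
        if not any(hint in cookie.lower() for hint in SESSION_HINTS):
            continue
        if "secure" not in attrs:  # browser would also send it over http://
            issues.append(f"{cookie}: missing Secure")
        if "httponly" not in attrs:  # readable by script, e.g. via XSS
            issues.append(f"{cookie}: missing HttpOnly")
    if "strict-transport-security" not in dict(headers):
        issues.append("no HSTS: a typed or linked http:// URL still goes out in clear")
    return issues


# Constructed sample: login response that exposes the session on plain HTTP.
WEAK = """HTTP/1.1 200 OK
Set-Cookie: auth_token=abc123; Path=/
Content-Type: text/html"""

# Constructed sample: the "HTTPS throughout the session" shape.
HARDENED = """HTTP/1.1 200 OK
Set-Cookie: auth_token=abc123; Path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=31536000
Content-Type: text/html"""
```

Running `audit_head(WEAK)` lists the missing Secure and HttpOnly flags and the absent HSTS header, while `audit_head(HARDENED)` returns an empty list.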

HTTPS on Twitter

And don’t imagine that “sniffing session cookies from unencrypted connections” is rocket science.

It isn’t.

Tools such as Firesheep have made it child’s play in the past for anyone to access the Twitter or Facebook account of someone close by if they haven’t taken the right precautions.

Just ask Ashton Kutcher.

Last year, Kutcher attended the brainbox TED Conference, and connected to the unencrypted WiFi hotspot provided. A nearby hacker was able to jump onto Kutcher’s Twitter session and post pro-SSL graffiti in his name.

Ashton Kutcher's hacked Twitter account

Twitter first announced that it was planning to roll out HTTPS by default last August, so it’s great to see the process finally completed.

Ashton, and many Twitter devotees like him, will now be better protected – without having to be told to change their settings.

So, it’s a case of “Well done Twitter”.

But what about the other big social networks?

With Google Plus, things are simple. It has always had HTTPS turned on. Nice one.

With Facebook, however, it’s a different story.

Although the social networking giant gave users the option to enable HTTPS/SSL a year ago, it is still disabled by default and even when enabled only claims it will be used “when possible”.

Facebook https setting - disabled by default

If you want to try using Facebook with HTTPS/SSL enabled, read more and watch the following video:

We look forward to the time when Facebook feels it’s ready to enable HTTPS/SSL by default, and use it throughout users’ time on the site.

In the meantime, Twitter wins our award for favourite social network of the day. :)


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
