Twitter starts rolling out HTTPS by default – good news for security and Ashton Kutcher

Graham Cluley

In a step which will be welcomed by its security-conscious users, Twitter has announced that it is beginning to turn on HTTPS by default.

Why is this important? Just ask Ashton Kutcher.

Kutcher attended the brainbox TED Conference earlier this year, and connected to the unencrypted WiFi hotspot provided. A nearby hacker, possibly using a tool such as Firesheep, was able to jump onto Kutcher’s Twitter session and post pro-SSL graffiti in his name.


Unfortunately, if you log into Twitter over unencrypted WiFi – e.g. at a coffee shop or an airport lounge – and you don’t have HTTPS enabled, then a hacker could sniff your session cookie. And anyone who can sniff your session cookie can pretend to be you.

That means they can post tweets as you or read your private direct messages. And you don’t want that.


Turning on full-time Twitter HTTPS keeps your session cookie encrypted throughout your login session. That’s definitely a good thing.
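For site operators, the same point can be checked from the `Set-Cookie` headers a site sends. The sketch below is an added example, not part of the original article: it models only the standard `Secure` cookie attribute to show which cookies a browser would still attach to a plain-HTTP request. The cookie names, values and the `example.test` host are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie headers; names and values are invented for illustration.
SAMPLE_SET_COOKIE = [
    "session_id=3f9a1c; Path=/; HttpOnly",
    "auth_token=b71e02; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lowercase attribute dict)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def cookies_sent(url, set_cookie_headers):
    """Names of cookies a browser would attach to a request for `url`.

    Only the Secure attribute is modelled: a Secure cookie is withheld from
    plain-http requests. Domain, Path and expiry matching are left out.
    """
    is_https = urlsplit(url).scheme.lower() == "https"
    sent = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        # HttpOnly hides a cookie from page scripts, not from the network,
        # so it plays no part in this decision.
        if is_https or "secure" not in attrs:
            sent.append(name)
    return sent

def exposed_on_open_wifi(set_cookie_headers):
    """Cookies that cross the network in cleartext if any request uses http."""
    return cookies_sent("http://example.test/", set_cookie_headers)

if __name__ == "__main__":
    print("sent over http :", exposed_on_open_wifi(SAMPLE_SET_COOKIE))
    print("sent over https:", cookies_sent("https://example.test/", SAMPLE_SET_COOKIE))
```

Any session cookie that appears in the `http` list is the kind a nearby eavesdropper could capture, which is why full-time HTTPS and cookies marked `Secure` go together.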

So it’s great to see the following official statement from Twitter.

https://twitter.com/twitterglobalpr/status/106077860170706944

Other websites which handle personal accounts are waking up to the issue of HTTPS/SSL encryption too.

Google has led the way on enforcing HTTPS usage, with products like Gmail, Google Docs and Google+ already making an SSL connection mandatory.

HTTPS is still optional on Facebook, but there are hopes that the social networking giant will enforce its use later this year once third-party apps play ball.

I would certainly recommend enabling HTTPS on both Facebook and Twitter. On Twitter you can set the option by visiting your account settings page.


And if you’re on Facebook, watch this short video by Naked Security’s Chet Wisniewski which shows how to enable full SSL/HTTPS encryption.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
