Twitter starts rolling out HTTPS by default – good news for security and Ashton Kutcher

In a step which will be welcomed by its security-conscious users, Twitter has announced that it is beginning to turn on HTTPS by default.

Why is this important? Just ask Ashton Kutcher.

Kutcher attended the brainbox TED Conference earlier this year, and connected to the unencrypted WiFi hotspot provided. A nearby hacker, possibly using a tool such as Firesheep, was able to jump onto Kutcher’s Twitter session and post pro-SSL graffiti in his name.


Unfortunately, if you log into Twitter over unencrypted WiFi (at a coffee shop or an airport lounge, say) without HTTPS enabled, anyone on the same network can sniff your session cookie out of your plaintext requests. And anyone who has your session cookie can pretend to be you: they don't need your password, because the cookie is what Twitter uses to recognise you after login.

That means they can post tweets as you or read your private direct messages. And you don’t want that.

Turning on full-time Twitter HTTPS keeps your whole session encrypted, not just the login page: every request that carries your session cookie travels over TLS, so there is nothing for a sniffer to read. (That is the point Firesheep made: encrypting only the login and then falling back to plain HTTP leaves the cookie in the clear for the rest of the session.) That's definitely a good thing.
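To make the attack and the fix concrete, here is an added example; it is not code from the original article, from Twitter or from Sophos. It parses a constructed plaintext HTTP request of the kind a Firesheep-style sniffer sees on an open hotspot and lifts the session cookie from it, then shows the server-side side of "HTTPS all the time": a Set-Cookie audit, a cookie marked Secure and HttpOnly, a simulation of the browser rule that a Secure cookie is never sent over http://, and the redirect plus HSTS header that keep the session on TLS. The cookie name `_twitter_sess`, the hostname and the captured bytes are assumptions made for illustration, not real Twitter values.

```python
"""Added example, not code from the original article or from Twitter.

Shows how a passive sniffer reads a session cookie from a plaintext HTTP
request, and the server-side settings that stop it: a Secure/HttpOnly
cookie, an http:// -> https:// redirect, and an HSTS header.
Cookie name, host and captured request are constructed assumptions.
"""
from http.cookies import SimpleCookie

SESSION_COOKIE = "_twitter_sess"  # assumed cookie name, for illustration only

# Constructed request, exactly as a sniffer on an open hotspot would see it.
CAPTURED_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: twitter.com\r\n"
    b"Cookie: _twitter_sess=BAh7CSIKZmxhc2hJQzonQWN0aW9u; lang=en\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, {lower-cased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def sniff_session(raw, name=SESSION_COOKIE):
    """The attacker's side: read the session cookie off the wire. No decryption needed."""
    _method, _path, headers = parse_request(raw)
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    return jar[name].value if name in jar else None


def audit_set_cookie(set_cookie_value):
    """Report why a Set-Cookie header value leaves the session exposed."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    findings = []
    for morsel in jar.values():
        if not morsel["secure"]:
            findings.append(f"{morsel.key}: missing Secure, browser will send it over plain http://")
        if not morsel["httponly"]:
            findings.append(f"{morsel.key}: missing HttpOnly, readable by injected script")
    return findings


def browser_will_send(set_cookie_value, url):
    """Browser rule the Secure flag relies on: a Secure cookie only goes out on https:// requests."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    scheme = url.split("://", 1)[0].lower()
    return {m.key: bool(scheme == "https" or not m["secure"]) for m in jar.values()}


def hardened_set_cookie(name, value):
    """Set-Cookie value that never travels in the clear and is invisible to script."""
    return f"{name}={value}; Path=/; Secure; HttpOnly"


def enforce_https(host, path, over_tls):
    """Server side of 'HTTPS all the time': bounce plaintext requests and pin HTTPS with HSTS."""
    if not over_tls:
        return 301, {"Location": f"https://{host}{path}"}
    return 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


if __name__ == "__main__":
    stolen = sniff_session(CAPTURED_REQUEST)
    print("sniffed session cookie:", stolen)
    weak = f"{SESSION_COOKIE}={stolen}; Path=/"
    print("weak cookie findings:", audit_set_cookie(weak))
    strong = hardened_set_cookie(SESSION_COOKIE, stolen)
    print("hardened cookie findings:", audit_set_cookie(strong))
    print("hardened cookie sent over http://?", browser_will_send(strong, "http://twitter.com/home"))
    print("plaintext request gets:", enforce_https("twitter.com", "/home", over_tls=False))
```

The Secure flag and the redirect do different jobs: the redirect moves a browser that typed `http://` onto TLS, while the Secure flag guarantees the cookie is not attached to that first plaintext request in the first place, which is the one a sniffer would otherwise catch. HSTS then stops the browser from ever making the plaintext request again.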

So it’s great to see the following official statement from Twitter.

Twitter Comms: "We suggest using HTTPS for improved security. We're starting to turn this on by default for some users. More here:…"

Other websites which handle personal accounts are waking up to the issue of HTTPS/SSL encryption too.

Google has led the way on enforcing HTTPS usage, with products like Gmail, Google Docs and Google+ already making an SSL connection mandatory.

HTTPS is still optional on Facebook, but there are hopes that the social networking giant will enforce its use later this year once third-party apps play ball.

I would certainly recommend enabling HTTPS on both Facebook and Twitter. On Twitter you can set the option by visiting your account settings page.


And if you’re on Facebook, watch this short video by Naked Security’s Chet Wisniewski which shows how to enable full SSL/HTTPS encryption.


An open letter to Facebook about safety and privacy

Dear Facebook,

As you know, for some years we have been discussing with your security team our concerns about safety and privacy on Facebook.

Every day, victims report to us numerous incidents of crime and fraud on Facebook. They have been personally affected and are desperate for advice on how to deal with the consequences.

A frequent refrain from users who contact us is, ‘Why doesn’t Facebook do more to protect us?’

We have identified three simple steps you can take to better protect your users:

1. No more sharing of information without your users' express agreement (OPT-IN). Whenever you add a new feature to share additional information about your users, you should not assume that they want this feature turned on.

2. It is far too easy to become a developer on Facebook. With over one million app developers already registered on the Facebook platform, it is hardly surprising that your service is riddled with rogue applications and viral scams. Only vetted and approved third-party developers should be allowed to publish apps on your platform.

3. We welcome your recent introduction of an HTTPS option, but you left it turned off by default. Worse, you only commit to provide a secure connection "whenever possible". Facebook should enforce a secure connection all the time, by default. Without this protection, your users are at risk of losing personal information to hackers.

Why wait until regulators force your hand on privacy? Act now for the greater good of all.

Your users tell us that these are issues they want resolved. So our question is simple: when do you plan to act?


Naked Security