Twitter introduces full HTTPS session encryption

Twitter has followed Hotmail and Google by introducing an HTTPS option when accessing the micro-blogging site.

According to Twitter spokesperson Carolyn Penner, the option has been added via a user setting for HTTPS connectivity rather than via the https://twitter.com website.

Penner said: “To turn on HTTPS, go to your settings and check the box next to "Always use HTTPS", which is at the bottom of the page. This will improve the security of your account and better protect your information if you're using Twitter over an unsecured internet connection, like a public WiFi network, where someone may be able to eavesdrop on your site activity. In the future, we hope to make HTTPS the default setting.

“There are also a few instances where turning on HTTPS in your settings does not force HTTPS. For example, when accessing Twitter from your mobile browser, you need to go to https://mobile.twitter.com to use HTTPS for now. We are working on a solution that will share the “Always use HTTPS” setting across twitter.com and mobile.twitter.com, so you don't have to think about which device you're using when you want to check Twitter. If you use a third-party application, you should check to see if that app offers HTTPS.”

She confirmed that Twitter has already made HTTPS the default setting for the login process and for access on the official Twitter for iPhone and iPad mobile application.

Paul Ducklin, head of technology for Sophos Asia Pacific, said that this was good news, as once turned on all personalised interaction with Twitter will be encrypted, not only while you are logging in, but also while you are posting tweets.

He said: “A lot of people fail to recognise the value of using HTTPS on Twitter. As long as your username and password are sent over HTTPS, so no one can sniff them out of the ether, who cares if your tweets go over plain HTTP? After all, a tweet is meant to be public.

“The problem is that once you have logged in, Twitter sends your browser a session cookie. This is a one-time secret. It is unique to your account and the current session.

Because your browser retransmits this session cookie in all future requests to the Twitter site, Twitter can see that it's you coming back for more. So you don't need to put in your username and password for every single tweet you send. You login once, and the session cookie identifies you for the rest of the current session.

“Turning on full-time Twitter HTTPS keeps your session cookie encrypted throughout your login session. This is definitely what you want. Don't forget that it's not just experienced hackers who can sniff Twitter cookies and use them to impersonate you.”

Sign up to our newsletters