- Jan 24, 2011
Good news on the social networking security front is that Twitter has finally got its act together to offer an Always use HTTPS option.
If you turn on this option, all of your personalised interaction with Twitter will be encrypted - not only while you are logging in, but also while you are posting tweets.
A lot of people fail to recognise the value of using HTTPS on Twitter. As long as your username and password are sent over HTTPS, so no-one can sniff them out of the ether, who cares if your tweets go over plain HTTP? After all, a tweet is meant to be public.
The problem is that once you have logged in, Twitter sends your browser a session cookie. This is a one-time secret. It is unique to your account and the current session.
Because your browser retransmits this session cookie in all future requests to the Twitter site, Twitter can see that it's you coming back for more. So you don't need to put in your username and password for every single tweet you send. You log in once, and the session cookie identifies you for the rest of the current session.
Unfortunately, if you log in to Twitter over unencrypted WiFi - e.g. at a coffee shop or an airport lounge - then anyone who can sniff your session cookie can pretend to be you. That means they can post tweets as you. And you don't want that. (It happened to Mr Demi Moore, a.k.a. Ashton Kutcher, recently, no doubt to his considerable embarrassment.)
More details - link
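As an added example (not part of the original post, and not Twitter's code), the Python below simulates the mechanism the post describes using only the standard library: the server's Set-Cookie header issued after login, the browser's cookie jar, and whether the browser attaches the session cookie to a plain-HTTP request. It assumes the server marks the cookie with the standard Secure attribute, which is what stops a browser from sending it over HTTP at all; the host name and session value are constructed placeholders.

```python
from http.cookies import SimpleCookie
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

HOST = "twitter.example"                       # constructed placeholder host
SESSION_SECRET = "constructed-session-secret"  # stands in for the per-session token

def build_set_cookie(secret: str, secure_only: bool) -> str:
    """Server side: the Set-Cookie header sent once after login.
    With secure_only=True the cookie carries the Secure attribute, so a
    browser will only ever send it back over HTTPS."""
    jar = SimpleCookie()
    jar["_session"] = secret
    jar["_session"]["path"] = "/"
    jar["_session"]["httponly"] = True   # also keep it away from page scripts
    if secure_only:
        jar["_session"]["secure"] = True
    return jar.output(header="Set-Cookie:")

def browser_jar(secure_only: bool) -> CookieJar:
    """Browser side: a cookie jar holding the session cookie as the browser
    would store it after receiving the header above."""
    cookie = Cookie(
        version=0, name="_session", value=SESSION_SECRET,
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure_only, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )
    jar = CookieJar()
    jar.set_cookie(cookie)
    return jar

def cookie_header_for(jar: CookieJar, url: str):
    """What the browser would put in the Cookie header for this URL.
    Returns None when the jar refuses to attach the cookie (a Secure cookie
    on an http:// request), i.e. nothing for a WiFi sniffer to capture."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")

if __name__ == "__main__":
    for secure_only in (False, True):
        print(build_set_cookie(SESSION_SECRET, secure_only))
        jar = browser_jar(secure_only)
        for url in (f"https://{HOST}/tweet", f"http://{HOST}/tweet"):
            print(f"  {url:<32} -> Cookie: {cookie_header_for(jar, url)}")
```

Without the Secure attribute the session secret rides along on every http:// request, which is exactly the exposure on open WiFi; with it, the cookie is only sent on https:// requests.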