Slashdot Mirror


Twitter Joins the HTTPS By Default Party

wiredmikey writes "Following a trend in allowing users to automatically utilize the secure HTTPS protocol when accessing Web based services, Twitter announced this week that it has added the option for users to force HTTPS connections by default when accessing Twitter.com. The reasons to utilize HTTPS when accessing any personal accounts aren't new, but an easy to use extension for FireFox called 'FireSheep,' released in October 2010, spiked concern, as it enables HTTP session hijacking for the masses."

21 of 95 comments

  1. Good by Tukz · · Score: 3, Informative

    I'd like to see all community sites do that.

    I got an addon that tries to force SSL where available, and it's surprising how many sites don't have SSL enabled at all.

    --
    - Don't do what I do, it's probably not healthy nor safe. -
    1. Re:Good by FriendlyLurker · · Score: 2

      Simple tools like FireSheep are an awesome way to force websites to up their game on the encryption front and improve their security.

      I guess the addon you mention is EFF's "https-everywhere". Notice that the list of https sites the addon supports is growing pretty large. They will soon have to add the option "exclude these sites" rather than try and provide a massive list of included sites.

  2. What's the penalty for HTTPS? by Compaqt · · Score: 3, Interesting

    Back some years ago, there was talk about dedicated SSL hardware. What's the performance penalty for HTTPS anymore?

    Say you're a small startup running your "the next Twitter" app on a Xen or OpenVZ VPS instance.

    What's the hit for HTTPS?

    Any thoughts on HTTPS only for the login page, or for all pages?

    --
    I'm not a lawyer, but I play one on the Internet. Blog
    1. Re:What's the penalty for HTTPS? by buchner.johannes · · Score: 4, Informative

      Any thoughts on HTTPS only for the login page, or for all pages?

      You can just steal the session cookie after login, so just doing the login page is almost useless. It prevents the attacker from learning the password and re-entering the system, but a) he can change the password and b) there is no reason he wouldn't get the job done within one session.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
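      An added example (not from the thread and not Twitter's code) of the point made above: a minimal cookie jar that honours the Set-Cookie "Secure" attribute, showing that a session cookie set without it is sent in cleartext on the very next HTTP page, whereas a Secure cookie is never sent over plain HTTP. The host name and the cookie value are constructed.

```python
from urllib.parse import urlsplit


class CookieJar:
    """Stores cookies per host and applies the Secure rule on each request."""

    def __init__(self):
        self.cookies = {}  # (host, name) -> (value, secure)

    def store(self, host, set_cookie_header):
        # Parse "name=value; Path=/; HttpOnly; Secure" the way a browser would.
        parts = [p.strip() for p in set_cookie_header.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        self.cookies[(host, name)] = (value, "secure" in attrs)

    def cookie_header(self, url):
        """Return the Cookie header the client would send for this URL, or None."""
        u = urlsplit(url)
        sent = []
        for (host, name), (value, secure) in self.cookies.items():
            if host != u.hostname:
                continue
            if secure and u.scheme != "https":
                continue  # Secure cookies never leave the client in cleartext
            sent.append(f"{name}={value}")
        return "; ".join(sent) or None


def cookie_sent_in_cleartext(set_cookie_header, host="twitter.example"):
    """Login happens over HTTPS and sets the cookie; the user then opens a plain
    HTTP page. Returns the Cookie header that plain request would carry."""
    jar = CookieJar()
    jar.store(host, set_cookie_header)  # response to https://host/login
    return jar.cookie_header(f"http://{host}/home")


# Constructed session token, not a real Twitter cookie.
WITHOUT_SECURE = "_session=deadbeef01; Path=/; HttpOnly"
WITH_SECURE = "_session=deadbeef01; Path=/; HttpOnly; Secure"

if __name__ == "__main__":
    print("no Secure flag, plain HTTP request carries:", cookie_sent_in_cleartext(WITHOUT_SECURE))
    print("Secure flag, plain HTTP request carries:   ", cookie_sent_in_cleartext(WITH_SECURE))
```

      The Secure flag only works if every page is served over HTTPS; with HTTPS on the login page alone, the Secure cookie is simply never sent and the user is logged out on the first HTTP page, which is why the whole site has to move.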
    2. Re:What's the penalty for HTTPS? by hart · · Score: 4, Informative

      There's still a performance hit for SSL. Solutions for that include load balancers with dedicated hardware SSL support. As for what the performance hit is, try this: http://serverfault.com/questions/43692/how-much-of-a-performance-hit-for-https-vs-http-for-apache

      Re: HTTPS all vs. only on login page - as the recent Facebook session hijacking proved, it's the session cookies in cleartext that are the security problem - it doesn't sniff your password, it steals your session cookies to access your account. HTTPS should be on everything, IMHO.

      Cheers
      Leigh

    3. Re:What's the penalty for HTTPS? by Baloo+Uriza · · Score: 4, Informative

      Most sites expect you to enter the current password to be able to change it, even if you are logged in.

      --
      Furries make the internet go.
    4. Re:What's the penalty for HTTPS? by Cajun+Hell · · Score: 2

      Pretty much the only real penalty for https is browser shittiness. If your identity isn't certified by a recognized CA, all the major browsers incorrectly treat your site, relative to http, as having a higher (rather than lower) risk of .. something .. so they try to scare the user with vague error messages that, even if the messages were appropriate, mislead the user rather than inform. So the penalty is that you have to pay someone to sign you.

      As for the computations, it's 2011 so CPU is so close to "free" that it can hardly be measured. Your cellphone is a supercomputer, and anything that comes in a box too big for your pocket is a super-supercomputer, and anything that is sold as a "server" or comes in a rack form factor for data centers, is a super super-supercomputer. Encryption is free.

      --
      "Believe me!" -- Donald Trump
    5. Re:What's the penalty for HTTPS? by shish · · Score: 3, Insightful

      Speaking as someone in exactly the situation you describe -- running our current site on a small single-core VPS, over HTTP we can serve ~400 static files per second, limited by bandwidth. Using HTTPS, we can serve 10 static files per second, limited by CPU speed. For dynamic pages, the limits are more like 50/sec (limited by CPU) and 5/sec (limited by CPU -- page load times go up a lot as the database and processing are competing with the encryption).

      Current plan to deal with this, because we want to be HTTPS by default, is to offload static files to an HTTPS-enabled CDN, and have a front-end reverse proxy or several dedicated to SSL processing -- unless anyone has any better ideas?

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
  3. HTTPS by default? Not exactly, Misleading headline by Anonymous Coward · · Score: 2, Informative

    Users are required to change this setting themselves, nothing default about it. It's simply an added option.

    Now Gmail, this is HTTPS by default..
    also I read mobile.twitter.com will not even switch to HTTPS? wut.

    Smarten up slashdot and editors

  4. Re:HTTPS by default? Not exactly, Misleading headl by wiredmikey · · Score: 2

    You're right -- It's not SET to default, but users can set the service to use HTTPS by default. The actual title of the article is "Twitter Enables Option for HTTPS by Default" - Though I agree that the /. could have been more clear.

  5. Good start, but install HTTPS everywhere by Enry · · Score: 4, Interesting

    I don't like keeping track of what sites I can and can't use HTTPS on, so I installed HTTPS Everywhere on my browsers and get HTTPS access to a bunch of sites by default.

    BTW, when do we get HTTPS access to /.?

    1. Re:Good start, but install HTTPS everywhere by Even+on+Slashdot+FOE · · Score: 4, Funny

      When someone hacks CmdrTaco's account and posts something embarrassing using his name. I mean embarrassing enough we can tell it wasn't him, of course.

      This may be difficult, to be honest.

    2. Re:Good start, but install HTTPS everywhere by ftobin · · Score: 3, Informative

      Slashdot has HTTPS access if you are a paying subscriber.

  6. It is built in to Firefox 4 by Chrisq · · Score: 3, Informative

    It is built in to Firefox 4 so soon you won't need an extension.

    1. Re:It is built in to Firefox 4 by Haedrian · · Score: 2

      From what I am understanding of the article its there to stop:

      http://www.example..../
      [redirect to]
      https://..../

      Which could be grounds for a Man In The Middle Attack. It does not say anything about forcing people to use HTTPS, just that it will be done automatically instead of using a redirect. So it'll make sites which force HTTPS safer, but it won't force twitter to push https if you haven't asked for it.

    2. Re:It is built in to Firefox 4 by Chrisq · · Score: 3, Informative

      From what I am understanding of the article its there to stop:

      http://www.example..../ [redirect to] https://..../

      Which could be grounds for a Man In The Middle Attack. It does not say anything about forcing people to use HTTPS, just that it will be done automatically instead of using a redirect. So it'll make sites which force HTTPS safer, but it won't force twitter to push https if you haven't asked for it.

      There is a better explanation here. Basically after the header is received the browser will convert any http: requests to https:, therefore bypassing any redirect. Whether this will force you to use https depends on whether Twitter will set this header on their https sites only or on both http and https. Even if they do set it only on the https site it will force you to use https if you visit the https URL even once.
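      An added example (not from the thread, not Firefox's code) of the mechanism described in the two comments above: a toy model of the browser-side HSTS cache from RFC 6797. The Strict-Transport-Security header and its max-age / includeSubDomains syntax are real; the host names and clock values are constructed. One detail the model includes, because it answers the "https only or both" question: a browser only honours the header when it arrived over HTTPS, so a header injected into a plain-HTTP response is ignored.

```python
from urllib.parse import urlsplit, urlunsplit

HEADER = "strict-transport-security"


def parse_hsts(value):
    """Return (max_age_seconds, include_subdomains), or None if there is no valid max-age."""
    max_age, subs = None, False
    for directive in value.split(";"):
        k, _, v = directive.strip().partition("=")
        k, v = k.lower(), v.strip().strip('"')
        if k == "max-age" and v.isdigit():
            max_age = int(v)
        elif k == "includesubdomains":
            subs = True
    return None if max_age is None else (max_age, subs)


class HstsStore:
    def __init__(self):
        self.known = {}  # host -> (expiry_time, include_subdomains)

    def observe(self, url, headers, now):
        """Record the policy carried by a response. Only an HTTPS response may
        set or clear an entry; the same header over plain HTTP is ignored."""
        u = urlsplit(url)
        value = headers.get(HEADER)
        if u.scheme != "https" or value is None:
            return
        parsed = parse_hsts(value)
        if parsed is None:
            return
        max_age, subs = parsed
        if max_age == 0:
            self.known.pop(u.hostname, None)  # max-age=0 removes the host
        else:
            self.known[u.hostname] = (now + max_age, subs)

    def rewrite(self, url, now):
        """Upgrade http:// to https:// inside the client, before any request is
        sent, so no cleartext request or tamperable redirect ever happens."""
        u = urlsplit(url)
        if u.scheme != "http":
            return url
        labels = u.hostname.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.known.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return urlunsplit(("https", u.netloc, u.path, u.query, u.fragment))
        return url
```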

  7. Re:Bad idea! by CastrTroy · · Score: 3, Insightful

    Twitter isn't carrying important personal data

    Tell that to the people in Libya, China, North Korea (do they have internet?) and other places around the world where the government isn't so easy on people who oppose the regime.

    --
    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  8. Why? by Mikkeles · · Score: 2

    So you can securely upload your private data for public dissemination?

    --
    Great minds think alike; fools seldom differ.
    1. Re:Why? by Haedrian · · Score: 2

      More like so you can be sure that someone using the same connection at your coffee shop won't post something in your name by sniffing your cookies.

  9. Re:Bad idea! by Haedrian · · Score: 2

    You can steal the session cookie from someone using twitter using an unsecured network (such as a public wifi) - and then spam the crap out of his feed, or change some settings or something.

    I'm pretty sure the ability to spoof someone else's twitter to say whatever you want is considered - "Important Personal Data".

    Login Credentials aren't needed if you're nicking the cookie - see also: "Firesheep" which is script-kiddie friendly.

  10. Re:HTTPS does cache by goofy183 · · Score: 2

    It is completely up to the site serving the resources. A quick look unsurprisingly shows twitter not being stupid about it and setting the correct headers to get the browser to cache resources served over HTTPS for as long as the browser can. Here are the response headers from getting their logo over HTTPS:

    Date Wed, 16 Mar 2011 14:52:00 GMT
    Content-Length 1159
    Content-Type image/png
    Etag "c53472495d431cceef1c715732db12c9"
    Expires Wed, 18 May 2033 03:33:20 GMT
    Last-Modified Tue, 15 Mar 2011 21:20:55 GMT

    Note that it provides both an Etag and a far-future Expires date.
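    An added example (not from the thread) that turns the check above into code: it takes the response headers quoted in the comment and computes, following the freshness rules of RFC 7234 (Cache-Control max-age over Expires, Expires over the Last-Modified heuristic, no-store overriding everything), how long a browser may reuse the cached logo, and whether it can revalidate instead of refetching. The headers are the ones quoted above; the extra no-store and max-age inputs in the test are constructed.

```python
import re
from email.utils import parsedate_to_datetime


def freshness_lifetime(headers):
    """Seconds the response may be served from cache without contacting the
    origin; None means the response must not be stored at all."""
    h = {k.lower(): v for k, v in headers.items()}
    cache_control = h.get("cache-control", "").lower()
    if "no-store" in cache_control:
        return None
    m = re.search(r"max-age=(\d+)", cache_control)
    if m:  # explicit max-age takes precedence over Expires
        return int(m.group(1))
    date = parsedate_to_datetime(h["date"])
    if "expires" in h:
        expires = parsedate_to_datetime(h["expires"])
        return max(0, int((expires - date).total_seconds()))
    if "last-modified" in h:
        # Heuristic freshness: a common choice is 10% of the time since last modification.
        age = (date - parsedate_to_datetime(h["last-modified"])).total_seconds()
        return int(age * 0.10)
    return 0


def supports_revalidation(headers):
    """True when a stale copy can be revalidated with a conditional request."""
    names = {k.lower() for k in headers}
    return "etag" in names or "last-modified" in names


# Response headers for the Twitter logo as quoted in the comment above.
TWITTER_LOGO_HEADERS = {
    "Date": "Wed, 16 Mar 2011 14:52:00 GMT",
    "Content-Length": "1159",
    "Content-Type": "image/png",
    "Etag": '"c53472495d431cceef1c715732db12c9"',
    "Expires": "Wed, 18 May 2033 03:33:20 GMT",
    "Last-Modified": "Tue, 15 Mar 2011 21:20:55 GMT",
}

if __name__ == "__main__":
    days = freshness_lifetime(TWITTER_LOGO_HEADERS) // 86400
    print(f"logo stays fresh for {days} days; revalidation: {supports_revalidation(TWITTER_LOGO_HEADERS)}")
```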