Slashdot Mirror


Twitter Joins the HTTPS By Default Party

wiredmikey writes "Following a trend in allowing users to automatically utilize the secure HTTPS protocol when accessing Web-based services, Twitter announced this week that it has added the option for users to force HTTPS connections by default when accessing Twitter.com. The reasons to utilize HTTPS when accessing any personal accounts aren't new, but an easy-to-use extension for Firefox called 'Firesheep,' released in October 2010, spiked concern, as it enables HTTP session hijacking for the masses."

5 of 95 comments

  1. Re:What's the penalty for HTTPS? by buchner.johannes · Score: 4, Informative

    Any thoughts on HTTPS only for the login page, or for all pages?

    You can just steal the session cookie after login, so just doing the login page is almost useless. It prevents the attacker from learning the password and re-entering the system, but a) he can change the password and b) there is no reason he wouldn't get the job done within one session.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  2. Re:What's the penalty for HTTPS? by hart · Score: 4, Informative

    There's still a performance hit for SSL. Solutions for that include load balancers with dedicated hardware SSL support. As for what the performance hit is, try this: http://serverfault.com/questions/43692/how-much-of-a-performance-hit-for-https-vs-http-for-apache

    Re: HTTPS all vs. only on login page - as the recent Facebook session hijacking proved, it's the session cookies in cleartext that are the security problem - it doesn't sniff your password, it steals your session cookies to access your account. HTTPS should be on everything, IMHO.

    Cheers
    Leigh
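The point made in the two comments above (HTTPS on the login page alone still leaves the session cookie in cleartext on later requests), worked through as an added example that is not part of the thread. The host, cookie name, cookie value and URLs are constructed, and the `Secure` cookie attribute used for the comparison is not mentioned by the commenters.

```python
from urllib.parse import urlsplit

# Constructed sample data: host name, cookie values and URLs are made up.
HOST = "example.test"
LOGIN_ONLY_HTTPS = ["sid=constructed-session-id; Path=/; HttpOnly"]
HTTPS_EVERYWHERE = ["sid=constructed-session-id; Path=/; HttpOnly; Secure"]
BROWSING = [
    "https://example.test/login",     # credentials protected by TLS
    "http://example.test/home",       # later page loads fall back to HTTP
    "http://example.test/settings",
]


def parse_set_cookie(header_value):
    """Return (name, value, secure) for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return name, value, "secure" in attrs


def cleartext_exposures(set_cookie_headers, request_urls, host):
    """List (url, cookie_name) pairs where a cookie is sent unencrypted.

    Simplification (assumption): every cookie is scoped to the whole host;
    Domain and Path matching are not modelled.
    """
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    exposed = []
    for url in request_urls:
        target = urlsplit(url)
        if target.hostname != host or target.scheme != "http":
            continue  # other hosts get no cookie; HTTPS requests are encrypted
        for name, _value, secure in cookies:
            if not secure:  # a Secure cookie is never attached to http://
                exposed.append((url, name))
    return exposed


if __name__ == "__main__":
    for label, headers in (("login-only HTTPS", LOGIN_ONLY_HTTPS),
                           ("Secure cookie", HTTPS_EVERYWHERE)):
        hits = cleartext_exposures(headers, BROWSING, HOST)
        print(f"{label}: {len(hits)} cleartext exposure(s)")
        for url, name in hits:
            print(f"  {name} sent in the clear to {url}")
```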

  3. Good start, but install HTTPS everywhere by Enry · Score: 4, Interesting

    I don't like keeping track of what sites I can and can't use HTTPS on, so I installed HTTPS Everywhere on my browsers and get HTTPS access to a bunch of sites by default.

    BTW, when do we get HTTPS access to /.?

    1. Re:Good start, but install HTTPS everywhere by Even on Slashdot FOE · Score: 4, Funny

      When someone hacks CmdrTaco's account and posts something embarrassing using his name. I mean embarrassing enough we can tell it wasn't him, of course.

      This may be difficult, to be honest.

  4. Re:What's the penalty for HTTPS? by Baloo Uriza · Score: 4, Informative

    Most sites expect you to enter the current password to be able to change it, even if you are logged in.

    --
    Furries make the internet go.