Slashdot Mirror

← Back to Stories (view on slashdot.org)

Twitter Turns On SSL Encryption For Some Users

Posted by timothy on from the 140-chars-of-nothin'-there dept.

JohnBert writes with this news from ComputerWorld, which reports that "Twitter is slowly turning on automatic encryption on its website, a move following other major providers of web-based services to thwart account hijacking over wireless networks. Twitter has offered an option for users to turn on SSL (Secure Sockets Layer) encryption, but said on Tuesday that it will turn the feature on by default for some users. It did not indicate when the option would be turned on by default for all users."

2 of 36 comments (clear)

  1. How does this work? by impaledsunset · · Score: 3, Informative

    How do you enable SSL for "some users"? It means you have to send your credentials over an unsecured link until your secure connection kicks in, which is insecure. Even trying http before trying https is considered unsecure -- even if the cookies are correctly set to require require SSL, you reveal what site are you connecting to, possibly what URL from the site you're trying to access, etc. Verifying which user it is *before* enabling SSL sounds like a very bad idea.

    Enable it for everyone, set the cookies to SSL only, make sure that all links are a permanent redirect to the SSL version, and encourage users to use https URLs when they send links, keep bookmarks or try to access twitter. Possibly issue a warning for a set of the possible URLs.

    1. Re:How does this work? by blueg3 · · Score: 3, Informative

      The exchange of credentials has always been over HTTPS. It's just that the later communication redirects to HTTP (and includes your session cookie, which can be then used for sidejacking). Of course, it's easy to turn it on for "some users", since your credential exchange is over HTTPS, and after that, you know who the user is and can have the later communication be HTTP/S as appropriate.

      Having a login page (e.g., http://www.twitter.com/) transmitted over HTTP is unsafe, since it's hard to verify where the login data is actually being sent. That is, an attacker could modify the login page to send credentials to a third party with a legitimate certificate instead of to Twitter, and since the login page wasn't HTTPS-protected, you wouldn't detect this. But, that's another story.

      HTTPS for session communication -- what they're talking about here -- has been available as a feature for a while now. They're just changing what the default is for some users.