In association with heise online

16 March 2011, 10:47

Twitter adds "Always use HTTPS" option

The Twitter micro-blogging service has added a new setting that allows users to always use HTTPS when accessing Twitter.com, so that data is encrypted via SSL not only during log-in but also on the site's other pages. This means that even cookies are now transmitted in encrypted form and can no longer be read and exploited for fraudulent activities by attackers using such tools as the Firesheep extension for Firefox.

According to Twitter's Carolyn Penner, prior to the new option, HTTPS was only used by default when logging into Twitter, to protect users' passwords, and on the official Twitter for iPhone and iPad mobile app. However, Penner notes that: "There are also a few instances where turning on HTTPS in your settings does not force HTTPS. For example, when accessing Twitter from your mobile browser, you need to go to https://mobile.twitter.com to use HTTPS for now," adding that, "We are working on a solution that will share the 'Always use HTTPS' setting across twitter.com and mobile.twitter.com, so you don’t have to think about which device you’re using when you want to check Twitter." It's worth noting that third-party apps may or may not use an always-on HTTPS connection – Echofon, for example, allows users to enable SSL for all requests under its advanced settings.


Image caption: The new "Always use HTTPS" option can be found on the twitter.com/settings/account page.

Users can enable the new "Always use HTTPS" option via their account settings page by checking the appropriate box towards the bottom of the page. While users could previously connect to Twitter using HTTPS, this could only be done manually by typing in https://twitter.com. The new option, once enabled, does this automatically.

In late January, the Facebook social networking site began offering the option of completely encrypted communication. Upon further inspection, it was discovered that Facebook's HTTPS workaround was rather crude: if users clicked a link to a Facebook app, the site would ask them if they wanted to switch to a standard HTTP connection, as the content they wanted to view could not be displayed using HTTPS. Once users clicked continue, the site completely disabled the HTTPS option under account settings in the background without indicating to users that it would do so.

(crve)

Permalink: http://h-online.com/-1209032
 

