Twitter users are being urged to turn on the service’s new ‘always use https’ setting, which closes the loophole behind a spate of high-profile account hijacks in recent months: session cookies travelling over unencrypted HTTP.
Although the login itself is protected, so passwords are not exposed, hacking tools such as the proof-of-concept ‘Firesheep’ Firefox add-on have shown how easily the session cookie the site issues afterwards can be sniffed when users connect to social media sites over plain HTTP on open public WiFi hotspots.
Armed with such a cookie, an attacker can present it to the site and impersonate the user as if they had logged in with the victim’s credentials, without ever learning the password. That is the route behind high-profile hijacks such as the recent, successful one against celebrity Ashton Kutcher. Until now the only defence has been to use the site via https://twitter.com for the whole session, not just at login.
This sort of attack once required a degree of know-how, but Firesheep removes that barrier. Sniffing session cookies is as simple as sitting at a hotspot and waiting for victims to visit one of a range of popular sites, Twitter included, that do not serve the logged-in session over https by default.
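As an added illustration, not code from the article or from Twitter, the following Python script reproduces the mechanism at the heart of the Firesheep problem using the standard-library cookie jar: a session cookie issued on the HTTPS login response is attached by the browser to every later plain http:// request unless it carries the Secure attribute, so it crosses the open hotspot in the clear. The cookie names, values and URLs are constructed for the demonstration and are not the real cookies twitter.com uses.

```python
"""Why 'always use https' closes the Firesheep hole.

A browser stores the session cookie it receives on the HTTPS login response and
then replays it on every request to the same site.  If the site is browsed over
plain http:// and the cookie lacks the Secure attribute, the cookie goes over the
open Wi-Fi in cleartext, where Firesheep-style sniffers can read and replay it.
Modelled here with Python's standard-library cookie jar (browser-equivalent rules).
"""
import http.cookiejar
import urllib.request
from email.message import Message

# Assumption: site name used only to build example URLs; cookie values are made up.
SITE = "twitter.com"
WEAK_COOKIE = "_session=abc123; Path=/; HttpOnly"            # no Secure attribute
HARDENED_COOKIE = "_session=abc123; Path=/; Secure; HttpOnly"  # Secure attribute set


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info().get_all()."""

    def __init__(self, set_cookie_header):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def jar_after_login(set_cookie_header):
    """Simulate the browser storing the cookie issued on the HTTPS login response."""
    jar = http.cookiejar.CookieJar()
    login_req = urllib.request.Request(f"https://{SITE}/login")
    jar.extract_cookies(_Response(set_cookie_header), login_req)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the browser would attach to a request for url, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies the same Secure/domain/path rules a browser does
    return req.get_header("Cookie")


def exposure_report(set_cookie_header):
    """Map each scheme to the Cookie header that would leave the machine over it.

    Over https the header is inside TLS; over http it is readable by anyone on the
    same open hotspot, which is exactly what Firesheep harvests.
    """
    jar = jar_after_login(set_cookie_header)
    return {
        "https": cookie_header_for(jar, f"https://{SITE}/"),
        "http": cookie_header_for(jar, f"http://{SITE}/"),
    }


def sniffable_over_http(set_cookie_header):
    """True if the session cookie would be sent in the clear to http://SITE/."""
    return exposure_report(set_cookie_header)["http"] is not None


if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        report = exposure_report(hdr)
        print(f"{label:9} https -> {report['https']!r:20} http -> {report['http']!r}")
```

Two things follow from the run. Without the Secure attribute, one stray http:// page load after login (a typed URL, a bookmarked link, a redirect) carries the full session cookie in cleartext; with it, the browser withholds the cookie from plain http and the sniffer sees nothing. The ‘always use https’ setting attacks the same problem from the server side by never serving the logged-in session over http in the first place, which is why both measures together are what a site should deploy.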
As of yesterday, Twitter users can protect themselves from Firesheep-style hijacking by enabling the ‘always use https’ option in the account settings panel, without having to remember to type the https address each time.
There are limitations. The setting does not yet cover mobile users, who still have to get https by visiting a dedicated site, https://mobile.twitter.com/.
“We are working on a solution that will share the ‘always use https’ setting across twitter.com and mobile.twitter.com, so you don’t have to think about which device you’re using when you want to check Twitter,” notes the official blog.
Another limitation is the wide range of third-party applications used to post tweets, which may or may not connect over https: the new setting controls how twitter.com serves the user’s browser session, not what those clients do.