Twitter offers encryption to beat hackers
Published 18/03/2011 | 10:03
Twitter is offering users better protection from hackers with a new option to always use an encrypted connection to access its microblogging service.
The measure is particularly designed to defend those who access Twitter via unsecured public Wi-Fi networks, which can make it easy for hackers to steal their passwords.
If activated, the new option in users' account settings means that whenever they log on, their browser will connect to Twitter's servers via HTTPS, an encrypted version of the basic web protocol. Virtually anyone trying to spy on the traffic will see only packets of completely unintelligible data.
"This will improve the security of your account and better protect your information if you’re using Twitter over an unsecured Internet connection, like a public WiFi network, where someone may be able to eavesdrop on your site activity," said Twitter spokeswoman Carolyn Penner.
"In the future, we hope to make HTTPS the default setting," she added.
Twitter already offered a HTTPS service, but it was not offered as a simple option in user account settings. Rather, those who wanted to encrypt their connection were required to type "HTTPS" in their browser address bar.
The firm's move to broaden use of HTTPS is part of a broader trend across the web industry. Last year, Google launched an encrypted version of its primary search engine, and in January Facebook began implementing a HTTPS option in its user account settings.
The secure protocol was originally developed by Netscape in 1994, but until recently it was not broadly adopted for non-financial web applications. This was mainly because the extra computing power required by websites to encrypt and decrypt data incurs higher costs than the basic HTTP protocol. Over time, however, the costs have fallen while the threat from hackers has risen.
The problem was highlighted last year by the release of Firesheep, an extension for the Firefox browser that made stealing social networking passwords from other users on an open Wi-Fi network startlingly simple.
Firesheep attackers are foiled by HTTPS, but the protocol is not completely secure. The two ends of a secure web connection "trust" each other because of a digital certificate issued by third-party security firms, and determined and well-resourced hackers can steal and forge these certificates.
Stolen digital certificates formed part of the Stuxnet virus attack on Iran's nuclear programme last year, which is widely believed to have been a joint operation by US and Israeli secret services.