Twitter Joins the HTTPS By Default Party
wiredmikey writes "Following a trend in allowing users to automatically utilize the secure HTTPS protocol when accessing Web-based services, Twitter announced this week that it has added the option for users to force HTTPS connections by default when accessing Twitter.com.
The reasons to utilize HTTPS when accessing any personal accounts aren't new, but an easy-to-use extension for Firefox called 'Firesheep,' released in October 2010, spiked concern, as it enables HTTP session hijacking for the masses."
Good (Score:4, Informative)
I'd like to see all community sites do that.
I got an addon that tries to force SSL where available, and it's surprising how many sites don't have SSL enabled at all.
HTTPS by default? Not exactly, Misleading headline (Score:2, Informative)
Users are required to change this setting themselves, nothing default about it. It's simply an added option.
Now Gmail, this is HTTPS by default.
Also, I read mobile.twitter.com will not even switch to HTTPS? wut.
Smarten up, Slashdot and editors.
Re:What's the penalty for HTTPS? (Score:5, Informative)
Any thoughts on HTTPS only for the login page, or for all pages?
You can just steal the session cookie after login, so just doing the login page is almost useless. It prevents the attacker from learning the password and re-entering the system, but a) he can change the password and b) there is no reason he wouldn't get the job done within one session.
Re:Good start, but install HTTPS everywhere (Score:4, Informative)
Slashdot has HTTPS access if you are a paying subscriber.
Re:It is built in to Firefox 4 (Score:4, Informative)
From what I am understanding of the article, it's there to stop:
http://www.example..../ [www.example....] [redirect to] https://..../ [....]
Which could be grounds for a Man In The Middle Attack. It does not say anything about forcing people to use HTTPS, just that it will be done automatically instead of using a redirect. So it'll make sites which force HTTPS safer, but it won't force Twitter to push HTTPS if you haven't asked for it.
There is a better explanation on Wikipedia. Basically, after the header is received the browser will convert any http: requests to https:, therefore bypassing any redirect. Whether this will force you to use HTTPS depends on whether Twitter will set this header on their HTTPS site only or on both HTTP and HTTPS. Even if they do set it only on the HTTPS site, it will force you to use HTTPS if you visit the HTTPS URL even once.
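The two mechanisms the thread discusses, modelled as an added example that is not code from any commenter, Twitter or a browser: a tiny HSTS store showing how a header learned over https: makes the browser rewrite later http: URLs itself (no redirect to intercept), plus the cookie check behind the "HTTPS only for login is almost useless" point, since a session cookie without the Secure attribute still travels over plain HTTP. Host names, header values and cookies below are constructed samples.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Minimal HSTS store, as a browser keeps it: host -> (expiry, includeSubDomains)
HSTS_STORE = {}

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            max_age = int(value.strip('" '))
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def record_response(url, headers, now=None):
    """Remember HSTS only when learned over https:; browsers ignore it on http:."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    if parts.scheme != "https" or "Strict-Transport-Security" not in headers:
        return False
    max_age, include_sub = parse_hsts(headers["Strict-Transport-Security"])
    if max_age is None:
        return False
    HSTS_STORE[parts.hostname.lower()] = (now + max_age, include_sub)
    return True

def upgrade(url, now=None):
    """Rewrite http: to https: when a live HSTS entry covers the host (or a parent
    with includeSubDomains); this is the in-browser step that replaces the redirect."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    labels = parts.hostname.lower().split(".")
    for i in range(len(labels)):
        entry = HSTS_STORE.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return urlunsplit(("https",) + tuple(parts[1:]))
    return url

def cookie_leaks_over_http(set_cookie):
    """True when a Set-Cookie value lacks Secure: the browser would then send the
    session cookie on any plain http: request, which is what sniffing collects."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" not in attrs
```

Note that an entry only helps once the https: site has been visited, which is exactly the caveat the last comment raises.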