Twitter Turns On SSL Encryption For Some Users

Posted by timothy
from the 140-chars-of-nothin'-there dept.
JohnBert writes with this news from ComputerWorld, which reports that "Twitter is slowly turning on automatic encryption on its website, a move following other major providers of web-based services to thwart account hijacking over wireless networks. Twitter has offered an option for users to turn on SSL (Secure Sockets Layer) encryption, but said on Tuesday that it will turn the feature on by default for some users. It did not indicate when the option would be turned on by default for all users."
  • Anyone know how much every Twitter user using SSL would slow down the service? Twitter has always been a little slow (not surprising given how many requests they receive). This effort has got to introduce a huge scaling problem, right?
    • How does this work? (Score:4, Informative)

      by impaledsunset (1337701) on Thursday August 25, 2011 @03:19PM (#37211560)

      How do you enable SSL for "some users"? It means you have to send your credentials over an unsecured link until your secure connection kicks in, which is insecure. Even trying http before trying https is considered insecure -- even if the cookies are correctly set to require SSL, you reveal what site you are connecting to, possibly what URL from the site you're trying to access, etc. Verifying which user it is *before* enabling SSL sounds like a very bad idea.

      Enable it for everyone, set the cookies to SSL only, make sure that all links are a permanent redirect to the SSL version, and encourage users to use https URLs when they send links, keep bookmarks or try to access twitter. Possibly issue a warning for a set of the possible URLs.

      • by blueg3 (192743) on Thursday August 25, 2011 @03:28PM (#37211684)

        The exchange of credentials has always been over HTTPS. It's just that the later communication redirects to HTTP (and includes your session cookie, which can be then used for sidejacking). Of course, it's easy to turn it on for "some users", since your credential exchange is over HTTPS, and after that, you know who the user is and can have the later communication be HTTP/S as appropriate.

        Having a login page (e.g., http://www.twitter.com/ [twitter.com]) transmitted over HTTP is unsafe, since it's hard to verify where the login data is actually being sent. That is, an attacker could modify the login page to send credentials to a third party with a legitimate certificate instead of to Twitter, and since the login page wasn't HTTPS-protected, you wouldn't detect this. But, that's another story.

        HTTPS for session communication -- what they're talking about here -- has been available as a feature for a while now. They're just changing what the default is for some users.

      • "some users" can mean "users who happened to connect to a particular server bank" rather than "users who had a flag set in their profile"

      • by Firehed (942385)

        The actual POST to the login page should always be going over https. And yes, it would be great if every website in the world was https all the time for anything requiring an active session, but there's no chance of that happening without at least the complete death of Windows XP (since no version of IE on XP supports SNI, and the millions of websites on shared hosting simply cannot use SSL without that because of IP reuse) or full IPv6 adoption. Still, I'd feel better knowing at the very least that my auth

    • I don't think that a "huge scaling problem" is necessarily implied -- Twitter is probably slow because it's querying your tweets out of its database, not because the front-end Web servers are CPU bound.

    • by Hatta (162192)

      Anyone know how much every twitter user using ssl would slow down the service?

      If Google's experience is any indicator, not much [imperialviolet.org]:

      In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for l

    • by GooberToo (74388)

      Actually, it's well known the primary reason it's slow is that it's written in Ruby - or at least it used to be. [techcrunch.com]
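The sidejacking problem discussed in the thread above (login POST over HTTPS, the rest of the session falling back to HTTP with the session cookie in the clear, and the fix being SSL-only cookies plus a permanent redirect to the https version) is worked through below as an added example. It is not Twitter's code and not part of the original thread; it models a server and a browser cookie jar in one Python process with no network. The hostname example.test, the cookie name sid and the URL paths are made up for the example, and the Strict-Transport-Security header is shown as an extra hardening step that the comments do not mention.

```python
"""Added example (not Twitter's code): why protecting only the login leaks the
session over open Wi-Fi, and which two settings close the hole.
Hostname, cookie name and paths below are placeholders."""
import secrets
from urllib.parse import urlsplit

HOST = "example.test"  # placeholder, stands in for a site like twitter.com


def login_response(secure_cookie: bool) -> dict:
    """Server side: issue a session cookie after a login POST (always https).

    secure_cookie=False reproduces the pre-change default the thread describes:
    the login is protected, but the cookie is allowed to travel over plain HTTP.
    """
    sid = secrets.token_hex(16)
    attrs = [f"sid={sid}", "Path=/", "HttpOnly"]
    if secure_cookie:
        attrs.append("Secure")  # browser attaches it to https:// requests only
    headers = {"Set-Cookie": "; ".join(attrs)}
    if secure_cookie:
        # Extra step beyond the thread: ask the browser to rewrite http:// to
        # https:// for this host for a year, so the redirect hop disappears.
        headers["Strict-Transport-Security"] = "max-age=31536000"
    return {"status": 200, "headers": headers, "sid": sid}


def handle_request(url: str, cookie_header: str, https_only: bool) -> dict:
    """Server side: an https_only site answers plain-HTTP requests with a 301
    before looking at any cookie; a mixed site serves the page over HTTP."""
    parts = urlsplit(url)
    if https_only and parts.scheme == "http":
        return {"status": 301,
                "headers": {"Location": parts._replace(scheme="https").geturl()}}
    return {"status": 200, "headers": {}, "cookie_seen": cookie_header}


class CookieJar:
    """Minimal model of the one browser rule that matters here: a cookie with
    the Secure attribute is sent on https:// requests and on nothing else."""

    def __init__(self):
        self.cookies = []  # (name, value, secure)

    def store(self, set_cookie: str):
        parts = [p.strip() for p in set_cookie.split(";")]
        name, value = parts[0].split("=", 1)
        secure = any(p.lower() == "secure" for p in parts[1:])
        self.cookies.append((name, value, secure))

    def header_for(self, url: str) -> str:
        scheme = urlsplit(url).scheme
        return "; ".join(f"{n}={v}" for n, v, s in self.cookies
                         if scheme == "https" or not s)


def sniffer_view(url: str, cookie_header: str) -> str:
    """Passive attacker on an open Wi-Fi network: sees plaintext HTTP only."""
    return cookie_header if urlsplit(url).scheme == "http" else ""


def simulate(secure_cookie: bool, https_only: bool) -> dict:
    """Log in over https, then follow a plain http:// link to the same site
    (a bookmark or a link pasted into a tweet) and report what leaked."""
    jar = CookieJar()
    login = login_response(secure_cookie)
    jar.store(login["headers"]["Set-Cookie"])
    url = f"http://{HOST}/home"
    cookie_header = jar.header_for(url)
    resp = handle_request(url, cookie_header, https_only)
    return {
        "sniffer_got_session": login["sid"] in sniffer_view(url, cookie_header),
        "status": resp["status"],
        "redirected_to_https": resp["headers"].get("Location", "").startswith("https://"),
    }


if __name__ == "__main__":
    print("mixed site, plain cookie     :", simulate(False, False))
    print("redirect only, plain cookie  :", simulate(False, True))
    print("Secure cookie, no redirect   :", simulate(True, False))
    print("Secure cookie plus redirect  :", simulate(True, True))
```

The four runs show why both settings are needed: a permanent redirect on its own still lets the first http:// request carry the session cookie past the sniffer before the 301 arrives, and a Secure cookie on its own keeps the secret but lands the user on an http page where they appear logged out. Only the combination stops the leak and puts the user back on https.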

  • I'm sure AT&T hates me for -not- using their free WiFi hotspots and continuing to suck data down over 3G... I just don't like wide open networks and so much stuff that you have to log in to still -not- using HTTPS.

    • by afidel (530433)
      Guess you weren't paying attention to the happenings at Black Hat this year; your GSM/HSPA connection is NOT safe.
      • by dgatwood (11270)

        If it requires several thousand dollars in custom hardware, it's not likely to be happening in very many places. By contrast, any jackass with a standard issue laptop can snoop open Wi-Fi.

        So yeah, GSM might be sniffable, but it's still statistically a few orders of magnitude less likely to be sniffed than unencrypted Wi-Fi.

        • by yuhong (1378501)

          Not to mention they only apply to 2G connections, because 3G used strong 128-bit encryption from the beginning (GSM's A5/3 and GEA3 protocols use the same encryption algorithm but with only 64-bit keys).

      • by kf4lhp (461232)

        Didn't say 3G was safe, only that open WiFi is a lot less safe. I'm clear on the news from Blackhat.

  • They are finally serving their "Tweet Button" widget via SSL. This has long been a thorn in my side.

    https://platform.twitter.com/widgets.js [twitter.com]

  • ...if Twitter's not been using SSL for authentication why has nobody called them out on it this whole time? After all, they're a major social network and they don't protect login credentials? WTF??
  • ... https://twitter.com/settings/account [twitter.com] when you're logged in. :)

  • As I said to them a while ago, I'd be more impressed if they allowed the use of protocol-relative URIs in links (so users can maintain their HTTPS browsing when following links to my site, which supports both protocols).
  • that it sure would be great for some customers in some countries to be free to extol the virtues of capitalist democracy without fear of censorship.
    conversely it sure would be great if American customers were free to extol personal information in a patriotastic manner to government agencies in a constant and warrantless manner.
  • At least the SSL they have is configured properly https://www.ssllabs.com/ssldb/analyze.html?d=twitter.com [ssllabs.com]

    Unlike some banks...
  • On a side note, if you want this functionality now, there is a Firefox plugin called HTTPS Everywhere [eff.org]. It's a simple thing that pushes you onto SSL versions of sites (and now allows you to turn it off for individual sites quickly if it breaks something - as with Google not allowing image searches over SSL).
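The client-side approach in the comment above (rewrite http:// URLs to https:// per site, skip URLs known to break, let the user disable a site's rules) is shown below as an added example. It is not the EFF's HTTPS Everywhere code; the XML is a constructed ruleset written in the style of that extension's rulesets and is a simplification of the real format, and the host search.example and its image-search exclusion are made up to stand in for the breakage the comment mentions.

```python
"""Added example (not HTTPS Everywhere's code): a small rewrite engine for
rulesets in the style the extension uses. Ruleset XML below is constructed."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed rulesets. Only twitter.com is a real host; search.example is a
# placeholder for a site whose image search did not work over https.
RULESETS_XML = r"""
<rulesets>
  <ruleset name="Twitter">
    <target host="twitter.com"/>
    <target host="*.twitter.com"/>
    <rule from="^http://(www\.)?twitter\.com/" to="https://twitter.com/"/>
    <rule from="^http://platform\.twitter\.com/" to="https://platform.twitter.com/"/>
  </ruleset>
  <ruleset name="Example search">
    <target host="search.example"/>
    <!-- constructed: image search breaks over https, so leave those URLs alone -->
    <exclusion pattern="^http://search\.example/images"/>
    <rule from="^http://search\.example/" to="https://search.example/"/>
  </ruleset>
</rulesets>
"""


class Ruleset:
    """One <ruleset>: which hosts it applies to, which URLs it must not touch,
    and the ordered from/to regex rewrites."""

    def __init__(self, el):
        self.name = el.get("name")
        self.targets = [t.get("host") for t in el.findall("target")]
        self.exclusions = [re.compile(x.get("pattern")) for x in el.findall("exclusion")]
        self.rules = [(re.compile(r.get("from")), r.get("to")) for r in el.findall("rule")]

    def matches_host(self, host: str) -> bool:
        for t in self.targets:
            if t.startswith("*."):
                # one-level wildcard: "*.twitter.com" matches "www.twitter.com"
                # but not "a.b.twitter.com" (simplification of the real matcher)
                if host.endswith(t[1:]) and host.count(".") == t.count("."):
                    return True
            elif host == t:
                return True
        return False


def load_rulesets(xml_text: str) -> list:
    return [Ruleset(el) for el in ET.fromstring(xml_text).findall("ruleset")]


def rewrite(url: str, rulesets: list, disabled=frozenset()) -> str:
    """Return the https URL produced by the first enabled ruleset that targets
    the host, or the URL unchanged if none applies or an exclusion matches.
    `disabled` models the per-site off switch the comment mentions."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url  # already https (or not a web URL): nothing to do
    host = parts.hostname or ""
    for rs in rulesets:
        if rs.name in disabled or not rs.matches_host(host):
            continue
        if any(x.search(url) for x in rs.exclusions):
            return url
        for pattern, repl in rs.rules:
            new_url, n = pattern.subn(repl, url)
            if n:
                return new_url
    return url


if __name__ == "__main__":
    rs = load_rulesets(RULESETS_XML)
    for u in ("http://www.twitter.com/settings/account",
              "http://platform.twitter.com/widgets.js",
              "http://search.example/?q=ssl",
              "http://search.example/images?q=ssl"):
        print(u, "->", rewrite(u, rs))
    print("Twitter rules disabled:", rewrite("http://twitter.com/", rs, disabled={"Twitter"}))
```

Exclusions are checked before any rule fires, which is what keeps a site usable when one path is broken over https; everything else on the host is still upgraded. The rewrite happens before the request leaves the browser, so unlike a server-side redirect no plaintext request is ever sent for a matched URL.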
