Whenever I ask security experts how I can be sure the website I want to visit is safe and hopefully malware-free, the most common response is to make sure the site is encrypted. Look for the green bar or the lock symbol, they tell me, and whenever possible, use the site's secure browsing capability.
But how many of us think to "opt in" to the HTTPS setting on a website? I always look for it when I am doing any financial transaction, and I make sure to use secure browsing whenever I'm on Facebook. However, for other sites, especially those where I am sharing information, I don't think to check.
That's why the recent news from Twitter is so welcome. The social media site has decided to make HTTPS the default after having been an opt-in site since last March. As eWeek explained:
"Users who connect to unsecured WiFi networks, such as public hotspots in a coffee shop or a hotel lobby, run the risk of having their Web information intercepted by malicious attackers. If the website the user is accessing doesn't encrypt the connection with HTTPS, then anyone monitoring the connection can use readily available networking sniffing tools to read the contents of a session cookie or see the contents of the Website being transferred. Attackers who can see the session cookie can impersonate those users."
Making HTTPS the default provides an extra layer of security for all users, of course, but especially for those who use Twitter for business. It's one less step that security departments need to worry about. Graham Cluley of Sophos provided a good explanation of why Twitter's decision is such a good move:
"Tools such as Firesheep have made it child's play in the past for anyone to access the Twitter or Facebook account of someone close by if they haven't taken the right precautions."
Cluley pointed out the example of someone taking over actor Ashton Kutcher's Twitter site when he was using an unprotected Wi-Fi hotspot. No business can afford the type of brand damage caused by someone hijacking or attacking a Twitter account.
So I second Cluley's response: Twitter's move is a good one. Let's hope that other social media sites will soon follow suit and make secure browsing the default, rather than an opt-in option.