Twitter finally unveils HTTPS 'sidejacking' security

Twitter has finally provided a way to stop sidejacking attacks on users’ accounts with the addition of constant HTTPS encryption on the site.

Following the appearance of Firesheep on Firefox browsers, there has been an increase in hijacking of profiles while the account holder is online.

Sidejacking is when an imposter hijacks your Twitter session while sitting somewhere alongside you, according to security outfit Sophos.

“Every time you use unencrypted WiFi, for example in a coffee shop or an airport lounge, any one of the other users sitting round about could be sidejacking you. If you’re a Twitter user, it’s a no-brainer, you want this new option. Turn it on today,” said Paul Ducklin, Head of Technology at security analysts Sophos.

The new feature means that once logged on, all interactions with Twitter are encrypted with HTTPS, the encrypted form of HTTP, which stops other users of a network from identifying and using another person’s session.
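What “encrypted with HTTPS” buys against sidejacking is that the browser’s Cookie header, which carries the session token, travels inside TLS rather than in the clear where anyone on the same unencrypted WiFi can read it. As an added illustration (not code from the article or from Twitter), the following Python script audits a Set-Cookie header for the Secure and HttpOnly attributes and models which cookies an on-path observer could read on an http:// request versus an https:// one; the cookie names and values are constructed samples, not Twitter’s actual cookies.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers (assumed for illustration only,
# not Twitter's real cookie names or values).
WEAK_HEADER = "session_id=EXAMPLE_TOKEN_123; Path=/; Domain=.example.com"
HARDENED_HEADER = (
    "session_id=EXAMPLE_TOKEN_123; Path=/; Domain=.example.com; Secure; HttpOnly"
)


def audit_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header and report, per cookie, which hardening
    attributes are missing. 'Secure' keeps the cookie off plain http://
    requests; 'HttpOnly' keeps it away from page scripts."""
    jar = SimpleCookie()
    jar.load(header)
    findings = {}
    for name, morsel in jar.items():
        missing = []
        if not morsel["secure"]:
            missing.append("Secure")
        if not morsel["httponly"]:
            missing.append("HttpOnly")
        findings[name] = missing
    return findings


def cookies_visible_to_network_observer(header: str, request_scheme: str) -> list:
    """Model what someone sniffing the WiFi sees when the browser makes a request.

    Over https:// the whole Cookie header is inside the TLS session, so nothing
    is readable. Over http:// the browser attaches every cookie that is not
    marked Secure, and the sniffer can read the session token directly.
    """
    jar = SimpleCookie()
    jar.load(header)
    if request_scheme == "https":
        return []
    return [name for name, morsel in jar.items() if not morsel["secure"]]


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, "missing:", audit_set_cookie(header))
        for scheme in ("http", "https"):
            exposed = cookies_visible_to_network_observer(header, scheme)
            print(f"  {scheme}:// request exposes {exposed}")
```

The second function is the point of the exercise: an “always use HTTPS” setting protects the session only for requests that actually go over https://. If the session cookie is not also marked Secure, a single plain http:// request (a typed URL, an old bookmark, an image loaded over HTTP) still sends the token in the clear, which is the same exposure the Facebook caveat later in the article describes.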

Such an attack recently got a lot of press when it was perpetrated on Ashton Kutcher, who got himself ‘Punk’d’, as he would say.

The problem stems from the release of Firesheep back in October which allowed anyone armed with limited knowledge to latch onto profiles.

“It was incredibly easy for anyone on an unencrypted WiFi network to hack into a profile once Firesheep was released, so anyone logged in at a café or at a conference would be open to being sidejacked,” Sophos’s Senior Technology Consultant, Graham Cluley, told TechEye.

“While it was possible to do this before, Firesheep essentially made the technology accessible to the masses, in a very user-friendly way.”

“This could be done in a lighthearted way, like the recent case with Ashton Kutcher, but it could obviously also be malicious and have serious consequences.”

With Firesheep appearing some months ago it seems that Twitter has been somewhat slow in reacting. Facebook put HTTPS measures in place a couple of months ago.

It appears that the reason Twitter has taken so long to react to the threat is the difficulty of creating a fully functioning security measure that can successfully be rolled out on a large scale, according to Cluley: “There was an attempt to implement security measures in the past by Twitter, though this seems to have been a test as it was disabled shortly afterwards.”

Now that the security measures are finally up and running, the HTTPS protection should be adequate to stop further cases of sidejacking, once it is turned on of course.

According to Cluley this was an area where Facebook has actually fallen short: although it does offer HTTPS protection, that protection is removed when the user allows access to a third-party game or the like, and is not subsequently turned on again automatically.

Twitter should not encounter such problems, with the only difficulties remaining being compatibility with Twitter clients.

“While all the major Twitter clients are likely to support this, there may be some which do not which may cause some problems, though in general this will make sidejacking much more difficult,” Cluley said.

According to Cluley this could also be the reason why HTTPS is not automatically turned on for users.

To actually enable HTTPS go to the Twitter ‘Settings’ page, turn on ‘Always use HTTPS’ and then save.