Twitter has finally gotten on board the SSL train and made HTTPS the default login option for all of its users who sign in through the Web interface. The company had made secure login an option for users last year but hadn’t made it the default mechanism.
On Monday, officials at Twitter said that they were making HTTPS the default option for all users who log in through the service’s Web page.
“Now, HTTPS will be on by default for all users, whenever you sign in to Twitter.com. If you prefer not to use it, you can turn it off on your Account Settings page. HTTPS is one of the best ways to keep your account safe and it will only get better as we continue to improve HTTPS support on our web and mobile clients,” the company said in a statement.
It’s not clear exactly how many of Twitter’s users come in through the Web site rather than through one of the dozens of third-party clients such as Twhirl or Tweetdeck. Those clients simply use Twitter’s API and don’t typically send users’ credentials over SSL, and a default that applies to the Web login page does nothing to change that. The same is true for clients on mobile phones such as iPhones and Android devices, and that represents a big part of Twitter’s user base.
Still, making HTTPS the default option for Web users is a big step in the right direction for a company with millions of users. The Twitter user base is a major target for phishers, spammers and other attackers, and a large portion of the attacks on them involve trying to get users to log in through a fake URL. Given the propensity of users to reuse usernames and passwords on multiple sites and services, stealing a victim’s Twitter credentials can be a major coup for an attacker.
Now that HTTPS is the default, users who know to look for it have one more cue: a Twitter login page that doesn’t show the HTTPS indicator in the browser is out of place. That cue only goes so far, though. What HTTPS-by-default mainly buys is protection against someone on the same network, an open Wi-Fi hotspot for instance, reading the password or the session cookie off the wire. It does not stop phishing on its own, because a fake site can be served over HTTPS too, so the domain name in the address bar matters at least as much as the padlock. And since Twitter has left users the option to turn HTTPS off, the new default protects only the accounts that keep it on.
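Whether “HTTPS by default” actually protects an account depends on more than the login page being encrypted: the session cookie set after login also has to carry the Secure flag, or the browser will send it in the clear the next time it makes any http:// request to the site, which is exactly what a sniffer on shared Wi-Fi waits for. The following added example (not from the article, and not Twitter’s code) audits a login exchange for that. The HTTP responses are constructed by hand, the host `example.test` and the cookie name `session` are placeholders, and nothing is fetched from the network.

```python
"""Audit a login exchange for what 'HTTPS by default' is meant to protect:
the session.  Added example, not from the article or from Twitter.  The
exchanges below are constructed by hand; nothing is fetched.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Response:
    """One HTTP response as the client saw it (constructed, not captured)."""
    request_url: str   # URL the request was sent to
    status: int
    headers: list      # list of (name, value) pairs


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit_login_flow(responses, session_cookies=("session",)):
    """Return a list of findings; an empty list means the flow passed.

    Checks:
      * a request sent over http:// must be answered with a redirect to https://
      * a session cookie must never be issued over plain HTTP
      * a session cookie must carry Secure (otherwise the browser resends it on
        any later http:// request to the host) and HttpOnly
    """
    findings = []
    for resp in responses:
        scheme = urlsplit(resp.request_url).scheme.lower()
        headers = [(n.lower(), v) for n, v in resp.headers]
        location = next((v for n, v in headers if n == "location"), "")

        if scheme == "http":
            redirected = (300 <= resp.status < 400
                          and urlsplit(location).scheme.lower() == "https")
            if not redirected:
                findings.append(f"{resp.request_url}: served over plain HTTP "
                                "without redirecting to https://")

        for n, v in headers:
            if n != "set-cookie":
                continue
            name, attrs = parse_set_cookie(v)
            if name not in session_cookies:
                continue
            if scheme == "http":
                findings.append(f"{resp.request_url}: session cookie {name!r} "
                                "issued over plain HTTP")
            if "secure" not in attrs:
                findings.append(f"{resp.request_url}: session cookie {name!r} lacks Secure")
            if "httponly" not in attrs:
                findings.append(f"{resp.request_url}: session cookie {name!r} lacks HttpOnly")
    return findings


# Constructed exchange 1: login page and cookie both travel in the clear.
WEAK_FLOW = [
    Response("http://example.test/login", 200, [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session=abc123; Path=/"),
    ]),
]

# Constructed exchange 2: http:// bounces to https://, cookie flagged properly.
HARDENED_FLOW = [
    Response("http://example.test/login", 301, [
        ("Location", "https://example.test/login"),
    ]),
    Response("https://example.test/login", 200, [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ]),
]

if __name__ == "__main__":
    for label, flow in (("weak", WEAK_FLOW), ("hardened", HARDENED_FLOW)):
        print(label, "->", audit_login_flow(flow) or "no findings")
```

The middle case is the one worth remembering: an HTTPS login page that sets the session cookie without Secure still passes the “padlock on the login page” test and still leaks the session the moment the browser follows any http:// link to the same host.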