Twitter is adding a security option that you should turn on immediately unless you think eavesdroppers could make more creative use of your account than you.
The San Francisco micro-blogging service now allows you to encrypt your use of the site — not just when you log in, as is already the case, but throughout. It’s often referred to as “always-on SSL,” (short for “Secure Sockets Layer,” the earliest level of encryption offered by financial sites) or “HTTPS” (after the prefix you’ll see in your browser instead of the usual “http”).
Without this protection, other users on the same network — for instance, those logged into the same public WiFi signal — can read your traffic and possibly steal your login using surveillance tools like Firesheep, released last year. With encryption, they only pick up gibberish.
A blog post by Twitter spokeswoman Carolyn Penner explains how to choose this option: Log into the site, click the Settings link in the menu below your username at the top right of the page, scroll down and click the checkbox next to “Always use HTTPS.” Then click the Save button to keep those changes (you may need to enter your password again). The post also notes that while Twitter’s official iPhone and iPad applications also encrypt your session, its mobile does not — there, you’ll still need to type in or bookmark https://mobile.twitter.com yourself.
Twitter’s programs for Android, BlackBerry and other non-Apple devices don’t yet benefit from this new option either, Penner wrote in an e-mail. “We’re working on it,” she said.
The move follows Facebook’s welcome addition of this option in January. It comes a few weeks too late for actor Ashton Kutcher, who had his Twitter account hijacked at a technology conference this month. The unknown hackers took a poke at the celebrity’s career by using his account to post a mocking tweet: “Ashton, you’ve been Punk’d. This account is not secure. Dude, where’s my SSL?”
I trust that if you use Twitter, your next click will be to enable this option. Then please come back here and talk about what other sites should offer this option outside of its standard use to shield logins and financial transactions.