Aug 24, 2011 08:57 GMT

Twitter has begun rolling out always-on HTTPS to its users; however, the rollout will take place over an extended period and starts with a limited number of accounts.

"We suggest using HTTPS for improved security. We're starting to turn this on by default for some users," the company announced through its official communications account.

HTTPS is HTTP carried over SSL/TLS, which gives a web connection confidentiality, integrity and authentication of the server the browser is talking to.

Plain HTTP connections can be read and tampered with by anyone on the path, especially on open wireless networks, where everyone in range can see the traffic and mount attacks such as ARP poisoning, DNS poisoning and session hijacking.

With those techniques an attacker can make a victim's computer resolve twitter.com to a rogue IP address. If the user connects over HTTPS, however, the server has to present a certificate for twitter.com issued by an authority the browser trusts, which the attacker cannot legitimately obtain, so the browser warns instead of silently loading the impostor's page. The protection only applies once the browser is actually using HTTPS: an attacker who intercepts the initial plain-HTTP request can try to keep the victim on HTTP, which is one reason the switch needs to be on by default rather than something each user has to remember to choose.

Furthermore, over plain HTTP the session cookie is sent in clear text with every request to the site. Websites rely on that cookie to recognise a user who has already logged in, so whoever holds it is, as far as the server can tell, that user until the session expires.

That also means an attacker can use a traffic-sniffing tool to capture the requests, extract the cookies, load them into their own browser and gain access to the corresponding accounts without ever seeing a password.

This is known as session hijacking (or "sidejacking" when the cookie is simply sniffed off the air) and can be performed with easy-to-use, freely available tools; on an open network it does not even require an active man-in-the-middle position, only the ability to observe the traffic.
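The sniff-and-replay sequence described above, together with the cookie attribute that defeats it, as an added example written for this page (it is not Twitter's code). The captured request, the cookie names and the token value are constructed for illustration; `_twitter_sess` is used only as a plausible session-cookie name, and the browser rule is modelled, not taken from any browser's source:

```python
"""Added example: why a plain-HTTP session cookie is enough to hijack an
account, and how the cookie's Secure attribute keeps it off cleartext HTTP."""
from urllib.parse import urlsplit

# Constructed sample: what a sniffer on an open Wi-Fi network sees when a
# logged-in user loads a page over plain HTTP. Cookie names and values are made up.
CAPTURED_HTTP_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: twitter.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: lang=en; _twitter_sess=BAh7CToMY3NyZl9pZCIlMDZm; guest_id=v1%3A1\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)


def parse_request_headers(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into {header-name (lower-cased): value}."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the request line (GET /home HTTP/1.1)
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def extract_cookies(raw: bytes) -> dict:
    """Return every cookie name/value the client sent in the cleartext request."""
    cookies = {}
    for pair in parse_request_headers(raw).get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def build_replay_request(path: str, host: str, cookies: dict) -> bytes:
    """The request the attacker sends from their own machine: stolen cookies, new client."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n"
    ).encode("iso-8859-1")


def parse_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header value into its name, value and attribute flags."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def browser_would_send(cookie: dict, url: str) -> bool:
    """Modelled browser rule behind the Secure attribute: a Secure cookie is only
    attached to https:// requests, so it never travels in sniffable cleartext."""
    if cookie["attrs"].get("secure") and urlsplit(url).scheme != "https":
        return False
    return True


def audit_set_cookie(header_value: str) -> list:
    """List the hardening attributes a session cookie is missing."""
    cookie = parse_set_cookie(header_value)
    missing = []
    if not cookie["attrs"].get("secure"):
        missing.append("Secure")    # would also be sent over plain HTTP
    if not cookie["attrs"].get("httponly"):
        missing.append("HttpOnly")  # readable by page script, e.g. through XSS
    return missing


if __name__ == "__main__":
    stolen = extract_cookies(CAPTURED_HTTP_REQUEST)
    print("sniffed cookies:", stolen)
    print(build_replay_request("/home", "twitter.com", stolen).decode())
    weak = "_twitter_sess=BAh7CToMY3NyZl9pZCIlMDZm; Path=/; HttpOnly"
    hard = "_twitter_sess=BAh7CToMY3NyZl9pZCIlMDZm; Path=/; Secure; HttpOnly"
    for sc in (weak, hard):
        c = parse_set_cookie(sc)
        print(sc, "-> sent over http://?", browser_would_send(c, "http://twitter.com/"),
              "missing:", audit_set_cookie(sc))
```

The second half shows why the cookie flag and the site-wide HTTPS switch go together: once the session cookie carries `Secure`, the browser withholds it from any http:// request, which stops the sniffer but also breaks every page the site still serves over HTTP, so the whole session, not just the login form, has to move to HTTPS.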

During the past year, many popular web services have announced plans to move towards default full-session HTTPS. Twitter first introduced it on an opt-in basis via a setting on the profile page and now hopes to enable it for everyone.

Google was the first major provider to put a mainstream service on always-on HTTPS, making it the default for Gmail in January 2010 and later extending it to Google Docs and other services. Facebook is also moving in this direction and hopes to complete its rollout this year, once all third-party applications are able to serve their content over HTTPS.