It appears that Ashton Kutcher has become a high-profile victim of Twitter’s negligence: someone at the TED conference hijacked Kutcher’s Twitter account using tools like Firesheep. The Twitter PR account @TwitterGlobalPR tweeted that Kutcher should have enabled SSL by typing HTTPS in front of twitter.com, but that deflects from the fact that it’s Twitter’s responsibility to keep its users safe. I and other security experts have warned for years that online services need to enable HTTPS (SSL) security by default, without requiring the user to manually turn it on.
A few months ago, I issued an online security report card that flunked a few online services, including Facebook and Twitter. Facebook added a persistent SSL option that users have to enable manually, while Twitter wants users to type in HTTPS themselves or install some other tool to enforce that setting automatically; either approach leaves the vast majority of users wide open, since they don’t know the setting exists. Last weekend, Senator Chuck Schumer joined the fight to make security a default setting when he sent letters to these negligent online services. Ashton Kutcher is just another victim of bad online security, but perhaps his pain and publicity can get Twitter and Facebook to do what they should have done a long time ago.
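To show why "just type HTTPS" is not a fix, here is an added example (not code from the original post or from Twitter) that models a browser holding a session cookie for a site and checks whether any request in a browsing session carries that cookie in cleartext, which is the exposure a sniffer like Firesheep relied on. The site name, cookie handling and URL sequence are constructed for the illustration; only the server-side settings (the Secure cookie attribute and HSTS) decide the outcome, not what the user types.

```python
"""Model of why opt-in HTTPS leaves a session cookie exposed (added example)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class SitePolicy:
    """Server-side settings the service controls; the user controls none of them."""
    cookie_secure: bool = False   # Secure attribute on the session cookie
    hsts: bool = False            # Strict-Transport-Security header sent over HTTPS


@dataclass
class Browser:
    policy: SitePolicy
    hsts_hosts: set = field(default_factory=set)  # hosts the browser has pinned to HTTPS

    def request(self, url: str) -> dict:
        """Simulate one navigation and report whether the session cookie leaked."""
        parts = urlsplit(url)
        scheme, host = parts.scheme, parts.hostname
        # HSTS: once learned from an HTTPS response, the browser upgrades
        # later plain-HTTP URLs before sending anything on the wire.
        if host in self.hsts_hosts:
            scheme = "https"
        # A cookie without the Secure attribute is attached to every request
        # to the host, plain-HTTP ones included; with Secure it is withheld.
        cookie_sent = scheme == "https" or not self.policy.cookie_secure
        leaked = cookie_sent and scheme == "http"
        if scheme == "https" and self.policy.hsts:
            self.hsts_hosts.add(host)
        return {"scheme": scheme, "cookie_sent": cookie_sent, "leaked": leaked}

    def exposed(self, urls) -> bool:
        """True if the session cookie ever travels in the clear during the session."""
        return any(self.request(u)["leaked"] for u in urls)


# Constructed browsing session: the user dutifully types https once, then
# follows an ordinary http:// link back to the site (the common real case).
SESSION = [
    "https://example-social.test/home",
    "http://example-social.test/status/1",
]

OPT_IN = SitePolicy()                                  # "type HTTPS yourself"
DEFAULT_ON = SitePolicy(cookie_secure=True, hsts=True)  # SSL on by default

if __name__ == "__main__":
    print("opt-in exposed:", Browser(OPT_IN).exposed(SESSION))        # True
    print("default-on exposed:", Browser(DEFAULT_ON).exposed(SESSION))  # False
```

The second request in SESSION is what the opt-in advice cannot cover: the user did type HTTPS, yet the cookie still leaves in the clear unless the server marked it Secure and pinned the host with HSTS.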
[Cross-posted at Digital Society]