Twitter is responding to mounting pressure after some high profile account compromises by allowing customers to opt-in to always-on secure HTTPS SSL mode. Unfortunately, I doubt most people will go to the trouble of opting in by going to the security settings. Since HTTPS is virtually cost-free to operate continuously for websites that already support HTTPS, Twitter should just default to an always on HTTPS setting without the need for opt-in security. Facebook recently adopted a similar opt-in security strategy and the criticism applies to them as well.
The other big problem that Twitter hasn’t solved is that they still don’t use HTTPS for their sign-in page. I criticized Facebook for the same problem because users have no way of knowing if they’re on the real Twitter or Facebook sign-in page even if they look for it. It works if users manually type in HTTPS but hardly anyone does that. The way Facebook and Twitter are set up now, the typical user will ignore the new security features and still get their account hijacked just as easily as before.
[Cross-posted at Digital Society]
