I don’t normally log in to Twitter directly – I almost always use clients – but today I did, and I noticed something which shocked me – Twitter is sending login details over an unsecured HTTP connection! I have no idea if Twitter’s always done this, or if they are experiencing some kind of bug today, but either way, this is a serious issue.
Were I to be using public WiFi or any other untrusted network it would be trivial for someone to get both my username and password and take over my Twitter account: anything sent over plain HTTP is readable by everyone on the path, from the person at the next table to the operator of the hotspot. Worse still – if I were to use the same credentials elsewhere, as so many people do – all those other accounts could be taken over too. This is just not acceptable in 2009.
I just refused to believe Twitter could do something so horribly irresponsible – so before publishing this post I double-checked. I started at the Twitter home page and clicked “login”. This took me to a login page at http://twitter.com/login – clearly an unsecured page. Although having the login page itself unsecured has issues (an attacker who can tamper with the unsecured page can also rewrite where its form submits, so this would only ever be a partial mitigation), it would still be possible for the form to submit the details you enter into this unsecured page to Twitter over a secured connection – so I had a quick look at the source to see where the form submits to. Below is the relevant form definition:
<form action="/sessions" class="signin" method="post">
This is a relative URL, and a browser resolves a relative form action against the URL of the page the form appears on – so from http://twitter.com/login it submits to http://twitter.com/sessions – i.e. an unsecured URL. (Had the action been written as an absolute https URL, the scheme of the page would not have mattered.)
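The check below is an added example, not code from the original post or from Twitter: it finds every form on a page that carries a password field, resolves its action the way a browser does (relative to the page URL), and reports whether the credentials would travel over https. The HTML it runs on is constructed around the single form line quoted above; the username and password input names are assumptions, as the post does not show them.

```python
"""Report whether a page's login form submits credentials over https.

Added example, not code from the original post or from Twitter. The HTML at
the bottom is constructed from the <form> line quoted in the post; the two
<input> names are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collect every <form>, noting whether it contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "method": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",   # "" means "submit to the page's own URL"
                "method": (attrs.get("method") or "get").lower(),
                "has_password": False,
            }
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def resolve_action(page_url, action):
    """Resolve a form action exactly as a browser does: relative to the page URL.

    A relative action such as "/sessions" inherits the page's scheme and host,
    so the same markup posts to http://... from an http page and to https://...
    from an https page. An absolute action is returned unchanged.
    """
    return urljoin(page_url, action)


def check_login_forms(page_url, html):
    """Return [(resolved_submit_url, is_https), ...] for every password-carrying form."""
    finder = LoginFormFinder()
    finder.feed(html)
    results = []
    for form in finder.forms:
        if not form["has_password"]:
            continue
        target = resolve_action(page_url, form["action"])
        results.append((target, urlsplit(target).scheme == "https"))
    return results


# Constructed login page: the form line quoted in the post plus an assumed
# username/password input pair.
LOGIN_PAGE_HTML = """
<html><body>
<form action="/sessions" class="signin" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

if __name__ == "__main__":
    for page in ("http://twitter.com/login", "https://twitter.com/login"):
        for target, secure in check_login_forms(page, LOGIN_PAGE_HTML):
            print(f"{page} -> posts to {target}: {'OK' if secure else 'INSECURE'}")
```

Run against the http login page it flags the form as posting to http://twitter.com/sessions; run against the https login page the identical markup resolves to https://twitter.com/sessions, which is exactly why going directly to the https URL changes the outcome.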
Just to be ABSOLUTELY sure of what I’m saying, I did a simple test, I sniffed my own network traffic searching for all traffic to or from port 443 – the port for secure web connections. The command I used was:
sudo tcpdump -i en0 port 443
Before testing Twitter’s login page I tested my filter by securely logging in to GMail – this generated hundreds of packets to or from port 443 – as it should. Having verified my filter I ran it again while going through the Twitter login process (using incorrect login details obviously). My browser dutifully sent the username and password to Twitter, Twitter dutifully accepted those details (but didn’t log me in since the details were made up) – all as expected. Unfortunately – there was not a single packet detected heading to or from port 443. In other words – the login details were not sent over a secured connection!
The lack of encryption is an obvious problem – but there are two other less obvious but equally important problems too. HTTPS is not just for encrypting communications – it also serves to guarantee the integrity of the communication as well as to authenticate the end-point. When I visit a website over a secure connection, that secure connection provides me with three things:
- Encryption – ensuring that what gets sent cannot be read by anyone intercepting the communication
- Authentication – an SSL cert used for HTTPS is bound to a domain name, and the browser checks that the cert was issued for the host name in the URL by an authority it trusts – if the cert checks out I can be confident that I really am communicating with the web server that I think I’m communicating with
- Integrity – ensuring that the data sent cannot be changed en-route. I.e. that I know that what I receive is really what the server sent, and that the server will really receive what I send.
The second point here is a really important one. We live in an age where phishing is rife. There are many ways to trick your computer into thinking that www.twitter.com has a different IP address than it really does: a rogue DNS server handed out by an untrusted WiFi hotspot, a poisoned DNS cache, ARP spoofing on the local network, or an edited hosts file – in other words – your URL bar could read www.twitter.com – but you may be on a bad guy’s server. Over plain HTTP there is nothing to tell you this. With a secured connection your browser should cry foul and show a certificate error – hence alerting you to the fact that you were about to give your username and password to some attacker impersonating Twitter (provided, of course, that you do not click through the warning).
For all these reasons – secured connections are very important for my safety and the safety of all my fellow twitterers. Unsecured logins should be impossible! All attempts to log in over an unsecured connection should result in an automatic redirect to a secure login page that submits the login details over HTTPS. The redirect has to happen when the login page is requested, before any form is shown: by the time a login form has already been submitted over HTTP the password is on the wire in the clear, and redirecting that submission to HTTPS merely sends it a second time. Such a submission should be refused outright.
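What that policy looks like on the server side, as an added example that is not Twitter’s code: the routes /login and /sessions are the ones named in this post, while the request and response shape (scheme, method, path in; status, headers, body out) is an assumption chosen so that the logic runs without any web framework. Insecure GETs are redirected before a form is rendered, insecure POSTs of credentials are refused rather than redirected, and the form served over https uses an absolute https action so it cannot inherit a weaker scheme.

```python
"""Server-side policy for the login routes: never accept credentials over http.

Added example, not Twitter's code. Routes /login and /sessions come from the
post; the (scheme, method, path) -> (status, headers, body) shape, the host
name constant and the form field names are assumptions made so the policy
can be exercised without a web framework.
"""
from urllib.parse import urlunsplit

SECURE_HOST = "twitter.com"   # assumption: the canonical host to redirect to

# Served only over https. Absolute https action: even if this markup were ever
# cached or embedded somewhere unexpected, it cannot resolve to an http URL.
LOGIN_FORM = (
    '<form action="https://twitter.com/sessions" class="signin" method="post">'
    '<input type="text" name="username">'
    '<input type="password" name="password">'
    '<input type="submit" value="Sign in">'
    '</form>'
)


def secure_url(path):
    """Build the https equivalent of a path on the canonical host."""
    return urlunsplit(("https", SECURE_HOST, path, "", ""))


def handle(scheme, method, path):
    """Return (status, headers, body) for a request to the login routes.

    * GET /login over http   -> 301 to https://twitter.com/login, before any
      form is rendered, so the browser is never handed an insecure form.
    * POST /sessions over http -> 403. Redirecting here would be too late: the
      password has already crossed the wire in clear text, and a redirect
      would only make the browser send it again. Refuse, and do not attempt
      to authenticate with the exposed credentials.
    * any other http request  -> 301 to the https equivalent of the same path.
    * over https              -> serve the form / accept the POST as normal.
    """
    if scheme != "https":
        if method == "POST" and path == "/sessions":
            return 403, {}, "Login over an unsecured connection is not accepted."
        return 301, {"Location": secure_url(path)}, ""

    if method == "GET" and path == "/login":
        return 200, {"Content-Type": "text/html"}, LOGIN_FORM
    if method == "POST" and path == "/sessions":
        # Credential verification itself is out of scope for this example.
        return 200, {}, "credentials received over https; verify them here"
    return 404, {}, ""


if __name__ == "__main__":
    for request in (("http", "GET", "/login"), ("http", "POST", "/sessions"),
                    ("https", "GET", "/login"), ("https", "POST", "/sessions")):
        status, headers, _ = handle(*request)
        print(request, "->", status, headers.get("Location", ""))
```

The distinction between the two insecure cases is the part worth keeping: a 301 on the insecure GET is what the post asks for, and a 403 on the insecure POST is the honest response once the credentials have already been exposed.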
There is a small silver lining though – you can FORCE Twitter to log you in securely by going directly to the URL https://twitter.com/login rather than clicking on the login button on Twitter’s home page. If you use Twitter’s Web Interface – BOOKMARK THIS NOW – and ALWAYS log in using this URL!