Twitter Goes SSL
As a follow-up to my previous post about Facebook implementing SSL, in the last few days Twitter has followed suit and implemented SSL on Twitter.com. Enabling HTTPS is as easy as going to your account settings page, scrolling down to the bottom, and checking the “Always use HTTPS” option. This will only be enforced when you’re actually using Twitter.com (not when using a third party application such as Hootsuite; though I still highly recommend Hootsuite), but it’s still a very good practice even for those random times that you click a link to twitter.com to view someone’s profile. This also does not apply to mobile.twitter.com if you’re using the native Twitter website on your smartphone, but speculation is that HTTPS will soon be extended to that arm of the Twitterverse, and if you’ve already enabled it in your account profile it should automatically take effect if/when the developers over at Twitter implement it.
While you’re in your profile enabling the shiny new HTTPS feature, it’s a great idea to review the various applications and third parties that you’ve given access to your profile. Any Twitter client (ie: Hootsuite, Tweetdeck, Twitter for Facebook), or any website that’s integrated with your Twitter account (ie: Foursquare, LinkedIn, or About.me) was at some point granted access to your account by you. Many of us (myself included) are guilty of activating applications just to see what they are, and forget to go back in and revoke the access to it once we’ve stopped using it. This potentially opens your account up to unnecessary/unwanted activity, so it’s a best practice to frequently review the applications that are connected to your account and remove those you no longer need. Simply click the Connections tab in your account settings, and revoke access to any applications you’re no longer using.
Facebook Goes SSL
Good news for you frequent users of Facebook out there. Effective today (January 26, 2011), you’ll now have the option of enabling HTTPS secure browsing on your Facebook account. Conveniently, Facebook is happy to opt you in automatically when it comes to information sharing, but the “Secure Browsing” option is one you’ll have to go in and enable yourself. Secure Browsing will force Facebook to communicate over an HTTPS protocol whenever possible, but it’s important to note that not all applications and features will support HTTPS. Unless you just can’t live without your game that doesn’t support HTTPS I’d highly recommend you enable this option. Facebook is rolling out this option slowly, but it should appear as a valid option in your account settings shortly. For more information, read the official Facebook blog announcement.
Aside from the SSL announcement, there are several other fairly new security tools that have been largely overlooked. The one-time password feature allows you to obtain a one-time unique password that expires 20 minutes after issue, for use at internet kiosks, hotels, airports, etc. This password, requested via a simple SMS text message will only work once, and auto-expires if unused. In addition, the “Recent Activity” section of your account security page lists recent sessions your account has had on the Facebook network. This will provide a date/time, relative location, and type of device used to access the account, along with the ability to forcefully terminate the activity of any active session. Interestingly enough, I have yet to see sessions from the Facebook Android app displayed under “Recent Activity” so it’s possible that this feature hasn’t been rolled out to mobile devices. This functionality can help to monitor access to your account and help to detect unauthorized sessions on your account. More information about the one-time passwords and session monitoring can be found here.