

Twitter is vulnerable to Firesheep even when you connect via HTTPS - PawelDecowski

For a session to be secure *all* requests that carry the cookie need to be over HTTPS.

When going to https://twitter.com/ I noticed that (among dozens of others) it requests URL http://twitter.com/scribe?[...] (note HTTP, not HTTPS) which includes the session cookie.

Hence, it's sent in plain text, even if you go to https://twitter.com/
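As an added illustration, not part of the post and not Twitter's code, of why a single http:// sub-resource is enough to expose the session: a browser-like cookie jar attaches any cookie that lacks the Secure attribute to every request for the cookie's host regardless of scheme, and withholds it from plain-HTTP requests only when Secure is set. Python's standard-library CookieJar implements that same rule, so the script below uses it offline to show which requests from a constructed page load would carry the cookie in the clear. The hostnames, cookie name and list of requested URLs are constructed for the example.

```python
"""Added example, not from the thread: a browser-like cookie jar decides whether
a session cookie rides along on each sub-resource request. Hostnames, cookie
names and the list of requested URLs are constructed for illustration."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _CannedResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies() to read
    Set-Cookie headers without touching the network (constructed stand-in)."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            self._headers.add_header("Set-Cookie", header)

    def info(self):
        return self._headers


def cookie_header_for(set_cookie, login_url, fetched_url):
    """Store `set_cookie` as if `login_url` had returned it, then return the
    Cookie header the jar attaches to a later request for `fetched_url`, or
    None when the jar's policy withholds it (Secure cookie on an http:// URL)."""
    jar = CookieJar()  # default policy: Secure cookies only over https/wss
    jar.extract_cookies(_CannedResponse([set_cookie]), Request(login_url))
    sub_request = Request(fetched_url)
    jar.add_cookie_header(sub_request)
    return sub_request.get_header("Cookie")


def plaintext_requests_carrying_cookie(set_cookie, login_url, requested_urls):
    """Audit helper: list the requested URLs that are plain http:// AND would
    carry the session cookie in the clear. An empty list is the goal."""
    leaks = []
    for url in requested_urls:
        if url.startswith("http://") and cookie_header_for(set_cookie, login_url, url):
            leaks.append(url)
    return leaks


if __name__ == "__main__":
    LOGIN = "https://twitter.com/"
    # Constructed sample of what one page load requested (mixed schemes).
    REQUESTED = [
        "https://twitter.com/home",
        "http://twitter.com/scribe?event=page_view",  # the kind of request the post describes
        "https://twitter.com/i/timeline",
    ]
    weak = "_session=abc123; Path=/; HttpOnly"             # no Secure attribute
    hardened = "_session=abc123; Path=/; Secure; HttpOnly"  # Secure attribute set
    print("without Secure:", plaintext_requests_carrying_cookie(weak, LOGIN, REQUESTED))
    print("with Secure:   ", plaintext_requests_carrying_cookie(hardened, LOGIN, REQUESTED))
```

The Secure attribute on the server's Set-Cookie header is the fix the site controls; the client-side extensions recommended in the thread only work around its absence by rewriting requests to https:// before they leave the browser.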
======
devmonk
If using FF, check out: HTTPS Everywhere ( <https://www.eff.org/https-everywhere> ) or Force TLS ( <https://addons.mozilla.org/en-US/firefox/addon/12714/> )

For Chrome, note that EFF says: "...There is a Chrome extension called KB SSL
Enforcer which attempts to take that approach, but it does not appear to be
implemented securely; when we tested it, it seemed to always use http before
https, which means that your surfing habits and authentication cookies are not
protected (this may be a limitation of the Chrome Extensions framework)."

If using OS X, check out: <http://github.com/nicksieger/sheepsafe>

Could also try using Comodo TrustConnect:
<http://www.comodo.com/trustconnect/>

But note for the latter that they keep logs of traffic:

"Q: I'm a cyber criminal myself and I'd like to use this service to do all of
my dirty work: breaking into others' personal information, stealing credit
cards, sending SPAM and breaking other laws. Will you tell?

A: Yes we will. We have logs of all system connections and will provide them
to the proper authorities upon request. We're trying to eliminate the web of
people like you, not help you do your dirty work."

