Twitter enable HTTPS, so we can relax, right?
“We are all safe”, I hear journalists cry, “What took them so long?” First of all, let's examine what HTTPS actually is.
HTTPS is basically secure HTTP traffic, using SSL or secure sockets layer. Effectively, what this does is to encrypt communications between two points, these two points being your browser and the server.
Now, SSL or HTTPS are no bad thing but it really gets on my wick to hear people proclaim that it makes something secure. Let's be very, very clear about this: it does not make anything secure.
While it encrypts communications between your browser and the server you’re accessing, making sure that anything you are submitting to the site, such as personal information and passwords etc. cannot be sniffed in transit, it does not prevent attacks against the application.
In order to avoid unfairly singling out Twitter, the following should be taken as a generalised view: if an application is susceptible to an application layer attack, enabling HTTPS will only encrypt the attack between the attacker and the server, effectively hiding the attack from traditional detection mechanisms.
The reason I bring this up is that the misconception over what HTTPS does and does not bring in the way of security is something that I hear every day, and it still amazes me how much faith is put in SSL. Most IT professionals understand that the best approach to security is a layered one, that there is no magic bullet. But the ordinary user, hearing that SSL is a panacea, believing that SSL will protect them from all sorts of Internet evils, even though it can be spoofed, intercepted etc..that’s something that needs debunking.
As far as I am concerned HTTPS is a key part to securing any web application, but it is only the tip of the iceberg. If you only enable HTTPS, you basically hide the attacks in an encrypted communication between the attacker and your system. You need to look at the bigger picture and protect the application not just the communication.
As ever – it’s all about the application.