“Twitter is insecure. Twitter is the root of all evil.”
Right. Much has indeed been written about Twitter’s security – or lack thereof – in just the past couple of months. In taking in what others have to say, though, I can’t help but think it’s being unfairly attacked.
Let’s take a fair and objective view of some of the issues, and see what, if anything, a user can do to reduce her risk.
Twitter, the wildly popular micro-blogging web site, has roared onto the scene in an amazingly short time, even by Internet standards. Twitter users can post short (140-character) messages known as “tweets” to all their followers. Pretty much anyone can follow anyone else’s tweets on Twitter, although there are some minimal privacy settings and such for those who want to limit the scope of where their tweets go and who can see them.
It’s through this simple matrix of followers and writers that communities of like-minded people have joined one another in reading and posting their tweets.
But several articles and blog entries have been published declaring Twitter to be insecure. A common theme among the naysayers has been Twitter’s use of TinyURL, a site/service that encodes long URLs—we’ve all seen them—to be just a few characters long. No doubt this is used so that people can post tweets with URLs and still fit within the 140-character tweet limit.
The problem with TinyURL and similar encoding mechanisms is that the end user really doesn’t know what’s in the original URL itself. Thus, a tweet could be pointing the reader to a hostile site containing maliciously formed data that could quite conceivably attack the reader’s browser.
All of this is true, of course, but so what? The truth is that any URL we click on or enter into our browsers manually can take us to sites that contain malicious data. Granted, some sites are going to seem more trustworthy than others: a respected news outlet is likely to be more trustworthy than (say) www.click-here-to-infect-your-computer.com—which, by the way, I think is not a registered domain.
Even still, I again ask the question: so what? There is an inherent risk in pointing your browser to any web site. We’ve discussed here numerous ways of shoring up your browser so that you’re less likely to have your system compromised, even if you visit a site containing malicious data. All of these things are entirely relevant in the context of Twitter, of course.
Another common complaint is that there’s no verification of a Twitter user’s identity, so someone could trivially pose as (say) a celebrity and the public would be none the wiser. This too is quite true, but it’s nothing new with Twitter.
Anyone still remember the old “kremvax” April Fools’ joke from 1984? Spoofing an identity was as easy then as it is now. In the absence of a trustworthy cryptographic signature, digital identity must not be trusted.
Now, to be fair, there have been a few published coding vulnerabilities on Twitter, including some cross-site scripting problems, “clickjacking” problems, etc. But from what I can tell as an outsider (and a Twitter user), the folks at Twitter have fixed these problems on the server as they’ve been reported. I don’t have data on how rapidly they’ve been fixed, but they do appear to be addressing them.
All of these security and privacy concerns are valid, but they’re by no means new or unique to Twitter. No, it seems to me that Twitter is being unfairly attacked for whatever reasons. I’ve heard many folks complain about Twitter’s 140-character tweet limit, saying that nothing of value can be communicated in such a small message, therefore Twitter must be without merit.
I won’t get into a debate of whether one can say something valuable in 140 characters or not, but suffice to say that I’ve seen many 140-character tweets that were of value to me. But let’s get past that and consider some positive recommendations on how to safely use Twitter, assuming that you also want to hear what some of your colleagues want to say in 140 characters.
• Don’t click on encoded URLs if you at all doubt them. If they point to something you feel you do want to read, direct message or email the tweet’s author and ask for the full citation, and then decide whether it deserves your trust.
• Harden your browser anyway, just like I’ve suggested here many times.
• Follow people who post things you’re genuinely interested in. Follow people you trust. Verify their Twitter identities via a trustworthy channel like, for instance, an encrypted or cryptographically signed email.
• Avoid twits. There is a lot of noise on Twitter. Life is too short for that blather. Shut it off.
• If you’re concerned about the privacy of what you post, set your own account to “protect my posts,” which restricts your tweets to only your followers. Approve (or disapprove) your followers. Block followers you don’t know or otherwise don’t want reading your tweets.
• Avoid posting URLs, or post really short URLs so that your tweets don’t automatically invoke TinyURL. If you want to point to a URL, tell your followers to direct message you to request the full URL.
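As an added example (not code from the original post, Twitter or TinyURL), one way to act on the advice above about encoded URLs: expand a shortened link by sending only a HEAD request and reading its Location header without following the redirect, then check whether the destination host is one you recognise. The shortening service here is a constructed in-process stub so the code runs offline; `expand_short_url`, `destination_is_expected` and the stub are my own names, not any real service’s API.

```python
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urlparse


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Refuse to follow redirects: we want the Location header, not the page.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def expand_short_url(short_url, timeout=5):
    """Return the URL a shortened link redirects to (None if it does not
    redirect). Only a HEAD request is sent and the redirect is not followed,
    so the destination page itself is never fetched."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(short_url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, urllib surfaces the 3xx as an HTTPError.
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise


def destination_is_expected(target, trusted_hosts):
    """True only if the expanded URL lands on a host the reader recognises."""
    host = (urlparse(target).hostname or "").lower()
    return host in trusted_hosts


class _ShortenerStub(http.server.BaseHTTPRequestHandler):
    # Constructed stand-in for a shortening service: every path redirects here.
    DESTINATION = "http://example.com/long/article?id=123"

    def do_HEAD(self):
        self.send_response(301)
        self.send_header("Location", self.DESTINATION)
        self.end_headers()

    def log_message(self, *args):  # keep the stub quiet
        pass


def start_stub_server():
    # Start the stub on a free loopback port; return (server, short URL).
    srv = http.server.HTTPServer(("127.0.0.1", 0), _ShortenerStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/abc123" % srv.server_address[1]
```

Call `start_stub_server()`, pass the returned short URL to `expand_short_url`, and stop the server with `shutdown()` when done.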
These, of course, are just some basic precautions you could take if you wanted to use Twitter in a reasonably safe way. Above all, though, treat it for what it is—a means of posting short bursts of information to people. If you want your own tweets to be valuable to others, be concise. Very concise.
Oh, and in case you’re interested, my Twitter name is “krvw.”