Right. Much has indeed been written about Twitter's security, or lack thereof, in just the past couple of months. In taking in what others have to say, though, I can't help but think it's being unfairly attacked.
Let's take a fair and objective view of some of the issues, and see what, if anything, a user can do to reduce her risk.
Twitter, the wildly popular micro-blogging web site, has roared onto the scene in an amazingly short time, even by Internet standards. Twitter users can post short (140-character) messages, known as tweets, to all their followers. Pretty much anyone can follow anyone else's tweets on Twitter, although there are some minimal privacy settings for those who want to limit where their tweets go and who can see them.
It's through this simple matrix of followers and writers that communities of like-minded people have joined one another in reading and posting tweets.
But several articles and blog entries have been published declaring Twitter to be insecure. A common theme among the naysayers has been Twitter's use of TinyURL, a site/service that shortens long URLs (we've all seen them) to just a few characters and then redirects anyone who follows the short link to the original. No doubt this is used so that people can post tweets containing URLs and still fit within the 140-character limit.
The problem with TinyURL and similar shortening services is that the end user has no way to tell from the short link where it actually resolves. Thus, a tweet could be pointing the reader to a hostile site containing maliciously formed data that could quite conceivably attack the reader's browser.
All of this is true, of course, but so what? The truth is that any URL we click on or enter into our browsers manually can take us to sites that contain malicious data. Granted, some sites are going to seem more trustworthy than others: a respected news outlet is likely to be more trustworthy than (say) www.click-here-to-infect-your-computer.com (which, by the way, I think is not a registered domain).
Even still, I again ask the question: so what? There is an inherent risk in pointing your browser at any web site. We've discussed here numerous ways of shoring up your browser so that you're less likely to have your system compromised, even if you visit a site containing malicious data. All of these are entirely relevant in the context of Twitter, of course.
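Because a shortened link hides its destination, the practical check is to ask the shortener where it points without letting a browser go there. The following Go program is an added example (not code from the original post, and not anything Twitter or TinyURL publish): it sends a HEAD request with redirects disabled, reads the Location header, and walks the redirect chain one hop at a time with a hop limit and loop detection, since a hostile redirector can bounce a client around indefinitely. The hostnames short.example and other.example, and the responses in the constructed fake shortener, are assumptions made so the demonstration runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// Fetcher performs one request to rawURL without following redirects and
// reports the status and Location header. Keeping it as a function value
// lets the resolver run offline against a constructed fake.
type Fetcher func(rawURL string) (status int, location string, err error)

// HeadNoRedirect is the live Fetcher: a HEAD request whose client refuses to
// follow redirects, so the shortener is consulted but the destination is
// never fetched by this program.
func HeadNoRedirect(rawURL string) (int, string, error) {
	client := &http.Client{
		Timeout: 10 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	resp, err := client.Head(rawURL)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	return resp.StatusCode, resp.Header.Get("Location"), nil
}

// ResolveChain walks the redirect chain from start and returns every URL it
// saw, ending with the page a browser would actually land on. It stops at the
// first non-3xx response, bounds the number of hops, and refuses to revisit a
// URL, because a hostile redirector can loop or chain indefinitely.
func ResolveChain(start string, fetch Fetcher, maxHops int) ([]string, error) {
	chain := []string{start}
	seen := map[string]bool{start: true}
	current := start
	for hop := 0; hop < maxHops; hop++ {
		status, location, err := fetch(current)
		if err != nil {
			return chain, err
		}
		if status < 300 || status > 399 || location == "" {
			return chain, nil // final destination reached
		}
		base, err := url.Parse(current)
		if err != nil {
			return chain, err
		}
		next, err := base.Parse(location) // Location may be relative
		if err != nil {
			return chain, err
		}
		target := next.String()
		if seen[target] {
			return chain, errors.New("redirect loop at " + target)
		}
		seen[target] = true
		chain = append(chain, target)
		current = target
	}
	return chain, errors.New("gave up after too many redirects")
}

// FakeShortener is a constructed stand-in for a shortener and the site it
// points at (assumed hostnames), so the resolver can run without network access.
func FakeShortener(rawURL string) (int, string, error) {
	switch rawURL {
	case "http://short.example/abc":
		return 301, "http://other.example/hop", nil
	case "http://other.example/hop":
		return 302, "/landing?x=1", nil // relative Location header
	case "http://other.example/landing?x=1":
		return 200, "", nil
	}
	return 404, "", nil
}

func main() {
	// Swap FakeShortener for HeadNoRedirect to inspect a real short link.
	chain, err := ResolveChain("http://short.example/abc", FakeShortener, 5)
	fmt.Println("chain:", chain, "err:", err)
}
```

The design point is that the program only ever issues HEAD requests and never follows a redirect itself, so the hostile page is named but not loaded; the hop limit and the seen set are what keep a malicious redirector from turning the check into a denial of service against the checker.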
Another common complaint is that there's no verification of a Twitter user's identity, so someone could trivially pose as (say) a celebrity and the public would be none the wiser. This too is quite true, but it's nothing new with Twitter.
Anyone still remember the old kremvax April Fools' joke from 1984? Spoofing an identity was as easy then as it is now. In the absence of a trustworthy cryptographic signature, a digital identity must not be trusted.
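What a cryptographic signature actually buys you, as an added example that is not from the original post and not anything Twitter provides: an Ed25519 signature over the exact text of a tweet, checked against a public key the verifier obtained through a channel it already trusts. The tweet text and the keys are constructed for the demonstration. A genuine message verifies, a one-character change does not, and a signature from an impostor's own key does not, whereas a Twitter username on its own proves nothing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// SignTweet signs the exact bytes of the tweet and returns the signature as
// base64 so it can travel through a text-only channel such as email.
func SignTweet(priv ed25519.PrivateKey, tweet string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(tweet)))
}

// VerifyTweet accepts the tweet only if the signature was produced by the
// holder of the private key matching pub. pub must come from a channel the
// verifier already trusts; a key fetched from the very profile being
// verified would prove nothing.
func VerifyTweet(pub ed25519.PublicKey, tweet, sigB64 string) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(tweet), sig)
}

// SignatureChecks runs the three cases a reader cares about and reports
// whether each verified: the genuine message, a tampered copy, and the same
// text signed by an impostor who has a key of their own but not the author's.
func SignatureChecks() (genuine, tampered, impostor bool, err error) {
	// Constructed author key; in practice generated once and kept private.
	authorPub, authorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}

	tweet := "Meet at the usual place at 10; bring the slides." // constructed text
	sig := SignTweet(authorPriv, tweet)

	genuine = VerifyTweet(authorPub, tweet, sig)
	tampered = VerifyTweet(authorPub, tweet+"!", sig)
	impostor = VerifyTweet(authorPub, tweet, SignTweet(impostorPriv, tweet))
	return
}

func main() {
	g, t, i, err := SignatureChecks()
	fmt.Println("genuine:", g, "tampered:", t, "impostor:", i, "err:", err)
	// An Ed25519 signature is 64 bytes, 88 characters in base64, so it cannot
	// ride inside a 140-character tweet alongside much text; the signature
	// belongs in an out-of-band message such as signed email.
	fmt.Println("base64 signature length:", base64.StdEncoding.EncodedLen(ed25519.SignatureSize))
}
```

Two things the code makes concrete that the sentence above does not: the signature covers the exact bytes, so even a trailing punctuation change breaks it, and verification is only meaningful relative to a key you already trust, which is why the out-of-band channel matters more than the mathematics.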
Now, to be fair, there have been a few published coding vulnerabilities in Twitter, including some cross-site scripting problems, clickjacking problems, and so on. But from what I can tell as an outsider (and a Twitter user), the folks at Twitter have fixed these problems on the server as they've been reported. I don't have data on how rapidly they've been fixed, but they do appear to be addressing them.
All of these security and privacy concerns are valid, but they're by no means new or unique to Twitter. No, it seems to me that Twitter is being unfairly attacked, for whatever reasons. I've heard many folks complain about Twitter's 140-character limit, saying that nothing of value can be communicated in such a small message and that Twitter must therefore be without merit.
I won't get into a debate over whether one can say something valuable in 140 characters or not, but suffice it to say that I've seen many 140-character tweets that were of value to me. But let's get past that and consider some positive recommendations on how to use Twitter safely, assuming that you also want to hear what some of your colleagues have to say in 140 characters.
Don't click on shortened (encoded) URLs if you at all doubt them. If they point to something you feel you do want to read, direct message or email the tweet's author and ask for the full citation, and then decide whether it deserves your trust.
Harden your browser anyway, just as I've suggested here many times.
Follow people who post things you're genuinely interested in. Follow people you trust. Verify their Twitter identities via a trustworthy channel, for instance an encrypted or cryptographically signed email. A signature is only as good as your confidence in the key behind it, so obtain that key from somewhere you already trust rather than from the Twitter profile you are trying to verify.
Avoid twits. There is a lot of noise on Twitter. Life is too short for that blather. Shut it off.
If you're concerned about the privacy of what you post, set your own account to "protect my posts", which restricts your tweets to only your approved followers. Approve (or disapprove) your followers. Block followers you don't know or otherwise don't want reading your tweets. Bear in mind that anyone you do approve can still copy and repost what you write, so protection limits the audience, not what that audience can do with your words.
Avoid posting URLs, or post really short URLs so that your tweets don't automatically invoke TinyURL. If you want to point to a URL, tell your followers to direct message you to request the full URL.
These, of course, are just some basic precautions you could take if you wanted to use Twitter in a reasonably safe way. Above all, though, treat it for what it is: a means of posting short bursts of information to people. If you want your own tweets to be valuable to others, be concise. Very concise.
Oh, and in case you're interested, my Twitter name is krvw.