Next steps for t.co, after HTTPS-only for new links


#1

Continuing the discussion from Moving t.co to HTTPS only for new links:

This is an outstanding move, and thank you very much for making it. This is the sort of precedent that will help others make the same move.

Some questions about next steps:

  • You estimate a 10% reduction in referrer traffic for linked-to sites. Will you post some data of what the reductions actually turn out to be afterwards?
  • Will Twitter institute 301 redirects to HTTPS for all past/present/future HTTP t.co links?
  • And/or, will Twitter add an HSTS policy for t.co that ensures HSTS-supporting browsers will upgrade old HTTP links without needing to make an insecure connection at all? (And if so, will Twitter implement HSTS preloading for t.co?)

Thank you very much again for being a leader on this, and for leaning on Referrer Policy!


#2

Thanks for the follow-up, @konklone. Great questions.

On the first question, we can’t easily provide that data ourselves as it will obviously be reflected on target sites. The point here is that this should be a temporary change that balances out as users update their browsers - this is not a hard-and-fast numerical change.

Twitter already does 200 or 301 redirects for t.co link, based on factors unrelated to the protocol - so the https migration won’t have any impact on the status code from visiting a t.co link.

No plans at this time to add an HSTS policy.

Hope that clarifies! Thanks for your attention and interest, we are excited to make this change and help to improve the security of the web in this small way! :smile:


#3

Can you please specify the exact time when this change will be made live on twitter platform and backend API


#4

Hi @niall and @andypiper, congrats on shipping the HTTPS switch for t.co! I’ve been seeing it in action for weeks now, and it’s personally just made me a lot more comfortable clicking links out of Twitter, especially on my phone.

In your original announcement, you estimated a 10% drop in referrer information, due to user agents that don’t respect Referrer Policy. I’m curious if you can share what the actual numbers are, now that you’ve had this in production for a little while. It’ll be a very helpful point of data for other service providers and link shorteners that are considering the same move.

I’ll also just reiterate my request for an HSTS header for t.co, along with HSTS preloading, assuming that Twitter’s seeing the transition go smoothly and doesn’t have plans to revert t.co to HTTP support.

Thanks for all your work securing Twitter for its users!


#5

One other small thing - the official t.co documentation page is out of date regarding HTTPS behavior and link lengths:

https://dev.twitter.com/overview/t.co