November 24, 2013
Twitter Rolls Out New Forward Secrecy Encryption Efforts
redOrbit Staff & Wire Reports - Your Universe Online
Twitter has added an extra layer of encryption to its service, making it more difficult for third parties to spy on its users, and the popular micro-blogging network is calling on other Internet companies to do the same.
According to Reuters reporter Jim Finkle, the move is an attempt by the social media website to “thwart spying by government intelligence agencies.” Twitter has encrypted all of its traffic with conventional HTTPS since 2011.
On Friday, Twitter officials revealed that the company would be upping its encryption efforts by adding a property known as "forward secrecy" for all traffic on twitter.com, api.twitter.com, and mobile.twitter.com.
High-tech companies initially adopted forward secrecy to limit the damage when a server's long-term private key is stolen or cracked, but as Rachel King of ZDNet explained, the decryption-prevention method is now being used to help keep national security agencies at bay and “save face” with users.
“Under traditional HTTPS, the client chooses a random session key, encrypts it using the server’s public key, and sends it over the network. Someone in possession of the server’s private key and some recorded traffic can decrypt the session key and use that to decrypt the entire session,” Twitter’s Jacob Hoffman-Andrews said in a blog posting on Friday.
However, the site has now enabled the ephemeral EC Diffie-Hellman (ECDHE) cipher suites, under which the client and server jointly derive a shared random session key that is never sent across the network. The server’s private key is used only to sign the key exchange, which prevents so-called man-in-the-middle attacks, he added.
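To make the difference between the two handshakes concrete, the following is an added example in Go, not code from Twitter or from the blog post. It stages both exchanges against the same long-term RSA key and then hands that key to an attacker who recorded the traffic. The helper names (newServerKey, rsaTransport, rsaRecoverLater, signedECDHE, ecdheAttackerLater) are assumptions for this illustration; the forged signature at the end shows what the "only accessed to sign" point means in practice, namely that a stolen key still buys impersonation from now on, but not decryption of the past.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newServerKey stands in for a site's certificate private key, the long-lived
// secret a breach or subpoena can expose years later (hypothetical, not Twitter's code).
func newServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// ephemeralKey makes a fresh P-256 key that lives for one handshake only.
func ephemeralKey() *ecdh.PrivateKey {
	k, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // CSPRNG failure: nothing a handshake can recover from
	}
	return k
}

// 1. RSA key transport, the "traditional HTTPS" of the quote: the client picks the
// session key and sends it under the server's public key. The transcript is the ciphertext.
func rsaTransport(srv *rsa.PrivateKey) (sessionKey, transcript []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	transcript, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, &srv.PublicKey, sessionKey, nil)
	return sessionKey, transcript, err
}

// The attacker of the quote: recorded ciphertext plus a private key obtained
// later. It is the server's own decryption step, simply run after the fact.
func rsaRecoverLater(stolen *rsa.PrivateKey, transcript []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, stolen, transcript, nil)
}

// 2. Ephemeral EC Diffie-Hellman signed with the same long-term key. The transcript is
// all the recorder sees: two public points and a signature. No private scalar touches the wire.
type ecdheTranscript struct{ clientPub, serverPub, sig []byte }

func (t *ecdheTranscript) signedDigest() []byte {
	d := sha256.Sum256(append(append([]byte{}, t.clientPub...), t.serverPub...))
	return d[:]
}

func signedECDHE(srv *rsa.PrivateKey) ([]byte, *ecdheTranscript, error) {
	clientEph, serverEph := ephemeralKey(), ephemeralKey()
	t := &ecdheTranscript{clientPub: clientEph.PublicKey().Bytes(), serverPub: serverEph.PublicKey().Bytes()}
	// The long-term key does exactly one thing: sign the points. The client's
	// check of that signature is what stops an active attacker swapping serverPub.
	sig, err := rsa.SignPSS(rand.Reader, srv, crypto.SHA256, t.signedDigest(), nil)
	if err != nil {
		return nil, nil, err
	}
	t.sig = sig
	if err = rsa.VerifyPSS(&srv.PublicKey, crypto.SHA256, t.signedDigest(), sig, nil); err != nil {
		return nil, nil, err // a real client aborts the handshake here
	}
	// Each side combines its own private scalar with the peer's public point;
	// both arrive at the same secret without it ever being transmitted.
	clientSecret, err := clientEph.ECDH(serverEph.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	serverSecret, err := serverEph.ECDH(clientEph.PublicKey())
	if err != nil || !bytes.Equal(clientSecret, serverSecret) {
		return nil, nil, fmt.Errorf("ECDH shared secrets differ: %v", err)
	}
	key := sha256.Sum256(clientSecret)
	return key[:], t, nil // clientEph and serverEph die here; the scalars are gone
}

// The same attacker against the forward-secret handshake: the transcript holds only
// public points and no private scalar survives to combine them with, so the past key is
// unrecoverable. The stolen key still signs, so the attacker can impersonate the server from now on.
func ecdheAttackerLater(stolen *rsa.PrivateKey, t *ecdheTranscript) (pastKey []byte, canImpersonateNow bool) {
	forged := &ecdheTranscript{clientPub: t.clientPub, serverPub: ephemeralKey().PublicKey().Bytes()}
	sig, err := rsa.SignPSS(rand.Reader, stolen, crypto.SHA256, forged.signedDigest(), nil)
	if err != nil {
		return nil, false
	}
	// A client that trusts only the server's certificate accepts the forgery.
	return nil, rsa.VerifyPSS(&stolen.PublicKey, crypto.SHA256, forged.signedDigest(), sig, nil) == nil
}

func main() {
	srv, _ := newServerKey()
	key, rec, _ := rsaTransport(srv)
	got, _ := rsaRecoverLater(srv, rec)
	_, rec2, _ := signedECDHE(srv)
	past, mitm := ecdheAttackerLater(srv, rec2)
	fmt.Println("RSA: past key recovered =", bytes.Equal(got, key), "| ECDHE: past key recovered =", past != nil, "can impersonate now =", mitm)
}
```

The property rests entirely on the "E": if a server reuses its Diffie-Hellman key across connections, or if resumed sessions are protected by a long-lived session ticket key, a later compromise of that reused key reopens the recorded traffic, so those keys need the same short lifetime and rotation discipline as the ephemeral scalars above.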
As King pointed out, Twitter “actually wasn't one of the nine original tech giants revealed back in June to be utilized as a source for the National Security Agency's now-controversial data mining program, PRISM. That is likely because virtually anyone can sign up for Twitter, and for an unlimited number of accounts, with information that doesn't necessarily need to be authentic.”
Nonetheless, with the move, the San Francisco-based social network joins the ranks of Google and Yahoo, both of which have recently taken steps to help protect user information, according to Bloomberg Businessweek. Earlier this month, both companies announced that they would begin encrypting all of the information transmitted between their respective data centers, and each has reiterated that they do not allow the NSA to directly access their servers.
In announcing Twitter’s new forward secrecy efforts, Hoffman-Andrews said that this type of enhanced encryption “should be the new normal for web service owners… Security is an ever-changing world. Our work on deploying forward secrecy is just the latest way in which Twitter is trying to defend and protect the user’s voice in that world.”