Twitter Strengthens Service's Security
Twitter has implemented a security technology that makes it harder to spy on its users and called on other Internet firms to do the same.
The company recently enabled "forward secrecy" for traffic on twitter.com, api.twitter.com, and mobile.twitter.com. On top of the usual confidentiality and integrity properties of HTTPS, forward secrecy adds a new property. If an adversary is currently recording all Twitter users' encrypted traffic, and they later crack or steal Twitter's private keys, they should not be able to use those keys to decrypt the recorded traffic.
Under traditional HTTPS, the client chooses a random session key, encrypts it using the server's public key, and sends it over the network. Someone in possession of the server's private key and some recorded traffic can decrypt the session key and use that to decrypt the entire session. In order to support forward secrecy, Twitter enabled the EC Diffie-Hellman cipher suites. Under those cipher suites, the client and server manage to come up with a shared, random session key without ever sending the key across the network, even under encryption. The server's private key is only used to sign the key exchange, preventing man-in-the-middle attacks.
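The difference the paragraph above describes can be shown end to end in code. The following Go program is an added example, not code from Twitter or from this article: it simulates both handshakes over a constructed transcript (the bytes a passive eavesdropper would record), then "leaks" the server's long-term RSA key and tries to recover each session key. It assumes X25519 for the ephemeral exchange and RSA-PSS for the server's signature; the real cipher suites Twitter deployed and their curve are not named in the article, and the `Transcript` struct is a stand-in for TLS messages, not a real wire format.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Transcript is everything a passive eavesdropper can record off the wire.
// Constructed for this example; it is not a real TLS message format.
type Transcript struct {
	EncryptedSessionKey []byte // RSA key transport: session key encrypted to the server's long-term key
	ClientShare         []byte // ECDHE: client's ephemeral public key
	ServerShare         []byte // ECDHE: server's ephemeral public key
	Signature           []byte // ECDHE: server's long-term signature over both shares
}

// rsaHandshake models traditional key transport: the client picks the session
// key and sends it encrypted under the server's long-term public key.
func rsaHandshake(server *rsa.PrivateKey) ([]byte, Transcript, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, Transcript{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &server.PublicKey, sessionKey, nil)
	return sessionKey, Transcript{EncryptedSessionKey: ct}, err
}

// rsaRecoverLater is the adversary's step after the long-term key leaks:
// decrypt the recorded key-transport message and the whole session opens up.
func rsaRecoverLater(server *rsa.PrivateKey, tr Transcript) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, server, tr.EncryptedSessionKey, nil)
}

// ecdheHandshake models an ECDHE suite: fresh X25519 keys on both sides, only
// public shares cross the wire, and the server's long-term key merely signs them.
// It returns the session key each side derived so the caller can compare them.
func ecdheHandshake(server *rsa.PrivateKey) (clientKey, serverKey []byte, tr Transcript, err error) {
	curve := ecdh.X25519()
	clientEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, tr, err
	}
	serverEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, tr, err
	}
	tr.ClientShare, tr.ServerShare = clientEph.PublicKey().Bytes(), serverEph.PublicKey().Bytes()

	// The server authenticates the exchange by signing both shares with its long-term key;
	// the client verifies before trusting the server's share, which is what stops a MITM.
	digest := sha256.Sum256(append(append([]byte{}, tr.ClientShare...), tr.ServerShare...))
	if tr.Signature, err = rsa.SignPSS(rand.Reader, server, crypto.SHA256, digest[:], nil); err != nil {
		return nil, nil, tr, err
	}
	if err = rsa.VerifyPSS(&server.PublicKey, crypto.SHA256, digest[:], tr.Signature, nil); err != nil {
		return nil, nil, tr, err
	}

	// Each side parses the peer's share out of the transcript and derives the secret locally.
	serverPub, err := curve.NewPublicKey(tr.ServerShare)
	if err != nil {
		return nil, nil, tr, err
	}
	clientPub, err := curve.NewPublicKey(tr.ClientShare)
	if err != nil {
		return nil, nil, tr, err
	}
	clientSecret, err := clientEph.ECDH(serverPub)
	if err != nil {
		return nil, nil, tr, err
	}
	serverSecret, err := serverEph.ECDH(clientPub)
	if err != nil {
		return nil, nil, tr, err
	}
	ck, sk := sha256.Sum256(clientSecret), sha256.Sum256(serverSecret)
	// clientEph and serverEph go out of scope here: the ephemeral private scalars are gone,
	// and the long-term RSA key was never able to decrypt anything in this exchange.
	return ck[:], sk[:], tr, nil
}

// Result summarizes both experiments.
type Result struct {
	RSARecovered   bool // the leaked long-term key recovered the RSA-transported session key
	ECDHEKeysAgree bool // both sides derived the same ECDHE session key
	ECDHEKeyOnWire bool // the ECDHE session key appears anywhere in the recorded traffic
}

// Demo runs one handshake of each kind and then plays the "key leaked later" adversary.
func Demo() (Result, error) {
	var r Result
	server, err := rsa.GenerateKey(rand.Reader, 2048) // the server's long-term key
	if err != nil {
		return r, err
	}
	sessionKey, tr, err := rsaHandshake(server)
	if err != nil {
		return r, err
	}
	recovered, err := rsaRecoverLater(server, tr) // recorded traffic + leaked key
	if err != nil {
		return r, err
	}
	r.RSARecovered = bytes.Equal(recovered, sessionKey)

	ck, sk, tr2, err := ecdheHandshake(server)
	if err != nil {
		return r, err
	}
	r.ECDHEKeysAgree = bytes.Equal(ck, sk)
	// The recording holds only public shares and a signature; the key was never sent,
	// and turning two public shares into the shared secret is the computational DH problem.
	wire := bytes.Join([][]byte{tr2.ClientShare, tr2.ServerShare, tr2.Signature}, nil)
	r.ECDHEKeyOnWire = bytes.Contains(wire, ck)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("RSA key transport: leaked key recovers recorded session: %v\n", r.RSARecovered)
	fmt.Printf("ECDHE: sides agree on key: %v, key present in recording: %v\n", r.ECDHEKeysAgree, r.ECDHEKeyOnWire)
}
```

The point the run makes is the one in the text: with key transport, the long-term private key plus a recording is enough to reopen every past session, while with an ephemeral exchange the long-term key only ever signed, so leaking it later yields nothing. The guarantee holds only as long as the ephemeral private keys (and, on a real server, any session-ticket keys) are actually discarded; a server that caches and reuses its ephemeral key for days has quietly turned it into a long-term key again.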
Twitter's move is the latest response from U.S. Internet firms following disclosures by former spy agency contractor Edward Snowden about widespread, classified U.S. government surveillance programs.