Twitter Enables Perfect Forward Secrecy Across Sites To Protect User Data Against Future Decryption
Twitter Enables Perfect Forward Secrecy Across Sites To Protect User Data Against Future Decryption: Twitter has enabled Perfect Forward Secrecy across its mobile site, website and API feeds in order to protect against future cracking of the service’s encryption. The PFS method ensures that, if the encryption key Twitter uses is cracked in the future, all of the past data transported through the network does not become an open book right away.
“If an adversary is currently recording all Twitter users’ encrypted traffic, and they later crack or steal Twitter’s private keys, they should not be able to use those keys to decrypt the recorded traffic,” says Twitter’s Jacob Hoffman-Andrews. “As the Electronic Frontier Foundation points out, this type of protection is increasingly important on today’s Internet.”
This will augment the TLS and SSL protocols already used by Twitter to protect logins and transmission of data across its network. Twitter made its site fully HTTPS compliant in early 2011, though a login flaw uncovered late last year allowed passwords to be sent in plain text for some time from a sub-section of Twitter’s site. This is a simplification, but PFS basically ensures that if an agency is recording all of Twitter’s encrypted data it can’t crack one key and read it all. Instead, Twitter has implemented a solution that lets each client and server session generate its own encryption key, never sending that key over the networks. If an organization were to collect a bunch of Twitter data, it can’t break one lock and read it all, it must now break thousands or hundreds of thousands of additional keys to read any significant chunk of data.