Social media giant Twitter has announced new security measures designed to make it impossible for security agencies and cyber criminals to snoop on its users.
Following the raft of high-profile security scares in the media recently, Twitter has joined the likes of Google and Facebook in adding an additional layer of security, dubbed ‘Perfect Forward Secrecy’, which adds further encryption to data sent by the site’s 200 million or so users.
In a recent blog post the social site said,
“On top of the usual confidentiality and integrity properties of HTTPS, forward secrecy adds a new property. If an adversary is currently recording all Twitter users’ encrypted traffic, and they later crack or steal Twitter’s private keys, they should not be able to use those keys to decrypt the recorded traffic.”
Twitter also noted that they didn’t see perfect forward secrecy as a gimmick but rather as a new standard that the whole world wide web should consider implementing:
“We are writing this not just to discuss an interesting piece of technology, but to present what we believe should be the new normal for web service owners. A year and a half ago, Twitter was first served completely over HTTPS. Since then, it has become clearer and clearer how important that step was to protecting our users’ privacy.”
Jim Killock, director of the Open Rights Group (ORG), said it was a “policy move” driven by revelations about mass surveillance by British eavesdropping agency GCHQ as well as the US National Security Agency. He said,
“Companies have now realised precisely how vulnerable their information is on the internet. It’s no longer a theoretical risk. We know it’s been going on now.
This is about asking users to trust the companies involved and to also force the legal authorities to approach companies directly rather than attempting to seize the data in transit.”
Twitter have enabled support for perfect forward secrecy by deploying cipher suites based on elliptic-curve Diffie-Hellman key exchange. These cipher suites remove the need to send the session key between client and server at all, where it could be intercepted by a third party and later used to decrypt the data. Twitter explained the situation thus:
“Under those cipher suites, the client and server manage to come up with a shared, random session key without ever sending the key across the network, even under encryption. The server’s private key is only used to sign the key exchange, preventing man-in-the-middle attacks.”
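To make the two quoted passages concrete, here is an added Go example (not code from Twitter or from the original article) that runs a signed ephemeral X25519 key exchange alongside the older RSA key-transport design it replaces, and then plays the adversary from Twitter's definition against both: a recorded transcript plus a later-stolen long-term key. The server identity type, the transcript structure, the session-key derivation and all function names are assumptions made for this example; the derivation is a simplified stand-in for a real TLS key schedule, not the one Twitter's servers use.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Transcript is everything a passive eavesdropper can record from one ECDHE handshake.
type Transcript struct {
	ClientEphPub, ServerEphPub, Signature []byte
}

// ServerIdentity is the server's long-term Ed25519 key pair (assumed here as a
// stand-in for a TLS certificate key). In ECDHE it is only ever used to sign.
type ServerIdentity struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

// signedData is what the server signs: both ephemeral public keys, so a man in
// the middle cannot substitute their own without invalidating the signature.
func signedData(tr Transcript) []byte {
	return append(append([]byte{}, tr.ClientEphPub...), tr.ServerEphPub...)
}

// deriveKey computes the X25519 shared secret from one side's ephemeral private
// key and the peer's ephemeral public key, then hashes it with the transcript into
// a 32-byte session key (a simplified stand-in for the TLS key schedule).
func deriveKey(own *ecdh.PrivateKey, peerPub []byte, tr Transcript) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append(shared, signedData(tr)...))
	return key[:], nil
}

// ECDHEHandshake runs one signed ephemeral exchange. Both ephemeral private keys
// are locals that vanish when it returns; what survives is the session key each
// side computed and the public transcript an eavesdropper could have recorded.
func ECDHEHandshake(server *ServerIdentity) (clientKey, serverKey []byte, tr Transcript, err error) {
	curve := ecdh.X25519()
	clientEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, tr, err
	}
	serverEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, tr, err
	}
	tr.ClientEphPub = clientEph.PublicKey().Bytes()
	tr.ServerEphPub = serverEph.PublicKey().Bytes()
	// Server: the long-term key signs the exchange and is used for nothing else.
	tr.Signature = ed25519.Sign(server.Priv, signedData(tr))
	if serverKey, err = deriveKey(serverEph, tr.ClientEphPub, tr); err != nil {
		return nil, nil, tr, err
	}
	// Client: trust ServerEphPub only once the signature verifies against the
	// server's known public key, then derive the same key from the other half.
	if !ed25519.Verify(server.Pub, signedData(tr), tr.Signature) {
		return nil, nil, tr, errors.New("server signature invalid: possible man-in-the-middle")
	}
	if clientKey, err = deriveKey(clientEph, tr.ServerEphPub, tr); err != nil {
		return nil, nil, tr, err
	}
	return clientKey, serverKey, tr, nil
}

// RSAKeyTransport is the older, non-forward-secret design: the client chooses the
// session key and sends it encrypted under the server's long-term RSA key, so the
// recorded ciphertext is all an eavesdropper needs once that key leaks.
func RSAKeyTransport(serverRSA *rsa.PrivateKey) (sessionKey, wire []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wire, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverRSA.PublicKey, sessionKey, nil)
	return sessionKey, wire, err
}

// RecoverRSASession is the adversary in Twitter's post run against RSA transport:
// the recorded wire bytes plus a later-stolen private key yield the session key.
func RecoverRSASession(wire []byte, stolen *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, stolen, wire, nil)
}

// RecoverECDHESession is the same adversary run against ECDHE. The stolen key can
// only produce signatures; the transcript carries no ciphertext and no private value,
// and the ephemeral private keys the ECDH step needs were never sent and no longer exist.
func RecoverECDHESession(tr Transcript, stolen ed25519.PrivateKey) ([]byte, error) {
	_ = stolen // accepted only to make the point: it has no use against this transcript
	return nil, errors.New("transcript holds only public values: recorded session key is not recoverable")
}
```

In the ECDHE case the eavesdropper's recording holds two public points and a signature, and both ephemeral private keys are gone by the time the function returns; in the RSA case the recording holds the session key itself, encrypted under a key the adversary later obtains. That difference in what crosses the wire is the whole of the property Twitter's post describes, and the signature check on the client side is the part that stops an active attacker from substituting their own ephemeral key.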
The Diffie-Hellman method that Twitter are now implementing was originally published by Whitfield Diffie and Martin Hellman in 1976, though GCHQ had also implemented the same key-exchange method a few years earlier but kept it classified.
Dr Ian Brown, associate director of Oxford University’s Cyber Security Centre, said that perfect forward secrecy “effectively reinforces the rule of law about interception” and described Diffie-Hellman as “effectively impossible [to crack]”.
Brown suggested this would leave government agencies unable to eavesdrop on communications in transit when searching for information, putting them back in the position of having to approach companies with a warrant in order to gain access to particular messages or other data.