Twitter has enabled Perfect Forward Secrecy across its mobile site, website and API feeds in order to protect against future cracking of the service’s encryption. The PFS method ensures that, if the encryption key Twitter uses is cracked in the future, all of the past data transported through the network does not become an open book right away.
“If an adversary is currently recording all Twitter users’ encrypted traffic, and they later crack or steal Twitter’s private keys, they should not be able to use those keys to decrypt the recorded traffic,” says Twitter’s Jacob Hoffman-Andrews. “As the Electronic Frontier Foundation points out, this type of protection is increasingly important on today’s Internet.”
This will augment the TLS and SSL protocols already used by Twitter to protect logins and transmission of data across its network. Twitter made its site fully HTTPS compliant in early 2011, though a login flaw uncovered late last year allowed passwords to be sent in plain text for some time from a sub-section of Twitter’s site. This is a simplification, but PFS basically ensures that if an agency is recording all of Twitter’s encrypted data it can’t crack one key and read it all. Instead, Twitter has implemented a solution that lets each client and server session generate its own encryption key, never sending that key over the networks. If an organization were to collect a bunch of Twitter data, it can’t break one lock and read it all, it must now break thousands or hundreds of thousands of additional keys to read any significant chunk of data.
The organization most likely to be collecting enormous amounts of Twitter data for later decryption? The National Security Agency, who was recently revealed to have several major data gathering programs already in play. The revelations, which came via the Washington Post and whistleblower Edward Snowden, detailed a complex and robust system of collection tools that allow the NSA and other government agencies to access unencrypted data and to collect encrypted traffic in the hopes that they can decrypt that data in the future and add it to their searchable data stockpile.
The site, according to an interview with The New York Times, will encounter a bit of a speed hit to make this work, to the tune of around 150ms on initial connection. But the differential should be worth it to enable extra security. Google implemented PFS two years ago and reports earlier this year say that Facebook will follow suit. You can read more about Twitter’s implementation of PFS on its blog here.