As with many tech companies, Twitter has been caught up in the government spying fallout, and has taken steps to protect its users’ data, the latest of which was an announcement on the company’s blog this evening: forward secrecy. With forward secrecy, Twitter has essentially enabled a contingency plan against the possibility of some agency recording encrypted traffic and at some point in the future decrypting it with Twitter’s private keys.
For those who are intimately interested in Twitter’s security efforts, the microblogging website has extensively detailed its forward secrecy efforts, stating that CPU usage was a valid concern. To keep the load lower, the company went with the Elliptic Curve Diffie-Hellman cipher suites over traditional Diffie-Hellman, which it says would have resulted in “significantly more CPU” usage.
Under this, both server and client generate a random shared key for the session that is not transmitted over the network, encrypted or otherwise. The private keys, then, are only used to sign for this, keeping one’s hand out of the other’s jar, so to speak, and disrupting whatever man-in-the-middle attacks might be attempted. From there, the service had to deal with some TLS session tickets issues, and ultimately the new security measure was brought to life.
Says Twitter, this announcement is to, in part, bring to light what it feels should be “the new normal” for websites. The microblogging service is encouraging other services to implement HTTPS as a default, and for Web users to demand that the services they use do so. After all, says the service, “Security is an ever-changing world.”
SOURCE: Twitter Blog