Slashdot Mirror

← Back to Stories (view on slashdot.org)

Twitter Implements Forward Secrecy For Connections

Posted by Unknown on from the nsa-sad-it-doesn't-know-what-you-ate-five-minutes-ago dept.

Fnord666 writes with this excerpt from Tech Crunch "Twitter has enabled Perfect Forward Secrecy across its mobile site, website and API feeds in order to protect against future cracking of the service's encryption. The PFS method ensures that, if the encryption key Twitter uses is cracked in the future, all of the past data transported through the network does not become an open book right away. 'If an adversary is currently recording all Twitter users' encrypted traffic, and they later crack or steal Twitter's private keys, they should not be able to use those keys to decrypt the recorded traffic,' says Twitter's Jacob Hoffman-Andrews. 'As the Electronic Frontier Foundation points out, this type of protection is increasingly important on today's Internet.'" Of course, they are also using Elliptic Curve ciphers.

38 comments

  1. SSL? by BitZtream · · Score: 1

    So they switch to SSL? Thats kind of the point of the DH exchange in SSL. Stealing the key later still doesn't get you access to the data since the DH exchange ensures that neither side ever transmits enough information to derive the key.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:SSL? by DavidClarkeHR · · Score: 1

      So they switch to SSL? Thats kind of the point of the DH exchange in SSL. Stealing the key later still doesn't get you access to the data since the DH exchange ensures that neither side ever transmits enough information to derive the key.

      Because twitter security is important.

      ... particularly to big companies and brands. Maybe this will help them monetize their service?

      --
      - Nec Impar Pluribus, or so I'm told.
    2. Re:SSL? by thue · · Score: 4, Informative

      Perfect Forward Security is optional in SSL - you can run SSL without DH exchange. That is the whole point of the article.

    3. Re:SSL? by BitZtream · · Score: 1

      I got the first post, do you seriously think I read the article? Be happy it was at least in the right ballpark topic wise!

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  2. Thank God! by Anonymous Coward · · Score: 0

    My account was hacked and the hacker made a FOOL out of me!

    I would tweet, "I just went to the bathroom."

    And the hacker would post, "And took a HUGE #shit".

    Can you believe it!

    It's a good thing because with all these insightful and important posts on Twitter, the last thing we need are hackers and security agents destroying the value of Twitter! And it also destroys the further value of the Internet!

    1. Re:Thank God! by MRe_nl · · Score: 1

      "I just went to the bathroom".

      @JFK
      #YOLO #suicide-vest # Allahu Akbar

      --
      "Kill 'em all and let Root sort 'em out"
    2. Re: Thank God! by weazzle · · Score: 2

      You might say the same of Facebook, Google+ or LinkedIn. But considering the number of services that allow these social behemoths to provide single sign support for their users, they are now some of the most critical services to secure correctly. When I reached I went log in order to post, I was presented with the option to login with Facebook, Google+ or Twitter.

  3. I Don't Undertsand by Anonymous Coward · · Score: 0

    Twitter is completely open to anyone. So, what's the point of encryption? Similarly, what's the point of warrants and subpoenas for account information?

    It's all there in the open for anyone to read.

    1. Re:I Don't Undertsand by amiller2571 · · Score: 1

      It is not completely open, you can set you tweets to private and only approved people can view them.

    2. Re:I Don't Undertsand by Sqr(twg) · · Score: 1

      If the NSA can break the encryption they will be able to recover your login credentials. Then they can send false tweets to your friends saying "Help, I'm in Nigeria and my wallet was stolen. Can you wire me $1000?" or "Vote for Jeb Bush in 2016!"

    3. Re:I Don't Undertsand by cffrost · · Score: 5, Insightful

      Twitter is completely open to anyone. So, what's the point of encryption?

      In my opinion, it's "non-optimal" (at best), to forgo encryption because you deem some traffic of yours to be of low-value. What does that tell your potential adversaries about the nature of the traffic you do encrypt? Regarding the destination, (in this case Twitter), it's unlikely known to many potential adversaries if you're using Tor, I2P, etc., , which (along with TLS with PFS,) add another layer of defense-in-depth.

      Your thinking reminds me of people/businesses that own a shredder, but only use them to shred highly-sensitive documents — it makes the job of reconstructing shredded ("unshredding") documents faster, easier, and more fruitful.

      In regard to my own data and traffic, I don't ask, "does this need to be encrypted?" I ask, "can this be encrypted? The browser plugin "TrackMeNot" helps in a similar manner, by hiding whatever I may actually search for within ~1,440 phony queries per day. I also shred everything my cross-cut shredder will accept, and I pull the o' Enron trick of mixing in used coffee grounds as an impersonal "fuck you" to any who'd try to unshred my Pennysavers, envelopes, subscription cards, scratched discs, and most importantly, "etc."

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
    4. Re:I Don't Undertsand by FatLittleMonkey · · Score: 1

      Social network accounts (twitter/facebook/google/blogger) are used to automate login to other sites. If you don't want anyone other that the giant social network and their monetised advertising networks tracking you across 3rd party sites, you need to lock down the traffic between twitter/etc, you, and the 3rd party sites.

      --
      Science is all about firing a drunk pig out of a cannon just to see what happens.
    5. Re:I Don't Undertsand by wiredlogic · · Score: 1

      Keep thinking that. This only applies to systems Twitter controls. If you tweet through SMS you're still vulnerable.

      --
      I am becoming gerund, destroyer of verbs.
    6. Re: I Don't Undertsand by amiller2571 · · Score: 1

      Well that sucks, but good to know.

    7. Re:I Don't Undertsand by ozbon · · Score: 1

      As well as coffee grounds, I find that cat-shit makes a very useful "anti-unshredding" device.

      --
      I say we take off and nuke it from orbit. It's the only way to be sure...
    8. Re:I Don't Undertsand by Anonymous Coward · · Score: 0

      My work's office shredder supplies a hamster cage.

  4. Isn't the data public anyway? by jones_supa · · Score: 2

    In boundaries of my imagination, the user account password is pretty much the only private data that Twitter stores.

    1. Re:Isn't the data public anyway? by Anonymous Coward · · Score: 1

      "In boundaries of my imagination, the user account password is pretty much the only private data that Twitter stores."

      Twitter messages are public but users can also send private messages.
      Source: http://en.wikipedia.org/wiki/Twitter#Privacy_and_security

      Also, it's possible to "protect" tweets. The Twitter account will say:
      "Only confirmed followers have access to @username's Tweets and complete profile. Click the "Follow" button to send a follow request."
      Source: https://support.twitter.com/articles/14016-about-public-and-protected-tweets

      You could've Google'd that. I did. Took me 2 minutes to search and write this reply.

    2. Re:Isn't the data public anyway? by Anonymous Coward · · Score: 0

      In boundaries of my imagination, the user account password is pretty much the only private data that Twitter stores.

      The more data that is encrypted, the less that government agencies can simply slurp up for later analysis. It's not so much about the content, it's the fact that yet another service has made web surfing encrypted.

      More encryption (even of "unimportant" bits) means the reduced effectiveness of dragnet tactics. It helps to force governments to go back to targeted surveillance—or at the very least going to the server, which would (hopefully) require some kind of paper trail, a bunch of lawyers, and generally a whole bunch more witnesses.

    3. Re:Isn't the data public anyway? by thue · · Score: 1

      If NSA has a complete record of which tweets you read, then the NSA already knows a lot about you.

  5. like tweeting in secret? by Anonymous Coward · · Score: 0

    only the persons you prefer can read your twits

    1. Re:like tweeting in secret? by AHuxley · · Score: 1

      It depends on who is working for who and who is funding what.
      NGO, color revolution, 'spring' uprisings, human rights stories in select countries are great.
      Talking about peace, drone strikes, protests, contractors, press rights, law reform could gain traction in other countries. No Western gov really wants to see that kind of real time interaction form in their countries on web 2.0.
      So you do all you can to protect the "freedom" protesters with good crypto in select distant areas but ensure the NSA and GCHQ always have the keys.
      If your protesting a gov selected for a color revolution enjoy top quality encryption.
      If your protesting a gov funding a color revolution: No encryption for you.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:like tweeting in secret? by Desler · · Score: 1

      But isn't the point of Twatter so that you can share with the world that #ijusttookadump?

  6. pointless PR by Anonymous Coward · · Score: 0

    why bother when all it takes is a NSA letter for them to do whatever is required of them ? its not like they have a choice

    unless they and their servers/business registration leave USA this is nothing but a PR attempt (much like MS and their outlook.com) , until you stop the NSA and the USA stalker culture this is a worthless gesture and does nothing to "secure" anything

    1. Re:pointless PR by sumdumass · · Score: 1

      Maybe the NSA and US government agencies isn't exactly who the user is afraid of monitoring their accounts. Maybe in areas like Syria where a simple tween of one faction or the other's troop advancement can mean something more serious then the US government knowing your panties are red today or whatever else you are tweeting. Maybe in Egypt or Iran, it is dangerous for the tweeter too. There are lots of entities you might not want to know what is in your tweets when they are marked private. Some could be good reasons and some less so and the reasons don't have to involve the US at all.

  7. That new Slashdot interface by Anonymous Coward · · Score: 0

    That new Slashdot interface is a monstrosity. Also it's slow as fuck. Who needs 2.0 and cloud anyways ? Bring the fun back you insensitive clod !

  8. NSA by Anonymous Coward · · Score: 0

    GO FUCK OFF THE PLANET NOW

  9. Hey Thanks! by Anonymous Coward · · Score: 0

    Hey thanks for spending your time to Google and post the results of research that I don't give enough of a fuck about to ever bother with. It increases my understanding without taxing me with any sort of effort at all. That's just how I like it.

    Why don't you Google something important for me this time?

    TTFN

  10. PFS Determination+ by cffrost · · Score: 4, Informative

    I recommend Calomel SSL Validation to anyone who's interested in the security of their SSL/TLS connections. It adds a toolbar button, the color of which is determined by a weighted, composite score based on various connections security parameters: Bit-lengths, algos (e.g., AES > RC4), PFS, handshake/protocol, domain matching, etc. Clicking the button displays the complete break-down, including a percentage-score for overall connection security.

    There's also a Tools menu dialog that allows one to toggle >=128 bit, >=256 bit, PFS, and/or FIPS connections exclusively, among other security and interface tweaks.

    Along the same lines, I also recommend CipherFox, which has a configurable status-bar display of symmetric/asymmetric algos and their bit-lengths, and the hash function used in a secure connection. CipherFox also allows RC4 to be toggled, which is handy in conjunction Calomel.

    The above are all freeware that appear to be written and published by individuals lacking a nefarious corporate agenda.

    --
    Thank you, Edward Snowden.

    "Arguments from authority are worthless." —Carl Sagan
  11. Google does the same thing? by Midnight_Falcon · · Score: 2

    I just checked gmail.com with Calomel SSL Validation (thanks to cffrost's post ) and it appears gmail uses PFS as well. How come this wasn't news?

    1. Re:Google does the same thing? by lxs · · Score: 1

      What's the value in having perfect forward security on the connection when they mine and share your data anyway?

    2. Re:Google does the same thing? by Anonymous Coward · · Score: 0

      What's the value in having perfect forward security on the connection when they mine and share your data anyway?

      It's a security buzzword that lots of higher eschelon folks have been seeing bandied about in the tech press (slashdot headlines, etc), and therefore those folks either (a) think it will somehow make twitter and other services a fundamentally more secure form of communications, or (b) think that it will convince a large number of lower eschelon folks to believe (a). Thus allowing the revolution of technology to get past the Snowden revelation phase, back to the throngs of miseducated into false sense of security phase. Which is what the current systems of control depend on. Yes, the foundation of our society seems to be built on technological ignorance of the masses. (The Snowden revelations are to this generation what the Church hearings were to the prior generation. I.e. the public being briefly exposed to the shear simplicity of the criminal fourth ammendment violating dragnets. But the upper eschelon folks needn't worry. The spin machines have been hard at work getting the public to think that the core insecurities have somehow been fixed (e.g. this article)

    3. Re:Google does the same thing? by auric_dude · · Score: 1

      Does Mozilla Lightbeam https://www.mozilla.org/en-US/lightbeam/ throw any light on their and other's data mining efforts?

    4. Re:Google does the same thing? by Ceriel+Nosforit · · Score: 1

      We agreed to Google doing that when signing up. No one has agreed to share their data with the NSA.

      --
      All rites reversed 2010
  12. What's the point of encrypting twitter messages? by Anonymous Coward · · Score: 0

    Isn't the whole point of Twitter to post nearly meaningless snippets of text that you want everyone to see?

    Encryption seems pointless for Twitter so this seems more like a PR move than anything meaningful.

  13. Safe elliptic curves... by KonoWatakushi · · Score: 2

    While the NIST curves are suspect, slow, and problematic in a number of other ways, there are fast and safe elliptic curves.

    1. Re:Safe elliptic curves... by Anonymous Coward · · Score: 0

      You don't want to know which one Tor switched to internally just after all this was announced...

  14. Elliptic curve by manu0601 · · Score: 1

    There are two ciphers family that will provide PFS: DHE (Diffie-Hellman Exchage) and ECDHE (Elliptic Curve DHE). Having PFS enabled for all modern browsers is just about the server offering both families with appropriate priorities, so that clients pick a PFS enabled cipher. Qualys SSL server test is a good tool for checking for an appropriate configuration, although it could make clearer that you cannot both have PFS for modern browsers, and protect against BEAST server-side.

    Note that the Elliptic Curve used in ECDHE is not the one that was claimed to be compromised by NSA. We have no information suggesting ECHDE is at risk