Slashdot Mirror

← Back to Stories (view on slashdot.org)

Twitter Implements Forward Secrecy For Connections

Posted by Unknown on from the nsa-sad-it-doesn't-know-what-you-ate-five-minutes-ago dept.

Fnord666 writes with this excerpt from Tech Crunch "Twitter has enabled Perfect Forward Secrecy across its mobile site, website and API feeds in order to protect against future cracking of the service's encryption. The PFS method ensures that, if the encryption key Twitter uses is cracked in the future, all of the past data transported through the network does not become an open book right away. 'If an adversary is currently recording all Twitter users' encrypted traffic, and they later crack or steal Twitter's private keys, they should not be able to use those keys to decrypt the recorded traffic,' says Twitter's Jacob Hoffman-Andrews. 'As the Electronic Frontier Foundation points out, this type of protection is increasingly important on today's Internet.'" Of course, they are also using Elliptic Curve ciphers.

7 of 38 comments (clear)

  1. Re:SSL? by thue · · Score: 4, Informative

    Perfect Forward Security is optional in SSL - you can run SSL without DH exchange. That is the whole point of the article.

  2. Isn't the data public anyway? by jones_supa · · Score: 2

    In boundaries of my imagination, the user account password is pretty much the only private data that Twitter stores.

  3. Re: Thank God! by weazzle · · Score: 2

    You might say the same of Facebook, Google+ or LinkedIn. But considering the number of services that allow these social behemoths to provide single sign support for their users, they are now some of the most critical services to secure correctly. When I reached I went log in order to post, I was presented with the option to login with Facebook, Google+ or Twitter.

  4. Re:I Don't Undertsand by cffrost · · Score: 5, Insightful

    Twitter is completely open to anyone. So, what's the point of encryption?

    In my opinion, it's "non-optimal" (at best), to forgo encryption because you deem some traffic of yours to be of low-value. What does that tell your potential adversaries about the nature of the traffic you do encrypt? Regarding the destination, (in this case Twitter), it's unlikely known to many potential adversaries if you're using Tor, I2P, etc., , which (along with TLS with PFS,) add another layer of defense-in-depth.

    Your thinking reminds me of people/businesses that own a shredder, but only use them to shred highly-sensitive documents — it makes the job of reconstructing shredded ("unshredding") documents faster, easier, and more fruitful.

    In regard to my own data and traffic, I don't ask, "does this need to be encrypted?" I ask, "can this be encrypted? The browser plugin "TrackMeNot" helps in a similar manner, by hiding whatever I may actually search for within ~1,440 phony queries per day. I also shred everything my cross-cut shredder will accept, and I pull the o' Enron trick of mixing in used coffee grounds as an impersonal "fuck you" to any who'd try to unshred my Pennysavers, envelopes, subscription cards, scratched discs, and most importantly, "etc."

    --
    Thank you, Edward Snowden.

    "Arguments from authority are worthless." —Carl Sagan
  5. PFS Determination+ by cffrost · · Score: 4, Informative

    I recommend Calomel SSL Validation to anyone who's interested in the security of their SSL/TLS connections. It adds a toolbar button, the color of which is determined by a weighted, composite score based on various connections security parameters: Bit-lengths, algos (e.g., AES > RC4), PFS, handshake/protocol, domain matching, etc. Clicking the button displays the complete break-down, including a percentage-score for overall connection security.

    There's also a Tools menu dialog that allows one to toggle >=128 bit, >=256 bit, PFS, and/or FIPS connections exclusively, among other security and interface tweaks.

    Along the same lines, I also recommend CipherFox, which has a configurable status-bar display of symmetric/asymmetric algos and their bit-lengths, and the hash function used in a secure connection. CipherFox also allows RC4 to be toggled, which is handy in conjunction Calomel.

    The above are all freeware that appear to be written and published by individuals lacking a nefarious corporate agenda.

    --
    Thank you, Edward Snowden.

    "Arguments from authority are worthless." —Carl Sagan
  6. Google does the same thing? by Midnight_Falcon · · Score: 2

    I just checked gmail.com with Calomel SSL Validation (thanks to cffrost's post ) and it appears gmail uses PFS as well. How come this wasn't news?

  7. Safe elliptic curves... by KonoWatakushi · · Score: 2

    While the NIST curves are suspect, slow, and problematic in a number of other ways, there are fast and safe elliptic curves.