Microblogging site Twitter is combating cyber snooping by making it harder for hackers to decrypt its encrypted data even if the hackers manage to get their hands on Twitter’s private keys.
Twitter said it is using a method called perfect forward secrecy on top of its usual confidentiality measures and traditional HTTPS encryption.
“Under traditional HTTPS, the client chooses a random session key, encrypts it using the server’s public key and sends it over the network,” a blog post by Twitter engineer, Jacob Hoffman-Andrew said. “Someone in possession of the server’s private key and some recorded traffic can decrypt the session key and use that to decrypt the entire session.”
He said Twitter is using the EC Diffie-Hellman cipher suites, a method of exchanging cryptographic keys, to support forward secrecy. With this method, Hoffman-Andrew said, the server’s key is only used to sign the key exchange and therefore prevents a man-in-the-middle-attack.
Although Twitter did not mention the United States National Security Agency, some media outlets said the move could be meant to prevent the NSA from collecting data from Twitter’s network.
“If an adversary is currently recording all Twitter users’ encryption traffic, and they later crack or steal Twitter’s private keys, they should not be able to use those keys to decrypt the recorded traffic,” he said.
Parker Higgins, an activist with the digital rights group Electronic Frontier Foundation, said that perfect forward secrecy is becoming a very important Web security method.
“Sites that use perfect forward secrecy can provide better security to users in cases where the encrypted data is being monitored and recorded by a third party,” he wrote in a blog. “That particular threat may have once seemed unlikely, but we now know that the NSA does exactly this kind of long-term storage of at least some encrypted communication as they flow through telecommunications hubs, in a collection effort it calls upstream.”
