
Twitter launches forward secrecy, makes decryption nearly impossible

Twitter already uses HTTPS to provide its customers with security, but on Friday the microblogging company upped its encryption defenses by introducing 'forward secrecy' for its twitter.com, api.twitter.com and mobile.twitter.com services.

But what is forward secrecy and, if it is so important, why doesn't everyone use it?

“Encryption systems that lack forward secrecy have a single secret key that's used over and over again to set up the encryption,” Seth Schoen, senior staff technologist with Electronic Frontier Foundation (EFF), told SCMagazine.com on Monday. “That key is effectively a master key for all of the communications that use it. Anyone who learns it can unscramble all of them, past or future.”

Using Twitter as an example, Schoen said that if someone were to record all encrypted data going in and out of Twitter's servers for years, and then were to discover the secret key, that person would be able to decrypt all of the collected information.

“There are encryption techniques that don't have this property, where there is effectively no single master key, and even the parties to a communication lose the ability to decrypt it after the communication is over,” Schoen said, explaining this is made possible due to a cryptographic key exchange known as Diffie-Hellman. “These techniques are said to have forward secrecy.” 
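The difference Schoen describes can be shown with a small simulation. This is an added example, not code from Twitter or the EFF: it uses a toy Diffie-Hellman group, models the reused "master key" as a static Diffie-Hellman key (an assumption that keeps the example dependency-free), and all function names and sample messages are constructed for illustration.

```python
import hashlib
import secrets

# Toy group chosen for brevity (assumption): far too small for real use.
P = 2**127 - 1  # Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(my_priv, peer_pub):
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_stream(key, data):
    # Toy stream cipher: SHA-256 in counter mode as keystream (illustration only).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def record_session(server_priv, server_pub, message):
    # What a passive recorder keeps from one connection: public value and ciphertext.
    client_priv, client_pub = keypair()
    key = session_key(client_priv, server_pub)
    if key != session_key(server_priv, client_pub):
        raise RuntimeError("key agreement failed")
    return {"client_pub": client_pub, "ciphertext": xor_stream(key, message)}

def run_server(messages, forward_secret):
    long_term_priv, long_term_pub = keypair()
    wire = []
    for msg in messages:
        if forward_secret:
            # Fresh per-connection key; the long-term key would only sign (omitted).
            priv, pub = keypair()
        else:
            priv, pub = long_term_priv, long_term_pub  # same key every time
        wire.append(record_session(priv, pub, msg))
    return long_term_priv, wire

def decrypt_recorded(leaked_long_term_priv, wire):
    # Try to recover plaintext from recorded traffic once the long-term key is known.
    return [xor_stream(session_key(leaked_long_term_priv, s["client_pub"]),
                       s["ciphertext"]) for s in wire]

MESSAGES = [b"constructed sample message one", b"constructed sample message two"]
```

With the reused key, `decrypt_recorded` returns the original messages once the long-term key is known; with per-connection keys it returns only unreadable bytes, because the keys that protected each session no longer exist.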

The HTTPS listed in front of a URL in a web browser indicates that the website communicates with other internet services by using Transport Layer Security (TLS) encryption, Schoen said, explaining that some modes of TLS allow for forward secrecy.

However, not all HTTPS-ready websites have enabled forward secrecy – it has been available for about a decade and has picked up steam in the past few years – because it is very computationally intensive, Schoen said, adding that this means the server has to do more mathematics for each incoming connection.

“Many people have become particularly concerned about forward secrecy on the Internet because of the government's position in the Lavabit case,” Schoen said. “There, the government claims that it can use a search warrant to seize a webmail company's secret encryption keys. If this is so, and the keys were used in a non-forward secret mode, the government could then use the keys to go back and decrypt any encrypted messages that it intercepted on the wire at any time in the past.”

Google became one of the first big internet companies to implement forward secrecy in 2011, and since then several other companies have followed, including Dropbox, Facebook and Tumblr, according to an EFF graph that charts best encryption practices.

Twitter's Jacob Hoffman-Andrews blogged extensively about the initiative, explaining that the microblogging company hopes forward secrecy becomes the new norm for web service owners. A Twitter representative did not respond to an SCMagazine.com request for comment.
