Introduction of ‘perfect forward secrecy’ ensures protection of encrypted data even if another party obtains decryption keys
A post on Twitter’s engineering blog encouraged other sites to ‘defend and protect the users’ voice’ by implementing HTTPS and forward secrecy. Photograph: Marcio Jose Sanchez/AP
Twitter has announced a significant increase in its data security as it moves to protect users from attacks by the “apex predators” of the internet.
An internal team of security engineers have spent several months implementing “perfect forward secrecy”, which adds an extra layer of security to widely used HTTPS encryption deployed by online banking, retailers and, increasingly, consumer web services.
Google, Facebook, Dropbox and Tumblr have all implemented forward secrecy already, and LinkedIn is understood to be introducing it in 2014.
Users may not immediately notice any difference, other than a barely perceptible time lag as they use the service across desktop, mobile and through third party services, but for Twitter the move asserts its credentials as a company fiercely protective of its users’ data.
That data includes not only messages that users choose to publish publicly, but also direct, private messages, protected tweets and data on what users say, who they comment on and who else they read. Collectively, large datasets, such as those of Twitter’s 218 million users, can be analysed to identify connections between people, locations and interests.
Announcing the new implementation, which has been running as a trial since 21 October, a detailed post on Twitter’s engineering blog encouraged other sites to “defend and protect the users’ voice” by implementing HTTPS and forward secrecy.
Documents released by Edward Snowden, a former contractor to the US National Security Agency, have shown that the agency and its affiliates are storing vast amounts of encrypted consumer data so that it can later attempt to decrypt it, either by accessing unencrypted data or by using specific court orders to force data owners to hand over the private SSL keys. But forward secrecy means that data would still be secure, even if the agency obtained the keys to the encrypted data.
First developed in 1992, perfect forward secrecy creates a new, disposable key for each exchange of information, which means the key for every individual session would have to be decrypted to access the data.
Twitter engineer Jacob Hoffman-Andrews said that implementation on Twitter was complex because of its scale, which meant that extra work was done to ensure the process did not slow the site. He wants to encourage smaller sites to introduce forward secrecy and said it could take as little as two weeks to implement. “We are trying to create a new norm for what it means to be a secure website,” he said. “It makes it harder for anyone attempting a large-scale cryptographic attack, but this is not just about the NSA. There’s more than one apex predator on the internet, including terrorists and groups outside of government – anyone well-funded could use the same techniques.”
Fellow engineer Jeff Hodges said Twitter’s policy of asserting its users’ right to privacy marked it out from other services, and that the Snowden revelations had a big impact inside the company. “It was a big surprise, and it inspired a lot of work,” he said. “There’s a gap to be bridged between what developers know to be the correct thing to do next, and that becoming policy at companies so that they invest the time to make it happen. But that process is percolating up.”
Chester Wisniewski, senior security advisor at software security firm Sophos, said that several mainstream consumer sites have moved to improve security of user data in the wake of the Snowden revelations, but doubted that the move was due to consumer demand.
“The people working on the next generation of web standards are considering making encryption of all web traffic the default,” he said. “Most of the movement towards improved security and privacy is long overdue. For a couple of years now, Google redesigned parts of its networks to offer HTTPS encryption for all of its services, and Yahoo! announced it will begin using [the secure protocol] HTTPS everywhere they can from 2014. The public pressure is welcomed by those of us who are concerned about the privacy of the average individual. It is simply unfortunate that it took a leak like this for companies to do the right thing.”