Twitter said in a blog post that it had enabled ‘forward secrecy’ across all versions of its site in order to make sure huge swathes of data cannot be siphoned off and read, including private direct messages.
“We recently enabled forward secrecy for traffic
on twitter.com, api.twitter.com, and mobile.twitter.com. On top of the
usual confidentiality and integrity properties of HTTPS, forward secrecy
adds a new property,” the firm said.
“If an adversary is currently recording all
Twitter users’ encrypted traffic, and they later crack or steal
Twitter’s private keys, they should not be able to use those keys to
decrypt the recorded traffic.”
It has done this by using a security cipher
called EC Diffie-Hellman. This removes the need for an encryption key to
be sent between a client and a server as this can be intercepted by a
third party and used to unencrypt data.
“The client and server manage to come up with a
shared, random session key without ever sending the key across the
network, even under encryption,” Twitter explained. “The server’s
private key is only used to sign the key exchange, preventing
man-in-the-middle attacks.”
The firm called on other web services to follow
the implementation of forward secrecy as a vital step to protect online
users from criminals and government spies.
“Security is an ever-changing world. Our work on
deploying forward secrecy is just the latest way in which Twitter is
trying to defend and protect the user’s voice in that world,” it said.
Many technology giants are taking action against government spying in the wake of the PRISM scandal, with Yahoo announcing last week that it would encrypt all traffic being sent to and from its network following claims that traffic from its systems had been monitored by spy agencies.
No comments:
Post a Comment