Newsletters
News & Information for Technology Purchasers NewsFactor Sites:       NewsFactor.com     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
   
This ad will display for the next 20 seconds. Please click for more information, or scroll down to pass the ad, or Close Ad.
Home Enterprise I.T. Cloud Computing Applications Hardware More Topics...
APC Free White Paper
Optimize your network investment &
Enter to win a Samsung Galaxy Note

www.apc.com
Network Security
24/7/365 Network Uptime
Average Rating:
Rate this article:  
Twitter Beefs Up Encryption Against NSA Snooping
Twitter Beefs Up Encryption Against NSA Snooping

By Jennifer LeClaire
November 25, 2013 1:38PM

    Bookmark and Share
PFS largely protects intercepted communications against future encryption key disclosure. For example, the NSA intercepts communications between you and Twitter. It then could go to court and persuade Twitter to disclose its keys. If Twitter complied, the NSA could read the intercepted communications. But forward secrecy prevents the keys from working.
 



Following in the footsteps of Google and Facebook, Twitter is moving to implement "perfect forward secrecy," a cryptographic technique to keep data safe from prying eyes. Twitter announced it has enabled forward secrecy for traffic on Twitter.com, api.twitter.com, and mobile.twitter.com.

On top of the usual confidentiality and integrity properties of HTTPS, perfect forward secrecy adds a new property, according to Twitter's Jacob Hoffman-Andrews. If an adversary is currently recording all Twitter users' encrypted traffic, and they later crack or steal Twitter's private keys, they should not be able to use those keys to decrypt the recorded traffic, he said.

The New Normal

"Under traditional HTTPS, the client chooses a random session key, encrypts it using the server's public key, and sends it over the network," Hoffman-Andrews wrote in a blog post. "Someone in possession of the server's private key and some recorded traffic can decrypt the session key and use that to decrypt the entire session. In order to support forward secrecy, we've enabled the EC Diffie-Hellman cipher suites."

Under those cipher suites, the client and server manage to come up with a shared, random session key without ever sending the key across the network, he explained, even under encryption. Hoffman-Andrews said the details are explained at Wikipedia's article on Diffie-Hellman key exchange. The server's private key is only used to sign the key exchange, preventing man-in-the-middle attacks.

"At the end of the day, we are writing this not just to discuss an interesting piece of technology, but to present what we believe should be the new normal for Web service owners," said Hoffman-Andrews. "A year and a half ago, Twitter was first served completely over HTTPS. Since then, it has become clearer and clearer how important that step was to protecting our users' privacy."

Largely Symbolic Move

We asked Chester Wisniewski, a senior security adviser at Sophos, for his thoughts on Twitter's latest security move. Pointing to when Google began using HTTPS by default, he told us it often takes a bit of time for all the big players to come around and set the new standard for security and privacy online.

"Perfect forward secrecy is another one of these moments. It is great news to see high-profile organizations like Twitter adopt changes that will improve the privacy and security of its users. Will it make a difference? Probably not, but it does help establish this as a new baseline that all Web sites should comply with," Wisniewski said.

PFS largely protects intercepted communications against future encryption key disclosure. For example, the NSA intercepts communications between you and Twitter. Before PFS it could go to court and persuade Twitter to disclose its keys. If Twitter were to comply, Wisniewski said, the NSA could read the intercepted communications. PFS prevents that from working. Even if the private keys are intercepted or handed over, he continued, the messages remain protected.

"The reason it might not matter? Who is sending private messages over Twitter? It is a platform designed for blasting out messages, publicly, to anyone willing to listen," he concluded. "It would seem that this move is largely symbolic more than about preventing interception."
 

Tell Us What You Think
Comment:

Name:



APC has an established a reputation for solid products that virtually pay for themselves upon installation. Who has time to spend worrying about system downtime? APC makes it easy for you to focus on business growth instead of business downtime with reliable data center systems and IT solutions. Learn more here.


 Network Security
1.   Google Street View Unravels CAPTCHAs
2.   Teen Arrested for Heartbleed Hack
3.   IBM Adds Disaster Recovery to SoftLayer
4.   How To Beat the Heartbleed Bug
5.   OpenSSL Calls for More Support


advertisement
Don't Reset Passwords for Heartbleed?
Added caution needed to ensure security.
Average Rating:
Teen Arrested for Heartbleed Hack
Data stolen from Canadian tax agency.
Average Rating:
How To Beat the Heartbleed Bug
Big data analytics could be the key.
Average Rating:
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
Google's Street View Software Unravels CAPTCHAs
The latest software Google uses for its Street View cars to read street numbers in images for Google Maps works so well that it also solves CAPTCHAs, those puzzles designed to defeat bots.
 
Canadian Teen Arrested for Heartbleed Hack
One week after the OpenSSL Heartbleed vulnerability was unveiled, Canadian authorities have made the first arrest -- a London, Ontario teenager -- connected to exploiting the security hole.
 
IBM Offers Security, Disaster Recovery as SoftLayer Service
New disaster recovery and security services for SoftLayer clients are being added by IBM. Big Blue said the new capabilities will speed cloud adoption by alleviating concern over business continuity.
 

Enterprise Hardware Spotlight
Vaio Fit 11A Battery Danger Forces Recall by Sony
Using a Sony Vaio Fit 11A laptop? It's time to send it back to Sony. In fact, Sony is encouraging people to stop using the laptop after several reports of its Panasonic battery overheating.
 
Continued Drop in Global PC Shipments Slows
Worldwide shipments of PCs fell during the first three months of the year, but the global slump in PC demand may be easing, with a considerable slowdown from last year's drops.
 
Google Glass Finds a Home in Medical Education, Practice
Google Glass may find its first markets in verticals in which hands-free access to data is a boon. Medicine is among the most prominent of those, as seen in a number of Glass experiments under way.
 

Mobile Technology Spotlight
Google Releases Chrome Remote Desktop App for Android
You're out on a sales call, and use your Android mobile device to grab a file you have back at the office on your desktop. That's a bit easier now with Google's Chrome Remote Desktop app for Android.
 
Amazon 3D Smartphone Pics Leaked
E-commerce giant Amazon is reportedly set to launch a smartphone after years of development. Photos of the phone, which may feature a unique 3D interface, were leaked by tech pub BGR.
 
Zebra Tech Buys Motorola Enterprise for $3.45B
Weeks after Lenovo bought Motorola Mobility’s assets from Google for $2.91 billion, Zebra Technologies is throwing down $3.45 billion for Motorola’s Enterprise business in an all-cash deal.
 

Navigation
NewsFactor Network
Home/Top News | Enterprise I.T. | Cloud Computing | Applications | Hardware | Mobile Tech | Big Data | Communications
World Wide Web | Network Security | Data Storage | Small Business | Microsoft/Windows | Apple/Mac | Linux/Open Source | Personal Tech
Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters | XML/RSS Feed

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.