Twitter Boosts Web Encryption with ‘Forward Secrecy’

Twitter on Friday announced that it has added Perfect Forward Secrecy, which adds an extra layer of security to Web encryption to protect user data against prying eyes.

“If an adversary is currently recording all Twitter users’ encrypted traffic, and they later crack or steal Twitter’s private keys, they should not be able to use those keys to decrypt the recorded traffic,” Twitter’s Jacob Hoffman-Andrews wrote in a blog post.

Following leaks from former NSA contractor Edward Snowden on the vast surveillance programs conducted by US spy agencies, Internet firms have been making moves to strengthen security and privacy in order to better protect user data.

Hoffman-Andrews highlighted how the Electronic Frontier Foundation believes forward secrecy is a key component of Web privacy protection:

Under traditional HTTPS, the client chooses a random session key, encrypts it using the server’s public key, and sends it over the network. Someone in possession of the server’s private key and some recorded traffic can decrypt the session key and use that to decrypt the entire session. In order to support forward secrecy, we’ve enabled the EC Diffie-Hellman cipher suites. Under those cipher suites, the client and server manage to come up with a shared, random session key without ever sending the key across the network, even under encryption. The details of this remarkable and counterintuitive key exchange are explained at Wikipedia’s excellent article on Diffie-Hellman key exchange. The server’s private key is only used to sign the key exchange, preventing man-in-the-middle attacks.
There are two main categories of Diffie-Hellman key exchange. Traditional Diffie-Hellman (DHE) depends on the hardness of the Discrete Logarithm Problem and uses significantly more CPU than RSA, the most common key exchange used in SSL. Elliptic Curve Diffie-Hellman (ECDHE) is only a little more expensive than RSA for an equivalent security level. Vincent Bernat (@vince2_) benchmarked ECDHE at a 15% overhead relative to RSA over 2048-bit keys. DHE, by comparison, used 310% more CPU than RSA.
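The contrast Hoffman-Andrews draws, as an added toy model in Python (not Twitter's code or anything from the blog post): with a static server key, a recorder who later obtains that key recomputes every past session secret, whereas with ephemeral DHE the long-term key only signs the shares and the recorded transcript is useless without the discarded exponents. The group parameters and the Schnorr-style signature are constructed for illustration only, not for production use.

```python
"""Toy model (constructed, not production crypto) of why ephemeral
Diffie-Hellman gives forward secrecy while a static server key does not."""
import hashlib
import secrets

P = 2**127 - 1  # toy prime; real deployments use 2048-bit MODP groups or curves
G = 2
Q = P - 1       # exponents are reduced modulo the group order

def h(*parts: int) -> int:
    """Hash integers to an exponent (signature challenge / transcript binding)."""
    data = b"".join(x.to_bytes(16, "big") for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def session_key(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def sign(s: int, msg: int) -> tuple:
    """Schnorr-style signature under the server's long-term secret s."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + h(r, msg) * s) % Q

def verify(y: int, msg: int, sig: tuple) -> bool:
    r, z = sig
    return pow(G, z, P) == r * pow(y, h(r, msg), P) % P

def static_handshake(server_s: int):
    """No forward secrecy: the session secret is derived from the long-term key."""
    c = secrets.randbelow(Q - 1) + 1
    key = session_key(pow(pow(G, server_s, P), c, P))
    return key, {"client_share": pow(G, c, P)}  # what a passive recorder captures

def dhe_handshake(server_s: int):
    """DHE: fresh a and b per session; the long-term key only signs the shares."""
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    ga, gb = pow(G, a, P), pow(G, b, P)
    sig = sign(server_s, h(ga, gb))
    assert verify(pow(G, server_s, P), h(ga, gb), sig)  # client checks the server
    key = session_key(pow(gb, a, P))
    del a, b  # ephemeral secrets are discarded once the session key exists
    return key, {"client_share": ga, "server_share": gb, "sig": sig}

def recover_with_stolen_key(stolen_s: int, transcript: dict) -> bytes:
    """Recorder who later steals the server key: reproduces the static session
    key, but against DHE the stolen key never touched the secret, so this yields
    garbage and recovering g^ab would need a discrete logarithm."""
    return session_key(pow(transcript["client_share"], stolen_s, P))
```

Note that a stolen long-term key still lets an attacker forge signatures for future handshakes; forward secrecy protects recorded past sessions, not sessions set up after the compromise, so key rotation and revocation remain necessary.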

Paige Leidig, a VP at CipherCloud, told SecurityWeek that the move to add Forward Secrecy was certainly a positive, but voiced concern over the security of user data that is stored at rest.

“It’s great to see more cloud providers roll out more security features to protect users,” Leidig said. “While Forward Secrecy and SSL 2048 will enhance security for data in flight, it still leaves data at rest in a vulnerable state. Protecting information in this latter state requires cloud encryption that preserves operations and that hands key management to the customer so that no third party can access the keys or data in clear text without the customer’s cooperation.”


Twitter follows Google and Facebook, which have also added Perfect Forward Secrecy to protect users’ privacy.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
