Twitter on Friday announced that it has added Perfect Forward Secrecy, which adds an extra layer of security to Web encryption to protect user data against prying eyes.
“If an adversary is currently recording all Twitter users’ encrypted traffic, and they later crack or steal Twitter’s private keys, they should not be able to use those keys to decrypt the recorded traffic,” Twitter’s Jacob Hoffman-Andrews wrote in a blog post.
Following leaks from former NSA contractor Edward Snowden on the vast surveillance programs conducted by us spy agencies, Internet firms have been making moves to strengthen security and privacy in order to better protect user data.
Hoffman-Andrews highlighted how the Electronic Frontier Foundation believes Forward secrecy is a key component in Web Privacy protection:
Under traditional HTTPS, the client chooses a random session key, encrypts it using the server’s public key, and sends it over the network. Someone in possession of the server’s private key and some recorded traffic can decrypt the session key and use that to decrypt the entire session. In order to support forward secrecy, we’ve enabled the EC Diffie-Hellman cipher suites. Under those cipher suites, the client and server manage to come up with a shared, random session key without ever sending the key across the network, even under encryption. The details of this remarkable and counterintuitive key exchange are explained at Wikipedia’s excellent article on Diffie-Hellman key exchange. The server’s private key is only used to sign the key exchange, preventing man-in-the-middle attacks.
There are two main categories of Diffie-Hellman key exchange. Traditional Diffie-Hellman (DHE) depends on the hardness of the Discrete Logarithm Problem and uses significantly more CPU than RSA, the most common key exchange used in SSL. Elliptic Curve Diffie-Hellman (ECDHE) is only a little more expensive than RSA for an equivalent security level. Vincent Bernat (@vince2_) benchmarked ECDHE at a 15% overhead relative to RSA over 2048-bit keys. DHE, by comparison, used 310% more CPU than RSA.
Paige Leidig, a VP at CipherCloud, told SecurityWeek that the move to add Forward Secrecy was a certainly a positive, but voiced concerned over the security of user data that is stored at rest.
“It’s great to see more cloud providers roll out more security features to protect users, Leidig said. “While Forward Secrecy and SSL 2048 will enhance security for data in flight, it still leaves data at rest in a vulnerable state. Protecting information in this latter state requires cloud encryption that preserves operations and that hands key management to the customer so that no third party can access the keys or data in clear text without the customer’s cooperation.”
Twitter follows Google and Facebook who have also added Perfect Forward Secrecy to protect users’ privacy.