Twitter adds new security layer to foil online snooping

23 Nov 2013

Twitter has announced that it is toughening traffic encryption on its globally popular one-to-many messaging service to foil online snooping.

Twitter is following the lead of Google and Facebook by adding a layer of security called Perfect Forward Secrecy to protect data that users would like to keep away from prying eyes.

"On top of the usual confidentiality and integrity properties of HTTPS, Forward Secrecy adds a new property," Twitter explained in a blog post yesterday.

"If an adversary is currently recording all Twitter users' encrypted traffic, and they later crack or steal Twitter's private keys, they should not be able to use those keys to decrypt the recorded traffic."

According to the San Francisco-based company, the non-profit Electronic Frontier Foundation was among the online rights champions that advocated this kind of added protection for personal internet traffic.

"We are writing this not just to discuss an interesting piece of technology, but to present what we believe should be the new normal for web service owners," Twitter said of the announcement.

"A year and a half ago, Twitter was first served completely over HTTPS," the company added. "Since then, it has become clearer and clearer how important that step was to protecting our users' privacy."

The online messaging service started scrambling communications in 2011 using traditional HTTPS encryption.

The micro-blogging site's move comes as the latest response from US internet firms following disclosures by former spy agency contractor Edward Snowden about widespread, classified US government surveillance programmes.

Facebook Inc, Google Inc, Microsoft Corp and Yahoo Inc had publicly complained that they were not allowed by the government to disclose data collection efforts. A number of companies had adopted new privacy technologies to better secure user data.

According to Dan Kaminsky, a well-known internet security expert, forward secrecy prevented attackers from exploiting one potential weakness in HTTPS, which was that large quantities of data could be unscrambled if spies were able to steal a single private "key" used to encrypt all the data.

The technique adopted by Twitter repeatedly creates individual keys with the opening of new communications sessions to make it impossible to use a master key to decrypt them, he added.
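
The contrast Kaminsky describes can be shown in a few lines. This is an added sketch, not code from Twitter or the original article: it uses textbook RSA and Diffie-Hellman with toy-sized, constructed parameters, and every function name is an assumption made for illustration.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration and far too small for real use.
DH_P = 2**127 - 1                      # prime modulus for Diffie-Hellman
DH_G = 3
RSA_N = (2**61 - 1) * (2**89 - 1)      # server's long-term RSA modulus
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (2**61 - 2) * (2**89 - 2))   # long-term private key


def kdf(secret: int) -> bytes:
    """Derive a session key from a shared secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def rsa_key_transport():
    """Without forward secrecy: the client encrypts the session secret
    under the server's long-term public key and sends it."""
    secret = secrets.randbelow(RSA_N - 2) + 2
    recorded = pow(secret, RSA_E, RSA_N)   # all an eavesdropper sees
    return recorded, kdf(secret)


def ephemeral_dh():
    """With forward secrecy: both sides make fresh one-time secrets, swap
    only the public halves, and discard the secrets after the session.
    (In TLS the long-term key only signs this exchange.)"""
    a = secrets.randbelow(DH_P - 3) + 2    # client one-time secret
    b = secrets.randbelow(DH_P - 3) + 2    # server one-time secret
    pub_a, pub_b = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    client_key = kdf(pow(pub_b, a, DH_P))
    server_key = kdf(pow(pub_a, b, DH_P))
    assert client_key == server_key
    return (pub_a, pub_b), client_key      # a and b go out of scope here


def key_from_recording(recorded: int, long_term_key: int) -> bytes:
    """What the long-term private key yields from a recorded value."""
    return kdf(pow(recorded, long_term_key, RSA_N))


if __name__ == "__main__":
    recorded, key = rsa_key_transport()
    print("RSA session exposed by long-term key:",
          key_from_recording(recorded, RSA_D) == key)
    (pub_a, _), dh_key = ephemeral_dh()
    print("DH session exposed by long-term key:",
          key_from_recording(pub_a, RSA_D) == dh_key)
```
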