Twitter enhanced its security a bit further today by enabling Forward Secrecy for traffic on twitter.com, api.twitter.com and mobile.twitter.com. This makes life harder for anyone who intercepts and records Twitter users' encrypted traffic: even if they later crack or steal Twitter's private keys, they won't be able to decrypt the sessions they captured.
Not so long ago, Twitter also enabled HTTPS (Hypertext Transfer Protocol Secure) for its users. However, Twitter's official blog explains how, in spite of a secured session (HTTPS), an intruder may still be able to read the data: “Under traditional HTTPS, the client chooses a random session key, encrypts it using the server’s public key, and sends it over the network. Someone in possession of the server’s private key and some recorded traffic can decrypt the session key and use that to decrypt the entire session“. So, basically, the confidentiality of every recorded session depends, indefinitely, on how well the company's private key is kept. With Forward Secrecy, also known as Perfect Forward Secrecy (PFS), the client and server instead run an ephemeral Diffie-Hellman exchange in every session: each side generates a fresh, short-lived private value, the server's long-term key is used only to sign its half of the exchange, and, unlike traditional HTTPS, the resulting shared secret is never sent across the network in any form. The ephemeral values are discarded once the handshake completes, so even if a hacker later gets his hands on the company's private key, it can't be used to decrypt previously recorded sessions. One caveat: forward secrecy protects past traffic, not future connections. An attacker who already holds the private key can still actively impersonate the server until the key and certificate are replaced.
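To make the difference concrete, here is a small model of the two handshakes and of what an adversary can do with a recording plus the server's stolen private key. This is an added example written for this page, not Twitter's code or anything from its blog: the RSA key transport and Diffie-Hellman exchange use toy, constructed parameters (a 60-bit RSA modulus and the Mersenne prime 2^127-1 as the DH modulus) that are far too small and not a proper safe-prime group, and `kdf` stands in for the TLS key-derivation step. The attacker function does not prove that Diffie-Hellman is hard to break; it shows that in the ephemeral case the recording simply does not contain anything the stolen key can decrypt.

```python
"""Toy model of RSA key transport vs. ephemeral Diffie-Hellman (forward secrecy)."""
import hashlib
import secrets

# --- constructed toy parameters: illustration only, never use sizes like these ---
RSA_P, RSA_Q, RSA_E = 1_000_000_007, 1_000_000_009, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # server's long-term private exponent

DH_P = 2**127 - 1  # Mersenne prime used as a toy DH modulus (not a safe prime)
DH_G = 3


def kdf(shared_secret: int, label: bytes) -> bytes:
    """Derive a session key from the shared secret (stands in for the TLS PRF)."""
    return hashlib.sha256(label + shared_secret.to_bytes(32, "big")).digest()


def toy_sign(value: int) -> int:
    """Textbook RSA signature over a hash of `value`, using the server's long-term key."""
    digest = int.from_bytes(hashlib.sha256(value.to_bytes(16, "big")).digest(), "big")
    return pow(digest % RSA_N, RSA_D, RSA_N)


def toy_verify(value: int, signature: int) -> bool:
    digest = int.from_bytes(hashlib.sha256(value.to_bytes(16, "big")).digest(), "big")
    return pow(signature, RSA_E, RSA_N) == digest % RSA_N


def rsa_handshake():
    """Traditional HTTPS: client picks the secret and encrypts it to the server's public key.
    Returns (session_key, transcript), where transcript is what a wiretap would record."""
    pre_master = secrets.randbelow(RSA_N - 2) + 1
    encrypted = pow(pre_master, RSA_E, RSA_N)        # crosses the wire
    assert pow(encrypted, RSA_D, RSA_N) == pre_master  # server recovers it with its private key
    transcript = {"mode": "rsa", "encrypted_pre_master": encrypted}
    return kdf(pre_master, b"rsa"), transcript


def dhe_handshake():
    """Ephemeral DH: fresh private exponents per session; only g^a, g^b and a signature cross the wire.
    The long-term RSA key authenticates the server's share but encrypts nothing."""
    a = secrets.randbelow(DH_P - 2) + 1  # server ephemeral, discarded after the handshake
    b = secrets.randbelow(DH_P - 2) + 1  # client ephemeral, likewise
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    signature = toy_sign(A)
    assert toy_verify(A, signature)
    shared = pow(B, a, DH_P)
    assert shared == pow(A, b, DH_P)  # both sides derive the same secret
    transcript = {"mode": "dhe", "A": A, "B": B, "signature": signature}
    return kdf(shared, b"dhe"), transcript


def attacker_recover_key(transcript: dict, stolen_d: int = RSA_D):
    """Adversary holding a recorded handshake and the server's long-term private exponent.
    Returns the session key if the recording lets it be computed, else None."""
    if transcript["mode"] == "rsa":
        pre_master = pow(transcript["encrypted_pre_master"], stolen_d, RSA_N)
        return kdf(pre_master, b"rsa")
    # DHE: the recording holds only g^a, g^b and a signature. The stolen key lets the
    # attacker verify or forge signatures, but neither a nor b was ever transmitted or
    # retained, so there is nothing here for the private key to decrypt.
    return None


if __name__ == "__main__":
    key, rec = rsa_handshake()
    print("RSA transport, key recovered from recording:", attacker_recover_key(rec) == key)
    key, rec = dhe_handshake()
    print("Ephemeral DH, key recovered from recording:", attacker_recover_key(rec) == key)
```

Running it prints `True` for the RSA case and `False` for the ephemeral case. The real-world version of the same point is a cipher suite choice: a server that negotiates `TLS_RSA_*` suites has every recorded session hostage to its private key, while `ECDHE`/`DHE` suites limit a key compromise to active attacks against new connections.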
Twitter is not the first company to do so. Google implemented Perfect Forward Secrecy about two years ago, and reports suggest that Facebook is well along in its plans to do the same. It is no secret anymore that attacks by hackers are not the only reason Twitter enabled PFS; it may also be meant to keep away governments' prying eyes. The move is intended to assure users that their privacy remains the company's top priority. Twitter also provides a detailed description of how and why it uses the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange, whose short-lived per-session keys are what give the property its name. You may read more details about it on Twitter's official blog.
In other news besides security, Twitter also updated its mobile apps (iOS and Android), improving the Search Filters and Direct Messaging features. Besides these updates, it has also been experimenting a lot lately with its web version. In one instance it changed the UI a little for a small set of users, but the change was quickly reverted to the original (current) version.
Photo Credit – Chinen Keiya/Flickr