Twitter has enhanced its encryption as tech companies react to disclosures of snooping by the National Security Agency. The company has enabled forward secrecy on its home page, Api.twitter.com and Mobile.twitter.com.
Twitter outlined its forward-secrecy strategy in a Nov. 22 blog post by Jacob Hoffman-Andrews, a security engineer at the company.
Implement HTTPS on Web sites, but strengthen Web security beyond HTTPS as well. Store keys in a RAM-based file system (tmpfs), with no swap partitions configured.
Forward secrecy is a technique that keeps recorded traffic from being decrypted later, adding protection beyond what HTTPS alone provides. Keys are placed in temporary file storage (tmpfs), a RAM-based file system, with no swap partitions configured, so they are never written to disk.
“Under traditional HTTPS, the client chooses a random session key, encrypts it using the server’s public key, and sends it over the network,” Hoffman-Andrews wrote. “Someone in possession of the server’s private key and some recorded traffic can decrypt the session key and use that to decrypt the entire session.”
Forward secrecy relies on EC Diffie-Hellman cipher suites. Cipher suites combine key-exchange, authentication, encryption and message authentication code (MAC) algorithms, and IT staff choose among them to configure a connection secured with the Transport Layer Security (TLS)/Secure Sockets Layer (SSL) protocol.
“Under those cipher suites, the client and server manage to come up with a shared, random session key without ever sending the key across the network, even under encryption,” Hoffman-Andrews said.
By enabling and prioritizing these cipher suites, Web sites should see only a “negligible” increase in CPU usage, Hoffman-Andrews said.
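As an added illustration, not code from the Twitter post or this article, the following Python script audits a server's cipher-suite preference order as printed by `openssl ciphers -v`: it separates forward-secret (ECDHE/DHE) suites from RSA key-transport suites, whose recorded sessions anyone holding the server's private key can later decrypt, and flags any key-transport suite ranked ahead of a forward-secret one. The sample output is constructed, not captured from any real host.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `openssl ciphers -v` output in server preference
# order (not from any real server). Columns: name, protocol, Kx=, Au=, ...
SAMPLE_CIPHERS = """\
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
"""

# Key-exchange values that never send the session key over the wire.
# OpenSSL prints Kx=ECDH / Kx=DH for the ephemeral suites (static variants
# print Kx=ECDH/RSA, Kx=DH/RSA and so are excluded) and Kx=any for TLS 1.3,
# where every suite is ephemeral. Kx=RSA is key transport: the session key
# is encrypted to the server's long-term public key.
FORWARD_SECRET_KX = {"ECDH", "DH", "any"}

_LINE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)")


def parse_ciphers(text: str) -> List[Tuple[str, str]]:
    """Return (suite name, Kx value) pairs from `openssl ciphers -v` output."""
    pairs = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            pairs.append((m.group(1), m.group(3)))
    return pairs


def is_forward_secret(kx: str) -> bool:
    return kx in FORWARD_SECRET_KX


def audit(text: str) -> Dict[str, List[str]]:
    """Classify suites and list key-transport suites that outrank FS ones."""
    suites = parse_ciphers(text)
    ranks = [i for i, (_, kx) in enumerate(suites) if is_forward_secret(kx)]
    first_fs = ranks[0] if ranks else len(suites)
    return {
        "forward_secret": [n for n, kx in suites if is_forward_secret(kx)],
        "key_transport": [n for n, kx in suites if not is_forward_secret(kx)],
        # Server order decides what a capable client gets, so any
        # key-transport suite placed before the first FS suite is a misorder.
        "misordered": [n for i, (n, kx) in enumerate(suites)
                       if not is_forward_secret(kx) and i < first_fs],
    }


if __name__ == "__main__":
    for key, names in audit(SAMPLE_CIPHERS).items():
        print(f"{key}: {names}")
```

Feed it the real output of `openssl ciphers -v '<your ssl_ciphers string>'` to check a production configuration.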
The Electronic Frontier Foundation, a nonprofit that advocates for consumer privacy in the digital world, expressed support for forward secrecy in an Aug. 28 post by Parker Higgins, an activist at the organization.
“It may not be as obvious a step as simply enabling HTTPS, but turning on perfect forward secrecy is an important improvement that protects users,” Higgins wrote. “More sites should enable it, and more users should demand it of the sites they trust with their private data.”
Many tech companies are taking steps to bolster security following the revelations of NSA snooping. On Nov. 18, Yahoo CEO Marissa Mayer announced that the company would encrypt its internal traffic.