Twitter Adds New Layer of Security To Impede Government Surveillance
- Robert Schoon
- Nov 23, 2013 12:53 AM EST
Twitter has upped its security, in the face of revelations about collection of internet traffic by governments. The security change makes Twitter the latest of several internet companies adding the extra layer of encryption to thwart attempts to eavesdrop on its users' communications.
Specifically, the security protocol added to Twitter's encryption scheme is called Perfect Forward Secrecy, and it represents an extra hurdle to decryption that governments and other organizations, which are vacuuming up encrypted communications on the internet, will have to cross in order to read the content of secured messages.
Until recently, most web encryption was done through Transport Layer Security or Secure Sockets Layer (or S.S.L.) encryption protocols. These systems, which you might have seen confirmed by the HTTPS at the beginning of secure web connections, encrypt communications that include sensitive information like passwords and credit card numbers.
And it's a pretty secure system: even if hackers or other snooping organizations collect the encrypted traffic, they have to have an S.S.L. key to unlock that data from its encrypted state. Which means more hacking or spying to uncover those keys, or otherwise brute force attempts at decryption, which require powerful machines and a lot of time. And if the snooping party wants to systematically collect lots of encrypted communications for future decryption, it means mammoth amounts of digital storage, and all of the logistics that running such storage systems requires.
Well, guess what? Since Edward Snowden leaked details about the National Security Agency's various cyber surveillance efforts, we know that the N.S.A. is collecting and storing huge amounts of internet traffic for later decryption. And, thanks to Wired's James Bamford (reporting more than a year before the Snowden leak), we know that the massive storage system exists in Bluffdale, Utah. And, though the N.S.A. has had trouble getting the logistics right to get up and running, we know that the Bluffdale data center is possibly capable of storing a yottabyte of data - or a septillion bytes of data, which is so much that "no one has yet coined a term for the next higher magnitude" according to Bamford.
And the N.S.A. isn't the only government agency vacuuming and storing vast amounts of internet traffic for later decryption - North Korea, Iran, and China are all storing huge amounts of encrypted data in the hopes of being able to unlock it later, according to the New York Times Bits blog.
How does Perfect Forward Secrecy - an added layer of encryption security that Google, Mozilla, Facebook, Yahoo, and others have announced their adoption of - keep these data hoarders from being able to unlock encrypted information if they get that precious S.S.L. key? Perfect Forward Secrecy makes each encrypted web session key unique and temporary. Once the connection is over, the key is disposed of.
This means that, even for organizations that collect huge amounts of encrypted communications and can get access to encryption keys, each individual communication would have to be unlocked by itself to read the contents. The Electronic Frontier Foundation has a great explainer that goes into detail about Perfect Forward Secrecy. Twitter announced on its blog on Friday that it has added the security property to its traffic on Twitter.com, api.twitter.com, and mobile.twitter.com.
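The difference described above can be shown with a short simulation. This is an added example, not code from Twitter or the article; it uses toy-sized numbers and a toy XOR cipher, and every name in it (`rsa_session`, `dhe_session`, `read_recorded`) is hypothetical. It records one session of each kind, then checks what the stored record yields once the server's long-term key leaks.

```python
import hashlib
import secrets

# Toy parameters constructed for this example; far too small for real use.
DH_P, DH_G = 2**127 - 1, 3                      # Diffie-Hellman group
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537
RSA_N = RSA_P * RSA_Q                           # server's long-term public key
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # long-term private key


def xor_cipher(key, data):
    """Toy cipher: XOR up to 32 bytes with SHA-256(key). Encrypts and decrypts."""
    pad = hashlib.sha256(str(key).encode()).digest()
    return bytes(a ^ b for a, b in zip(data, pad))


def rsa_session(msg):
    """No forward secrecy: the session key travels wrapped under the long-term key."""
    session_key = secrets.randbits(128)
    return {"wrapped_key": pow(session_key, RSA_E, RSA_N),
            "ciphertext": xor_cipher(session_key, msg)}


def dhe_session(msg):
    """Forward secrecy: both sides use one-time secrets and discard them."""
    a = secrets.randbelow(DH_P - 2) + 1         # client's ephemeral secret
    b = secrets.randbelow(DH_P - 2) + 1         # server's ephemeral secret
    client_pub, server_pub = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    session_key = pow(server_pub, a, DH_P)      # equals pow(client_pub, b, DH_P)
    # A real server signs server_pub with its long-term key; omitted here.
    return {"client_pub": client_pub, "server_pub": server_pub,
            "ciphertext": xor_cipher(session_key, msg)}


def read_recorded(record, leaked_rsa_d):
    """What stored traffic yields once the long-term private key leaks."""
    if "wrapped_key" in record:
        session_key = pow(record["wrapped_key"], leaked_rsa_d, RSA_N)
        return xor_cipher(session_key, record["ciphertext"])
    # Only public DH values were on the wire; the long-term key unwraps nothing.
    return None


if __name__ == "__main__":
    msg = b"constructed sample message"
    print(read_recorded(rsa_session(msg), RSA_D))
    print(read_recorded(dhe_session(msg), RSA_D))
```

In the first case the stored record gives up its plaintext as soon as the long-term key is known; in the second the record holds only public values, so each session would have to be attacked on its own.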