Twitter Implements Forward Secrecy; Says It 'Should Be The New Normal'
from the protecting-your-privacy dept
There's been a lot of talk recently about getting more web companies to look at using forward secrecy to make HTTPS connections even more secure. That link from Parker Higgins at EFF explains the basics. It appears that folks at Twitter were paying attention, as they've now announced how they've implemented forward secrecy to better protect privacy. In practical terms, this means that if someone (hello NSA peoples!) is recording all encrypted traffic today, and then are later able to crack or steal Twitter's private encryption keys, they shouldn't be able to go back and decrypt the stored data. That's as opposed to the way many now implement security, in which if the key gets out, it's basically game over for privacy on previously encrypted files.The Twitter blog post on this actually goes into a fairly detailed discussion about the technology choices they made, and the trade-offs involved. It's pretty clear this wasn't just written by a PR person. That said, security researcher Nicholas Weaver notes some potential issues with Twitter's transport encryption choices, noting that there are some indications that RC4 is no longer secure, even when used in TLS. Hopefully further changes can make it even more secure.
That said, the Twitter blog post makes a key point towards the end, about how greater and greater security, especially against the ability of an entity like the NSA, needs to be "the new normal."
At the end of the day, we are writing this not just to discuss an interesting piece of technology, but to present what we believe should be the new normal for web service owners. A year and a half ago, Twitter was first served completely over HTTPS. Since then, it has become clearer and clearer how important that step was to protecting our users’ privacy.
If you are a webmaster, we encourage you to implement HTTPS for your site and make it the default. If you already offer HTTPS, ensure your implementation is hardened with HTTP Strict Transport Security, secure cookies, certificate pinning, and Forward Secrecy. The security gains have never been more important to implement.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: encryption, forward secrecy, https, privacy, rc4, security, tls
Companies: twitter
Reader Comments
Subscribe: RSS
View by: Time | Thread
Here's the payload: "secure cookies, certificate pinning"
And a communication service in which presumably one wants the messages widely read is contrary to encryption! To me: sense no makes.
Cerf - who is Google's chief internet preacher - added: "Privacy may be an anomaly."
http://www.theregister.co.uk/2013/11/20/vint_cerf_privacy_may_be_an_anomaly_online/
11:54:17 [m-917-8]
[ link to this | view in chronology ]
Re: Here's the payload: "secure cookies, certificate pinning"
[ link to this | view in chronology ]
Re: Re: Here's the payload: "secure cookies, certificate pinning"
[ link to this | view in chronology ]
Re: Here's the payload: "secure cookies, certificate pinning"
[ link to this | view in chronology ]
Re: Here's the payload: "secure cookies, certificate pinning"
You have to work extra hard to so totally misunderstand things. I mean, you didn't just misunderstand something, you took it to a new level of blatant wrongness.
[ link to this | view in chronology ]
Re: Here's the payload: "secure cookies, certificate pinning"
The certificate pinning, may or may not be used for tracking by one entity but it reduces the tracking by others meaning instead of everyone being able to track you only that one entity you contacted will be able to do it.
So please enlighten us all, how is this bad at all? I be surprised if you actually can backup your big mouth there.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
2%
[ link to this | view in chronology ]
to prevent passive wiretapping
Although writers publish everything, the encryption protects the readers against wiretapping by 3rd parties. This forces them to use active MitM attacks. See http://www.snowdenandthefuture.info/ why reading anonymous is important.
Only twitter learns what readers are interested in. To protect against that, readers need to read without all cookies, supercookies, Etag-headers, caching headers and guard all other browser fingerprinting attacks. Or use Tor.
Still an improvement.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]