Twitter has introduced ‘forward secrecy’ for its twitter.com, api.twitter.com and mobile.twitter.com services.
Electronic Frontier Foundation senior staff technologist Seth Schoen explained forward secrecy and why it was not widespread despite its importance.
“Encryption systems that lack forward secrecy have a single secret key that's used over and over again to set up the encryption,” Schoen said.
“That key is effectively a master key for all of the communications that use it. Anyone who learns it can unscramble all of them, past or future.”
Schoen said attackers who found the secret key could decrypt all recorded encrypted data that had gone in and out of Twitter's servers for years.
“There are encryption techniques that don't have this property, where there is effectively no single master key, and even the parties to a communication lose the ability to decrypt it after the communication is over,” Schoen said, explaining that this is made possible by a cryptographic key exchange known as Diffie-Hellman. “These techniques are said to have forward secrecy.”
The HTTPS shown at the front of a URL in a web browser indicates that the website communicates with other internet services using Transport Layer Security (TLS) encryption, Schoen said, explaining that some modes of TLS provide forward secrecy.
However, forward secrecy is highly computationally intensive, which accounts for its lack of adoption over the past decade.
“Many people have become particularly concerned about forward secrecy on the Internet because of the government's position in the Lavabit case,” Schoen said.
“There, the government claims that it can use a search warrant to seize a webmail company's secret encryption keys. If this is so, and the keys were used in a non-forward secret mode, the government could then use the keys to go back and decrypt any encrypted messages that it intercepted on the wire at any time in the past.”
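As an added example, not part of the original article, this Python model contrasts the two situations Schoen describes above: a recorded exchange that used the server's long-term key directly can be unscrambled later by whoever obtains that key, while an exchange that used an ephemeral Diffie-Hellman key cannot, because the key material was discarded. The group parameters, function names and transcript format are constructed for the illustration and are not TLS's own.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (constructed for illustration only; not a
# standard TLS group and far too small to be secure).
P = 2**127 - 1
G = 3

def keygen():
    """Return a (private, public) Diffie-Hellman key pair."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Derive a 256-bit session key from the shared secret g^(ab) mod p."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def handshake(server_long_term, ephemeral):
    """Run one handshake; return the session key and what a wiretap records.
    ephemeral=False reuses the server's long-lived key (the 'master key'
    Schoen describes); ephemeral=True (DHE) uses a fresh key pair that
    exists only for this connection."""
    client_priv, client_pub = keygen()
    if ephemeral:
        server_priv, server_pub = keygen()
    else:
        server_priv, server_pub = server_long_term
    key = session_key(server_priv, client_pub)
    assert key == session_key(client_priv, server_pub)  # both sides agree
    # Only the public values cross the wire; the private exponents are
    # locals that vanish when this function returns.
    return key, {"client_pub": client_pub, "server_pub": server_pub}

def recover_with_seized_key(transcript, server_long_term):
    """Model the risk in the Lavabit scenario: derive a recorded session's
    key from a long-term key obtained later. Returns the key if that
    long-term key was used in the exchange, otherwise None."""
    priv, pub = server_long_term
    if transcript["server_pub"] != pub:
        return None  # an ephemeral key was used and no longer exists
    return session_key(priv, transcript["client_pub"])

def demo():
    """Return (static_session_recovered, dhe_session_recovered)."""
    long_term = keygen()
    static_key, static_tx = handshake(long_term, ephemeral=False)
    dhe_key, dhe_tx = handshake(long_term, ephemeral=True)
    return (recover_with_seized_key(static_tx, long_term) == static_key,
            recover_with_seized_key(dhe_tx, long_term) == dhe_key)
```

Running `demo()` returns `(True, False)`: the static-key session is recoverable from the seized key, the DHE session is not.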
Google became one of the first big internet companies to implement forward secrecy in 2011, and since then several other companies have followed, including Dropbox, Facebook and Tumblr, according to an EFF graph that charts best encryption practices.
Twitter's Jacob Hoffman-Andrews blogged extensively about the initiative, explaining that the microblogging company hopes forward secrecy becomes the new norm for web service owners.
A Twitter representative did not respond to a request for comment.