Twitter toughens security against government snooping


Twitter has implemented new technology to stop its users from being spied upon by government agencies, it said. The firm also called upon other technology firms to do likewise.

The microblogging service began encrypting communications using HTTPS in 2011 and said it had now rolled out an additional protection for HTTPS called "forward secrecy". In a blog post, Twitter security engineer Jacob Hoffman-Andrews said that since the move to HTTPS it has "become clearer and clearer how important that step was to protecting our users' privacy". The move is in response to disclosures by former NSA contractor Edward Snowden about the widespread snooping carried out by the US government.

"As part of our continuing effort to keep our users' information as secure as possible, we're happy to announce that we recently enabled forward secrecy for traffic on twitter.com, api.twitter.com, and mobile.twitter.com," said Hoffman-Andrews. "On top of the usual confidentiality and integrity properties of HTTPS, forward secrecy adds a new property. If an adversary is currently recording all Twitter users' encrypted traffic, and they later crack or steal Twitter's private keys, they should not be able to use those keys to decrypt the recorded traffic," he added.

Forward secrecy comes from switching the TLS key exchange to ephemeral Elliptic Curve Diffie-Hellman (ECDHE). With the older RSA key exchange, the client encrypts the session secret to the server's long-term key and sends it over the network, so anyone who records the traffic and later obtains that key can decrypt every recorded session. With ECDHE, the client and server each generate a fresh, throwaway key-exchange value for every connection; the server's long-term key is used only to sign its value, and the session key is computed independently at both ends from the ephemeral secrets. Once the connection closes, those secrets are discarded, and nothing that was sent, and nothing the server still holds, can be used to recover the key. "The client and server manage to come up with a shared, random session key without ever sending the key across the network, even under encryption," said Hoffman-Andrews.

Hoffman-Andrews urged other websites to implement HTTPS and make it the default setting. "If you already offer HTTPS, ensure your implementation is hardened with HTTP Strict Transport Security, secure cookies, certificate pinning, and forward secrecy. The security gains have never been more important to implement." "If you don't run a website, demand that the sites you use implement HTTPS to help protect your privacy, and make sure you are using an up-to-date web browser so you are getting the latest security improvements," he added.
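The exchange described above, as an added example that is not part of the article and not Twitter's code. It uses finite-field Diffie-Hellman over the 2048-bit group from RFC 3526 so that it runs on the Python standard library alone; TLS ECDHE performs the same exchange on an elliptic curve and gives the same forward-secrecy property. The server's signature over its ephemeral value with its certificate key, which is where the long-term key enters a real TLS handshake, is omitted, and every function name here is this example's own.

```python
"""Ephemeral Diffie-Hellman key agreement, the mechanism behind TLS
forward secrecy.  Constructed example for this article, not Twitter's
code.  Finite-field DH over RFC 3526 group 14 is used so that only the
standard library is needed; ECDHE does the same on an elliptic curve."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit safe prime p = 2q + 1, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2                   # order of the subgroup generated by G
LEN = (P.bit_length() + 7) // 8    # 256 bytes per group element


def encode(n):
    """Fixed-width big-endian encoding of a group element."""
    return n.to_bytes(LEN, "big")


def ephemeral_keypair():
    """A fresh secret exponent x and public value g^x mod p for one
    connection.  x exists only in memory for the duration of the handshake."""
    x = secrets.randbelow(Q - 2) + 2          # 2 <= x <= q - 1
    return x, pow(G, x, P)


def is_valid_public_value(y):
    """Peer values must be in range and inside the prime-order subgroup.
    Without this check a peer sending 1 or p-1 forces the shared secret to
    a known value, and an off-subgroup value leaks bits of our exponent."""
    return 2 <= y <= P - 2 and pow(y, Q, P) == 1


def derive_session_key(shared_secret, transcript):
    """HKDF-style extract-then-expand with HMAC-SHA256.  The transcript
    hash is the salt, so the key is bound to the public values that were
    actually exchanged and a tampered handshake yields a different key."""
    prk = hmac.new(transcript, encode(shared_secret), hashlib.sha256).digest()
    return hmac.new(prk, b"session key\x01", hashlib.sha256).digest()


def handshake():
    """One client/server exchange.  Returns the key each side derived and
    the pair of public values that a passive wiretap would record."""
    client_priv, client_pub = ephemeral_keypair()
    server_priv, server_pub = ephemeral_keypair()
    if not (is_valid_public_value(server_pub) and is_valid_public_value(client_pub)):
        raise ValueError("invalid Diffie-Hellman public value")
    wire = (client_pub, server_pub)   # everything visible on the network
    transcript = hashlib.sha256(encode(client_pub) + encode(server_pub)).digest()
    # Each side combines its own secret with the other's public value.
    # g^(xy) is never transmitted; it is computed independently at both ends.
    client_key = derive_session_key(pow(server_pub, client_priv, P), transcript)
    server_key = derive_session_key(pow(client_pub, server_priv, P), transcript)
    # The ephemeral secrets are discarded here.  What remains on the wire
    # (g^x, g^y) plus whatever long-term key the server keeps is not
    # enough to recompute this session key later.
    del client_priv, server_priv
    return client_key, server_key, wire


if __name__ == "__main__":
    k1, k1_server, wire1 = handshake()
    k2, _, _ = handshake()
    print("session key agreed:", k1 == k1_server)
    print("keys differ between connections:", k1 != k2)
    print("wire carries only public values:", [hex(v)[:18] + "..." for v in wire1])
```

The contrast with RSA key transport is the point: there, a recording of the handshake plus the server's private key is sufficient to recover the session key. Here, the recording holds only g^x and g^y, the exponents are gone when the connection ends, and the server's long-term key would only ever have signed g^y, so stealing it later authenticates nothing retroactively and decrypts nothing.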

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.