Twitter enables 'Perfect Forward Secrecy' to protect user data

Perfect forward secrecy. If you've even heard of it, you've probably scratched your head a little bit and wondered, "What's that?"

Well, as it just so happens, Twitter has officially deployed this fancy kind of security. In short, perfect forward secrecy takes the privacy and safety provided by Secure Sockets Layer (SSL) connections and kicks it up a notch, so that someone who later gets hold of the server's secret key has far less ability to read what you've been up to.

In other words, it's a thumb of a nose to government eavesdroppers at the National Security Agency. Twitter didn't explicitly mention that bit in its blog announcement, but it did link to an article from the Electronic Frontier Foundation (EFF) that called out the NSA by name for its "upstream," long-term data storage capabilities.

"Every Web server that uses HTTPS has its own secret key that it uses to encrypt data that it sends to users," wrote EFF activist Parker Higgins. "Specifically, it uses that secret key to generate a new 'session key' that only the server and the browser know. Without that secret key, the traffic travelling back and forth between the user and the server is incomprehensible, to the NSA and to any other eavesdroppers."

"But imagine that some of that incomprehensible data is being recorded anyway—as leaked NSA documents confirm the agency is doing," he continued. "An eavesdropper who gets the secret key at any time in the future—even years later—can use it to decrypt all of the stored data! That means that the encrypted data, once stored, is only as secure as the secret key, which may be vulnerable to compromised server security or disclosure by the service provider."

The fun of perfect forward secrecy is that the aforementioned session keys are generated individually for each web session, rather than being derived from the server's one long-lived secret key. Were someone to acquire one of those session keys, it would only be useful for decrypting that single session of Twitter access. One could still decrypt a tonne of past communications, but it would require access to the corresponding tonne of session keys, not just the one SSL key.
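To make the difference concrete, here is an added example (not code from the article, Twitter or the EFF) that simulates an eavesdropper recording a handshake and later obtaining the server's long-term private key. It uses a constructed toy Diffie-Hellman group (p = 2**127 - 1, generator 3) that is far too small for real use, stands in for the "static key" mode with static Diffie-Hellman rather than RSA key transport, and omits authentication (in real TLS the long-term key still signs the ephemeral values).

```python
import hashlib
import secrets

# Constructed toy group for illustration only: p = 2**127 - 1 (a Mersenne prime),
# generator 3. Real deployments use 2048-bit+ finite-field groups or elliptic curves.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private, public) for a Diffie-Hellman key in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(my_priv, peer_pub):
    """Derive a symmetric session key from the shared Diffie-Hellman secret."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


class Server:
    def __init__(self, forward_secret):
        self.forward_secret = forward_secret
        self.long_term_priv, self.long_term_pub = keypair()

    def handshake(self, client_pub):
        """Return (public value sent to the client, resulting session key)."""
        if self.forward_secret:
            priv, pub = keypair()  # fresh per session, discarded afterwards
        else:
            priv, pub = self.long_term_priv, self.long_term_pub  # reused every session
        return pub, session_key(priv, client_pub)


def record_session(server):
    """Run one handshake; the eavesdropper stores what crosses the wire: both public values."""
    client_priv, client_pub = keypair()
    server_pub, key_server = server.handshake(client_pub)
    key_client = session_key(client_priv, server_pub)
    assert key_client == key_server  # both ends agree on the session key
    return {"client_pub": client_pub, "server_pub": server_pub}, key_client


def attack_with_stolen_key(transcript, stolen_long_term_priv):
    """Years later: the attacker has the server's long-term key and replays the recording."""
    return session_key(stolen_long_term_priv, transcript["client_pub"])


def long_term_key_recovers_session(forward_secret):
    """True if stealing the long-term key is enough to decrypt the recorded session."""
    server = Server(forward_secret)
    transcript, real_key = record_session(server)
    return attack_with_stolen_key(transcript, server.long_term_priv) == real_key
```

`long_term_key_recovers_session(False)` returns True (the stored traffic falls with the key), while `long_term_key_recovers_session(True)` returns False because the ephemeral private value was never written down anywhere the attacker could take it.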

This additional security measure does come with a wee bit of a performance cost, but the brief, 150-millisecond delay for Twitter users in the US doesn't seem to be that tough of a trade-off for those keen on keeping their private data exchanges with Twitter just that — as private as possible.

Twitter officially flipped the switch on perfect forward secrecy on October 21, but elected to wait to officially inform users until it was sure that no bugs or issues manifested themselves as part of the process.