Twitter has added Perfect Forward Secrecy to its arsenal of tools to keep private user data from falling into the wrong hands. The new protocol is being added to the HTTPS encryption that is already in place on Twitter and many other sites (including most legitimate sites that collect financial data).
Forward secrecy, according to a Twitter blog post, protects data after the fact. “If an adversary is currently recording all Twitter users’ encrypted traffic, and they later crack or steal Twitter’s private keys, they should not be able to use those keys to decrypt the recorded traffic,” wrote Twitter’s Jacob Hoffman-Andrews.
Twitter said that the new encryption technology “caused negligible increase in CPU usage” and should have noticeable impact on performance, at least for Twitter users in the U.S.
Although the blog post didn’t mention the NSA or Edward Snowden, it is increasingly common for Silicon Valley companies to shore up privacy and security in the wake of the alleged NSA spying. Twitter is presenting this move as what it calls “a new normal for web service owners,” calling on all site operators to at least implement HTTPS, if not something even stronger like Perfect Forward Secrecy.
As the Electronic Frontier Foundation pointed out, with HTTPS, if data is being collected, “an eavesdropper who gets the secret key at any time in the future—even years later—can use it to decrypt all of the stored data! That means that the encrypted data, once stored, is only as secure as the secret key, which may be vulnerable to compromised server security or disclosure by the service provider.”
HTTPS refers to the security layer known as Secure Sockets Layer (SSL), which used to be the standard for encryption. It’s still used, but it’s not as secure as forward secrecy because, as the New York Times points out, if a hacker or government got its hands on an SSL key at any point, it could go back and decrypt past communications. Perfect Forward Secrecy does not allow anyone to go back and decrypt communications even if they later get access to the key.
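For site operators who want to check where they stand, the difference shows up in the key-exchange part of each cipher suite name: ephemeral (EC)DHE suites give forward secrecy, while static RSA or static DH suites do not. The following is an added example, not code from Twitter or the EFF; the function names and the `LEGACY` sample list are constructed for illustration.

```python
import ssl

# Key-exchange prefixes that use a fresh (ephemeral) Diffie-Hellman key per
# handshake. "EDH" is OpenSSL's older spelling of DHE.
EPHEMERAL = ("ECDHE", "DHE", "EDH")

def is_forward_secret(suite: str) -> bool:
    """Classify a cipher suite name (OpenSSL or IANA style) by key exchange."""
    name = suite.upper()
    if name.startswith("TLS_") and "_WITH_" not in name:
        # TLS 1.3 suite (e.g. TLS_AES_128_GCM_SHA256): full handshakes always
        # use ephemeral (EC)DHE, so there is no static-RSA variant to flag.
        return True
    if "_WITH_" in name:
        # IANA name, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        kx = name[len("TLS_"):].split("_WITH_")[0].split("_")[0]
    else:
        # OpenSSL name, e.g. ECDHE-RSA-AES128-GCM-SHA256. A name with no
        # key-exchange prefix (AES128-SHA) means static RSA key transport.
        kx = name.split("-")[0]
    # Static ECDH/DH, RSA and plain PSK fall through to False. Anonymous
    # ADH/AECDH suites are flagged too: ephemeral, but unauthenticated.
    return kx in EPHEMERAL

def audit(suites):
    """Return the suites that do NOT provide forward secrecy."""
    return [s for s in suites if not is_forward_secret(s)]

def forward_secret_context() -> ssl.SSLContext:
    """Client context whose TLS 1.2 suites are limited to ECDHE + AEAD."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

def audit_context(ctx: ssl.SSLContext):
    """Audit every suite the given context has enabled."""
    return audit(c["name"] for c in ctx.get_ciphers())

# Constructed sample: a legacy server preference list (not from the article).
LEGACY = ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA",
          "ECDH-RSA-AES128-SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    print("not forward secret:", audit(LEGACY))
    print("hardened context leftovers:", audit_context(forward_secret_context()))
```

Traffic recorded under any suite that `audit` returns can be decrypted later by whoever obtains the server's long-term private key, which is the exposure the EFF quote describes.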
Other web companies, including Google, Facebook and Yahoo, have recently stepped up their security in the aftermath of the NSA revelations.
Of course, encryption can, at best, only protect data that you keep private. Don’t expect any privacy when it comes to your public Tweets now or in the future.