Twitter says it wants others to follow in its footsteps, with measures to prevent snooping
Twitter has introduced its own form of ‘forward secrecy’, in a bid to protect users from so-called man-in-the-middle attacks where encryption is bypassed.
The improvements, which have been tested over the last month, should mean that even where Twitter’s private keys have been compromised, an attacker can not spy on users.
Twitter had already introduced HTTPS by default, but wanted to build on the use of SSL with better encryption methods.
Twitter encryption boost
“In order to support forward secrecy, we’ve enabled the EC Diffie-Hellman cipher suites. Under those cipher suites, the client and server manage to come up with a shared, random session key without ever sending the key across the network, even under encryption,” Twitter said in a blog post.
“The server’s private key is only used to sign the key exchange, preventing man-in-the-middle attacks.”
Twitter said it had opted for the Elliptic Curve Diffie-Hellman cipher suite as it had proven to cause a “negligible” increase in CPU usage, whilst providing greater security. It has used HTTP keepalives and session resumption to ensure most requests do not require a full handshake, thereby improving efficiency.
The micro-blogging company has also implemented TLS session tickets, where an abbreviated handshake is used for the encryption if a session ticket from a recent connection is still in use.
Twitter has deployed a smart key rotation system, involving the use of a string of key generator machines, with a leader generating a new session ticket key every 12 hours and killing old keys after 36 hours. Keys are stored in a RAM-based filesystem, tmpfs , to prevent them being written to long-term storage, making users of those keys more vulnerable if that storage were compromised.
Ticket keys are collected from a key generator machine via SSH, whilst timestamps are added to encryption files so servers know what to decrypt.
“At the end of the day, we are writing this not just to discuss an interesting piece of technology, but to present what we believe should be the new normal for web service owners,” Twitter added.
“If you are a webmaster, we encourage you to implement HTTPS for your site and make it the default. If you already offer HTTPS, ensure your implementation is hardened with HTTP Strict Transport Security, secure cookies, certificate pinning, and forward secrecy. The security gains have never been more important to implement.
“If you don’t run a website, demand that the sites you use implement HTTPS to help protect your privacy, and make sure you are using an up-to-date web browser so you are getting the latest security improvements.”
What do you know about Internet security? Find out with our quiz!