Twitter Adds Enhanced Encryption
Experts Weigh In on the Impact of the Move
Twitter's announcement that it is adding "forward secrecy" encryption to its sites should serve as a reminder that organizations need to continually reassess the risks they face, experts say.
With forward secrecy, an adversary who records Twitter users' encrypted traffic and later cracks or steals Twitter's private keys should not be able to use those keys to decrypt the recorded traffic, the company explains in its blog post. The session keys are negotiated with a fresh, ephemeral Diffie-Hellman exchange and discarded afterwards; the long-term key only authenticates that exchange, so it is of no use for decrypting past sessions.
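To make that mechanism concrete, the following Python is an added example written for this page, not code from Twitter's post or its TLS stack. It runs two Diffie-Hellman handshakes over the same group: a static one, where the server's long-term key is its DH exponent, and an ephemeral (DHE) one, where the server uses a fresh exponent per session and only signs it with its long-term key. A passive recorder stores both transcripts, then later obtains each server's long-term key. All names are hypothetical; the signature is stood in for by an HMAC tag, the record-layer cipher by a SHA-256 keystream, and the 1024-bit RFC 2409 group is used for brevity only (real deployments use larger groups or ECDHE).

```python
"""Static DH (no forward secrecy) versus ephemeral DH (forward secrecy).

Added demonstration, not Twitter's code. Hypothetical names throughout.
The "signature" is an HMAC tag standing in for an RSA/ECDSA signature and
the "cipher" is a SHA-256 keystream standing in for AES-GCM. Not a TLS
implementation; it only shows what a stolen long-term key lets a recorder do.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP group 2 from RFC 2409, generator 2. Demo-sized; real
# deployments use 2048-bit or larger groups, or elliptic-curve (ECDHE) groups.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PRIME_BYTES = (P.bit_length() + 7) // 8


def _int_bytes(n: int) -> bytes:
    return n.to_bytes(PRIME_BYTES, "big")


def _random_exponent() -> int:
    return secrets.randbelow(P - 3) + 2  # uniform in [2, P-2]


def derive_session_key(shared_secret: int) -> bytes:
    """Hash the DH shared secret into a 32-byte session key (stand-in for the TLS PRF)."""
    return hashlib.sha256(b"demo-session-key" + _int_bytes(shared_secret)).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with SHA-256(key || counter) blocks. Demo only."""
    stream = b"".join(
        hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        for ctr in range(len(data) // 32 + 1)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def sign_share(signing_key: bytes, share: int) -> bytes:
    """HMAC tag standing in for the server's certificate-backed signature."""
    return hmac.new(signing_key, _int_bytes(share), hashlib.sha256).digest()


def static_dh_session(server_static_priv: int, plaintext: bytes) -> dict:
    """Server's long-term key IS its DH exponent, reused for every session.
    Returns only what a passive recorder on the wire would capture."""
    server_pub = pow(G, server_static_priv, P)  # published once, e.g. in the certificate
    client_priv = _random_exponent()
    client_pub = pow(G, client_priv, P)
    client_key = derive_session_key(pow(server_pub, client_priv, P))
    server_key = derive_session_key(pow(client_pub, server_static_priv, P))
    assert client_key == server_key  # both sides agree on the session key
    return {"client_pub": client_pub, "ciphertext": stream_xor(client_key, plaintext)}


def ephemeral_dh_session(server_signing_key: bytes, plaintext: bytes) -> dict:
    """DHE: fresh server exponent per session; the long-term key only signs the share."""
    server_eph_priv = _random_exponent()
    server_eph_pub = pow(G, server_eph_priv, P)
    signature = sign_share(server_signing_key, server_eph_pub)
    # In TLS the client checks the signature against the certificate's public key;
    # with the HMAC stand-in we simply recompute the tag here.
    assert hmac.compare_digest(signature, sign_share(server_signing_key, server_eph_pub))
    client_priv = _random_exponent()
    client_pub = pow(G, client_priv, P)
    client_key = derive_session_key(pow(server_eph_pub, client_priv, P))
    server_key = derive_session_key(pow(client_pub, server_eph_priv, P))
    assert client_key == server_key
    del server_eph_priv, client_priv  # ephemeral exponents are discarded after the handshake
    return {
        "server_eph_pub": server_eph_pub,
        "signature": signature,
        "client_pub": client_pub,
        "ciphertext": stream_xor(client_key, plaintext),
    }


def decrypt_with_stolen_key(transcript: dict, stolen_long_term_key: int) -> bytes:
    """The recorder's only move: treat the stolen long-term key as the server's DH
    exponent and raise the client's recorded share to it."""
    shared = pow(transcript["client_pub"], stolen_long_term_key, P)
    return stream_xor(derive_session_key(shared), transcript["ciphertext"])


def demo() -> dict:
    secret = b"DM: meet at the usual place"        # constructed sample plaintext
    static_priv = _random_exponent()               # long-term key of the static-DH server
    signing_key = secrets.token_bytes(32)          # long-term key of the DHE server
    static_rec = static_dh_session(static_priv, secret)
    dhe_rec = ephemeral_dh_session(signing_key, secret)
    # Time passes; the recorder now steals both servers' long-term keys.
    return {
        "static_recovered": decrypt_with_stolen_key(static_rec, static_priv) == secret,
        "dhe_recovered": decrypt_with_stolen_key(
            dhe_rec, int.from_bytes(signing_key, "big")) == secret,
    }


if __name__ == "__main__":
    print(demo())  # {'static_recovered': True, 'dhe_recovered': False}
```

The static session decrypts because the recorder now holds the very exponent that protected it; the DHE session does not, since the transcript contains only g^e and g^c and both exponents were deleted after the handshake. Forward secrecy protects the past, not the future: a stolen signing key still lets an attacker impersonate the server in new handshakes, so key rotation and revocation still matter, and nothing here protects against a server that logs its own session keys.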
"Forward secrecy is just the latest way in which Twitter is trying to defend and protect the user's voice," the company says.
Analyzing Security Enhancement
The news that Twitter is enhancing its security shows the company is taking appropriate steps to handle the cyberthreats it continually faces, experts say.
"In general, the concept and practice of forward secrecy encryption will indeed better protect information sent via Twitter in the manner described on their posting," says Scot Ganow, a privacy and security attorney at Faruki Ireland & Cox.
"However, such encryption is only as good as the administrators of the systems supporting it and only as one of many layers of security to safeguard information," he adds.
The timing is significant, given the recent disclosures that the National Security Agency is monitoring the private information of Internet users, says Hoyt Kesterson, senior security architect at Terra Verde Services, a risk management services and solutions provider [see: How Did Snowden Breach NSA Systems?].
"Everyone's become aware that the NSA is recording everything, keeping everything and trying to break in," Kesterson says. "Now people are saying, 'How do I know they won't get in anyway?'"
The enhanced security shouldn't have much of an impact on Twitter users' normal, day-to-day use, Ganow says, as long as users are connecting from a system or network that supports the new ciphers.
The announcement that Twitter is beefing up security could also be seen as a response to recent breaches, Ganow says.
"As the company acknowledges in its posting, their need for security enhancement has evolved over the years, directly in line with the popularity of their services and the number of people using it as a preferred and alternative communication tool to other methods, such as phone calls, e-mail and texting," Ganow says.
"I would think this evolution also is in response to well-publicized hacking of accounts and credentials to post false tweets, such as those about the White House and president earlier this year," he says [see: Social Media Needs 2-Factor Authentication].
In its blog, Twitter encourages online providers to take a layered security approach across their services and platforms.
"If you are a webmaster, we encourage you to implement HTTPS for your site and make it the default," the blog says. "If you already offer HTTPS, ensure your implementation is hardened with HTTP Strict Transport Security, secure cookies, certificate pinning and forward secrecy."
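One way to check a site against that list, as an added example written for this page and not code from Twitter or the article: the Python below parses a raw HTTPS response, verifies the Strict-Transport-Security header and the flags on every Set-Cookie, and classifies the negotiated cipher suite (in the `(name, protocol, bits)` shape Python's `ssl` module reports) by whether its key exchange is forward secret. The sample responses and thresholds are constructed for the demonstration; certificate pinning is not checked, since it is enforced on the client side rather than in a response header.

```python
"""Audit an HTTPS response for HSTS, secure cookies and forward secrecy.

Added example, not Twitter's code. The two sample responses below are
constructed; the cipher tuples mirror what ssl.SSLSocket.cipher() returns.
"""
from email.parser import Parser

# Constructed threshold for this demo: six months. Browser preload lists
# require at least one year.
HSTS_MIN_AGE = 180 * 24 * 3600


def parse_response(raw: str):
    """Split a raw HTTP response into its status line and an RFC 822-style header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    return status_line, Parser().parsestr(header_block + "\r\n", headersonly=True)


def hsts_problems(headers) -> list:
    """HSTS must be present, long-lived and cover subdomains, or an attacker on the
    network can downgrade the first request (or a subdomain) to plain HTTP."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS max-age missing or not an integer"]
    problems = []
    if max_age < HSTS_MIN_AGE:
        problems.append(f"HSTS max-age {max_age} is below {HSTS_MIN_AGE}")
    if "includesubdomains" not in directives:
        problems.append("HSTS lacks includeSubDomains")
    return problems


def cookie_problems(headers) -> list:
    """Every cookie needs Secure (never sent over plain HTTP) and HttpOnly (not
    readable by injected script)."""
    problems = []
    for cookie in headers.get_all("Set-Cookie") or []:
        attrs = [p.strip() for p in cookie.split(";")]
        name = attrs[0].partition("=")[0]
        flags = {a.partition("=")[0].lower() for a in attrs[1:]}
        if "secure" not in flags:
            problems.append(f"cookie {name} lacks Secure")
        if "httponly" not in flags:
            problems.append(f"cookie {name} lacks HttpOnly")
    return problems


def key_exchange_is_forward_secret(cipher_name: str, protocol: str) -> bool:
    """TLS 1.3 suites always use an ephemeral (EC)DHE exchange. In TLS 1.2 and
    earlier only ECDHE-*, DHE-* (OpenSSL alias EDH-*) suites do; RSA key
    transport suites such as AES128-SHA let a stolen server key decrypt
    recorded sessions."""
    if protocol == "TLSv1.3":
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-", "EDH-"))


def audit(raw_response: str, negotiated_cipher) -> list:
    """Return a list of findings; an empty list means all three checks passed."""
    _status, headers = parse_response(raw_response)
    problems = hsts_problems(headers) + cookie_problems(headers)
    name, protocol, _bits = negotiated_cipher
    if not key_exchange_is_forward_secret(name, protocol):
        problems.append(f"{name} ({protocol}) has no forward secrecy")
    return problems


# Constructed sample: HTTPS offered, but nothing hardened.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n<html>...</html>"
)
WEAK_CIPHER = ("AES128-SHA", "TLSv1.2", 128)  # RSA key transport

# Constructed sample: the same site after applying the recommendations.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n<html>...</html>"
)
HARDENED_CIPHER = ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)

if __name__ == "__main__":
    for finding in audit(WEAK_RESPONSE, WEAK_CIPHER):
        print("weak:", finding)
    print("hardened:", audit(HARDENED_RESPONSE, HARDENED_CIPHER) or "no findings")
```

The weak sample produces four findings (no HSTS, a cookie missing Secure and HttpOnly, and a non-forward-secret suite); the hardened one produces none. One caveat on the list quoted above: browser-enforced HTTP Public Key Pinning (HPKP) has since been deprecated and removed from major browsers, so pinning today is a matter for native clients and mobile apps rather than a response header.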
Ganow sees the addition of forward secrecy as just one of many layers needed to safeguard information.
"There is no silver bullet for security, so the effectiveness of 'forward secrecy' will only go so far as, and will be limited by, the skill and diligence of the people implementing the encryption," he says.
"Secondly, it must be implemented alongside other layers of protection, including HTTPS, unique IDs, strong passwords and other methods to safeguard access to information, whether in motion or at rest."