Twitter has implemented perfect forward secrecy on traffic to its website, in order to prevent communications from easily being captured and decrypted en masse. The new measure is one that clearly takes aim at the bulk data collection being done by the NSA.
While Twitter didn’t mention the NSA or other government agencies directly, it’s clear that the move was made as a direct response to the revelations that the NSA has been leeching data in bulk for years. Twitter isn’t alone with this endeavor, as Google implemented such a feature last year. For most firms, including Google, Yahoo, Twitter, Facebook, and Microsoft, it’s one thing to comply with a court order for data; it’s another thing entirely to find that the government has been harvesting it for years without your knowledge.
“Under traditional HTTPS, the client chooses a random session key, encrypts it using the server’s public key, and sends it over the network. Someone in possession of the server’s private key and some recorded traffic can decrypt the session key and use that to decrypt the entire session,” Twitter explained in a blog post.
With perfect forward secrecy, anyone who has recorded the encrypted traffic is prevented from easily decrypting it, even if they later obtain the server's private key. This is because each new communication session is protected by its own freshly generated key, so there is no single master key that can decrypt all of the recorded sessions.
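The contrast the paragraph draws, as an added toy model in Python (not code from Twitter's or the EFF's material): a handshake in which the server reuses its long-term private key for every session, beside a DHE handshake that draws a fresh server exponent per session. The group parameters are constructed for illustration and are far too small for real use; `recover_with_long_term_key` models what a recorder who later obtains the long-term key can compute.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only: a 127-bit
# Mersenne prime and a small generator. Real deployments use a standardized
# group (RFC 3526 / RFC 7919) or elliptic-curve DH (ECDHE), never this.
P = 2**127 - 1
G = 3


def rand_exponent() -> int:
    return secrets.randbelow(P - 2) + 1


def derive_key(shared_secret: int) -> bytes:
    """Session key = SHA-256 of the DH shared secret (stand-in for a real KDF)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def static_session(server_priv: int) -> tuple:
    """Handshake without forward secrecy: the server reuses its long-term
    private key every time. Returns (client_key, server_key, transcript),
    where transcript is what a passive recorder on the wire can capture."""
    server_pub = pow(G, server_priv, P)
    client_priv = rand_exponent()
    client_pub = pow(G, client_priv, P)
    client_key = derive_key(pow(server_pub, client_priv, P))
    server_key = derive_key(pow(client_pub, server_priv, P))
    return client_key, server_key, {"client_pub": client_pub}


def ephemeral_session(server_priv: int) -> tuple:
    """Forward-secret handshake (DHE): the server draws a fresh exponent for
    this session only and discards it afterwards. In TLS the long-term key
    would sign server_eph_pub so the client can authenticate it; that
    signature is omitted here because it does not affect key derivation."""
    server_eph_priv = rand_exponent()
    server_eph_pub = pow(G, server_eph_priv, P)
    client_priv = rand_exponent()
    client_pub = pow(G, client_priv, P)
    client_key = derive_key(pow(server_eph_pub, client_priv, P))
    server_key = derive_key(pow(client_pub, server_eph_priv, P))
    del server_eph_priv  # the property depends on this never being stored
    return client_key, server_key, {"client_pub": client_pub,
                                    "server_eph_pub": server_eph_pub}


def recover_with_long_term_key(server_priv: int, transcript: dict) -> bytes:
    """What recorded traffic plus the server's long-term private key yields:
    the attacker combines the captured client value with that key."""
    return derive_key(pow(transcript["client_pub"], server_priv, P))
```

With the static handshake the recovered key equals the session key; with the ephemeral handshake it does not, because the exponent that actually protected the session was never written down.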
“Sites that use perfect forward secrecy can provide better security to users in cases where the encrypted data is being monitored and recorded by a third party. That particular threat may have once seemed unlikely, but we now know that the NSA does exactly this kind of long-term storage of at least some encrypted communications as they flow through telecommunications hubs,” the Electronic Frontier Foundation (EFF) explains in a document on the topic.
The NSA's questionable collection efforts were exposed by Edward Snowden over the summer. Since then, many of the Internet's largest firms have fought to have the full scope of the data collection efforts they're forced to comply with made publicly available. To date, the government still maintains a gag order on full disclosure. So, while it's only a stop-gap, perfect forward secrecy is the next best thing to strengthen the protections around data being harvested with little to no oversight.