Twitter Implements Forward Secrecy For Connections

Unknown Lamer posted about a year ago | from the nsa-sad-it-doesn't-know-what-you-ate-five-minutes-ago dept.

Twitter 38

Fnord666 writes with this excerpt from Tech Crunch "Twitter has enabled Perfect Forward Secrecy across its mobile site, website and API feeds in order to protect against future cracking of the service's encryption. The PFS method ensures that, if the encryption key Twitter uses is cracked in the future, all of the past data transported through the network does not become an open book right away. 'If an adversary is currently recording all Twitter users' encrypted traffic, and they later crack or steal Twitter's private keys, they should not be able to use those keys to decrypt the recorded traffic,' says Twitter's Jacob Hoffman-Andrews. 'As the Electronic Frontier Foundation points out, this type of protection is increasingly important on today's Internet.'" Of course, they are also using Elliptic Curve ciphers.

SSL? (1)

BitZtream (692029) | about a year ago | (#45506633)

So they switch to SSL? That's kind of the point of the DH exchange in SSL. Stealing the key later still doesn't get you access to the data since the DH exchange ensures that neither side ever transmits enough information to derive the key.

Re:SSL? (1)

DavidClarkeHR (2769805) | about a year ago | (#45506677)

So they switch to SSL? That's kind of the point of the DH exchange in SSL. Stealing the key later still doesn't get you access to the data since the DH exchange ensures that neither side ever transmits enough information to derive the key.

Because twitter security is important.

... particularly to big companies and brands. Maybe this will help them monetize their service?

Re:SSL? (4, Informative)

thue (121682) | about a year ago | (#45506717)

Perfect Forward Security is optional in SSL - you can run SSL without DH exchange. That is the whole point of the article.

Re:SSL? (1)

BitZtream (692029) | about 10 months ago | (#45510507)

I got the first post, do you seriously think I read the article? Be happy it was at least in the right ballpark topic wise!

Thank God! (0)

Anonymous Coward | about a year ago | (#45506643)

My account was hacked and the hacker made a FOOL out of me!

I would tweet, "I just went to the bathroom."

And the hacker would post, "And took a HUGE #shit".

Can you believe it!

It's a good thing because with all these insightful and important posts on Twitter, the last thing we need are hackers and security agents destroying the value of Twitter! And it also destroys the further value of the Internet!

Re:Thank God! (1)

MRe_nl (306212) | about a year ago | (#45506739)

"I just went to the bathroom".

@JFK
#YOLO #suicide-vest # Allahu Akbar

Re: Thank God! (2)

weazzle (1084967) | about a year ago | (#45506749)

You might say the same of Facebook, Google+ or LinkedIn. But considering the number of services that allow these social behemoths to provide single sign support for their users, they are now some of the most critical services to secure correctly. When I reached I went log in order to post, I was presented with the option to login with Facebook, Google+ or Twitter.

I Don't Understand (0)

Anonymous Coward | about a year ago | (#45506713)

Twitter is completely open to anyone. So, what's the point of encryption? Similarly, what's the point of warrants and subpoenas for account information?

It's all there in the open for anyone to read.

Re:I Don't Understand (1)

amiller2571 (2571883) | about a year ago | (#45506721)

It is not completely open, you can set your tweets to private and only approved people can view them.

Re:I Don't Understand (1)

wiredlogic (135348) | about 10 months ago | (#45508467)

Keep thinking that. This only applies to systems Twitter controls. If you tweet through SMS you're still vulnerable.

Re: I Don't Understand (1)

amiller2571 (2571883) | about 10 months ago | (#45508533)

Well that sucks, but good to know.

Re:I Don't Understand (1)

Sqr(twg) (2126054) | about a year ago | (#45506773)

If the NSA can break the encryption they will be able to recover your login credentials. Then they can send false tweets to your friends saying "Help, I'm in Nigeria and my wallet was stolen. Can you wire me $1000?" or "Vote for Jeb Bush in 2016!"

Re:I Don't Understand (5, Insightful)

cffrost (885375) | about a year ago | (#45506983)

Twitter is completely open to anyone. So, what's the point of encryption?

In my opinion, it's "non-optimal" (at best), to forgo encryption because you deem some traffic of yours to be of low-value. What does that tell your potential adversaries about the nature of the traffic you do encrypt? Regarding the destination, (in this case Twitter), it's unlikely known to many potential adversaries if you're using Tor, I2P, etc., which (along with TLS with PFS) add another layer of defense-in-depth.

Your thinking reminds me of people/businesses that own a shredder, but only use them to shred highly-sensitive documents — it makes the job of reconstructing shredded ("unshredding") documents faster, easier, and more fruitful.

In regard to my own data and traffic, I don't ask, "does this need to be encrypted?" I ask, "can this be encrypted?" The browser plugin "TrackMeNot" helps in a similar manner, by hiding whatever I may actually search for within ~1,440 phony queries per day. I also shred everything my cross-cut shredder will accept, and I pull the ol' Enron trick of mixing in used coffee grounds as an impersonal "fuck you" to any who'd try to unshred my Pennysavers, envelopes, subscription cards, scratched discs, and most importantly, "etc."

Re:I Don't Understand (1)

ozbon (99708) | about a year ago | (#45513405)

As well as coffee grounds, I find that cat-shit makes a very useful "anti-unshredding" device.

Re:I Don't Understand (0)

Anonymous Coward | about a year ago | (#45576443)

My work's office shredder supplies a hamster cage.

Re:I Don't Understand (1)

FatLittleMonkey (1341387) | about 10 months ago | (#45507791)

Social network accounts (twitter/facebook/google/blogger) are used to automate login to other sites. If you don't want anyone other than the giant social network and their monetised advertising networks tracking you across 3rd party sites, you need to lock down the traffic between twitter/etc, you, and the 3rd party sites.

Isn't the data public anyway? (2)

jones_supa (887896) | about a year ago | (#45506719)

In boundaries of my imagination, the user account password is pretty much the only private data that Twitter stores.

Re:Isn't the data public anyway? (1)

Anonymous Coward | about a year ago | (#45506753)

"In boundaries of my imagination, the user account password is pretty much the only private data that Twitter stores."

Twitter messages are public but users can also send private messages.
Source: http://en.wikipedia.org/wiki/Twitter#Privacy_and_security [wikipedia.org]

Also, it's possible to "protect" tweets. The Twitter account will say:
"Only confirmed followers have access to @username's Tweets and complete profile. Click the "Follow" button to send a follow request."
Source: https://support.twitter.com/articles/14016-about-public-and-protected-tweets [twitter.com]

You could've Google'd that. I did. Took me 2 minutes to search and write this reply.

Hey Thanks! (0)

Anonymous Coward | about a year ago | (#45506943)

Hey thanks for spending your time to Google and post the results of research that I don't give enough of a fuck about to ever bother with. It increases my understanding without taxing me with any sort of effort at all. That's just how I like it.

Why don't you Google something important for me this time?

TTFN

Re:Isn't the data public anyway? (0)

Anonymous Coward | about a year ago | (#45506841)

In boundaries of my imagination, the user account password is pretty much the only private data that Twitter stores.

The more data that is encrypted, the less that government agencies can simply slurp up for later analysis. It's not so much about the content, it's the fact that yet another service has made web surfing encrypted.

More encryption (even of "unimportant" bits) means the reduced effectiveness of dragnet tactics. It helps to force governments to go back to targeted surveillance—or at the very least going to the server, which would (hopefully) require some kind of paper trail, a bunch of lawyers, and generally a whole bunch more witnesses.

Re:Isn't the data public anyway? (1)

thue (121682) | about 10 months ago | (#45508715)

If NSA has a complete record of which tweets you read, then the NSA already knows a lot about you.

like tweeting in secret? (0)

Anonymous Coward | about a year ago | (#45506725)

only the persons you prefer can read your twits

Re:like tweeting in secret? (1)

AHuxley (892839) | about a year ago | (#45506771)

It depends on who is working for who and who is funding what.
NGO, color revolution, 'spring' uprisings, human rights stories in select countries are great.
Talking about peace, drone strikes, protests, contractors, press rights, law reform could gain traction in other countries. No Western gov really wants to see that kind of real time interaction form in their countries on web 2.0.
So you do all you can to protect the "freedom" protesters with good crypto in select distant areas but ensure the NSA and GCHQ always have the keys.
If you're protesting a gov selected for a color revolution enjoy top quality encryption.
If you're protesting a gov funding a color revolution: No encryption for you.

Re:like tweeting in secret? (1)

Desler (1608317) | about a year ago | (#45507291)

But isn't the point of Twatter so that you can share with the world that #ijusttookadump?

pointless PR (0)

Anonymous Coward | about a year ago | (#45506727)

why bother when all it takes is an NSA letter for them to do whatever is required of them ? it's not like they have a choice

unless they and their servers/business registration leave USA this is nothing but a PR attempt (much like MS and their outlook.com) , until you stop the NSA and the USA stalker culture this is a worthless gesture and does nothing to "secure" anything

Re:pointless PR (1)

sumdumass (711423) | about a year ago | (#45506783)

Maybe the NSA and US government agencies aren't exactly who the user is afraid of monitoring their accounts. Maybe in areas like Syria where a simple tweet of one faction or the other's troop advancement can mean something more serious than the US government knowing your panties are red today or whatever else you are tweeting. Maybe in Egypt or Iran, it is dangerous for the tweeter too. There are lots of entities you might not want to know what is in your tweets when they are marked private. Some could be good reasons and some less so and the reasons don't have to involve the US at all.

That new Slashdot interface (0)

Anonymous Coward | about a year ago | (#45506757)

That new Slashdot interface is a monstrosity. Also it's slow as fuck. Who needs 2.0 and cloud anyways ? Bring the fun back you insensitive clod !

NSA (0)

Anonymous Coward | about a year ago | (#45506763)

GO FUCK OFF THE PLANET NOW

PFS Determination+ (4, Informative)

cffrost (885375) | about a year ago | (#45507205)

I recommend Calomel SSL Validation [calomel.org] to anyone who's interested in the security of their SSL/TLS connections. It adds a toolbar button, the color of which is determined by a weighted, composite score based on various connection security parameters: Bit-lengths, algos (e.g., AES > RC4), PFS, handshake/protocol, domain matching, etc. Clicking the button displays the complete break-down, including a percentage-score for overall connection security.

There's also a Tools menu dialog that allows one to toggle >=128 bit, >=256 bit, PFS, and/or FIPS connections exclusively, among other security and interface tweaks.

Along the same lines, I also recommend CipherFox [github.com], which has a configurable status-bar display of symmetric/asymmetric algos and their bit-lengths, and the hash function used in a secure connection. CipherFox also allows RC4 to be toggled, which is handy in conjunction with Calomel.

The above are all freeware that appear to be written and published by individuals lacking a nefarious corporate agenda.

Google does the same thing? (2)

Midnight_Falcon (2432802) | about a year ago | (#45507485)

I just checked gmail.com with Calomel SSL Validation (thanks to cffrost's post [slashdot.org]) and it appears gmail uses PFS as well. How come this wasn't news?

Re:Google does the same thing? (1)

lxs (131946) | about a year ago | (#45507609)

What's the value in having perfect forward security on the connection when they mine and share your data anyway?

Re:Google does the same thing? (0)

Anonymous Coward | about 10 months ago | (#45508249)

What's the value in having perfect forward security on the connection when they mine and share your data anyway?

It's a security buzzword that lots of higher echelon folks have been seeing bandied about in the tech press (slashdot headlines, etc), and therefore those folks either (a) think it will somehow make twitter and other services a fundamentally more secure form of communications, or (b) think that it will convince a large number of lower echelon folks to believe (a). Thus allowing the revolution of technology to get past the Snowden revelation phase, back to the throngs of miseducated into false sense of security phase. Which is what the current systems of control depend on. Yes, the foundation of our society seems to be built on technological ignorance of the masses. (The Snowden revelations are to this generation what the Church hearings were to the prior generation. I.e. the public being briefly exposed to the sheer simplicity of the criminal fourth amendment violating dragnets. But the upper echelon folks needn't worry. The spin machines have been hard at work getting the public to think that the core insecurities have somehow been fixed (e.g. this article))

Re:Google does the same thing? (1)

auric_dude (610172) | about 10 months ago | (#45508499)

Does Mozilla Lightbeam https://www.mozilla.org/en-US/lightbeam/ [mozilla.org] throw any light on their and others' data mining efforts?

Re:Google does the same thing? (1)

Ceriel Nosforit (682174) | about 10 months ago | (#45510461)

We agreed to Google doing that when signing up. No one has agreed to share their data with the NSA.

What's the point of encrypting twitter messages? (0)

Anonymous Coward | about a year ago | (#45507523)

Isn't the whole point of Twitter to post nearly meaningless snippets of text that you want everyone to see?

Encryption seems pointless for Twitter so this seems more like a PR move than anything meaningful.

Safe elliptic curves... (2)

KonoWatakushi (910213) | about a year ago | (#45510871)

While the NIST curves are suspect, slow, and problematic in a number of other ways, there are fast and safe [cr.yp.to] elliptic curves.

Re:Safe elliptic curves... (0)

Anonymous Coward | about a year ago | (#45513051)

You don't want to know which one Tor switched to internally just after all this was announced...

Elliptic curve (1)

manu0601 (2221348) | about a year ago | (#45511315)

There are two cipher families that will provide PFS: DHE (Diffie-Hellman Exchange) and ECDHE (Elliptic Curve DHE). Having PFS enabled for all modern browsers is just about the server offering both families with appropriate priorities, so that clients pick a PFS enabled cipher. Qualys SSL server test [ssllabs.com] is a good tool for checking for an appropriate configuration, although it could make clearer that you cannot both have PFS for modern browsers, and protect against BEAST server-side.

Note that the Elliptic Curve used in ECDHE is not the one that was claimed to be compromised by NSA. We have no information suggesting ECDHE is at risk.
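
Added example, not part of any comment in this thread and not Twitter's configuration: a small audit of how server cipher-suite priority decides whether a client ends up with forward secrecy, covering thue's point that the DH exchange is optional in SSL and manu0601's point about offering DHE/ECDHE with appropriate priorities. The function names and the server and client suite lists are constructed for illustration; suite names follow the OpenSSL naming for TLS 1.2 and earlier.

```python
# Added example. Suite names are OpenSSL-style (TLS 1.2 and earlier);
# the server and client lists below are constructed, not captured.

FS_FAMILIES = ("ECDHE", "DHE")

def key_exchange(suite):
    """Key-exchange family encoded in an OpenSSL-style suite name."""
    first = suite.split("-")[0]
    if first == "ECDHE":
        return "ECDHE"
    if first in ("DHE", "EDH"):          # EDH is the older spelling of DHE
        return "DHE"
    if first in ("ECDH", "DH"):
        return "static-DH"               # fixed key from the certificate
    if first in ("ADH", "AECDH"):
        return "anonymous-DH"            # ephemeral but unauthenticated
    if first in ("PSK", "SRP"):
        return "other"
    return "RSA"                         # no prefix (AES128-SHA): RSA key transport

def negotiate(server_pref, client_offer, server_order=True):
    """Pick the suite a handshake would settle on, or None if no overlap."""
    ordered, other = (server_pref, client_offer) if server_order else (client_offer, server_pref)
    return next((s for s in ordered if s in other), None)

def audit(server_pref, clients):
    """Map client name -> (chosen suite, forward secret?)."""
    result = {}
    for name, offer in clients.items():
        suite = negotiate(server_pref, offer)
        fs = suite is not None and key_exchange(suite) in FS_FAMILIES
        result[name] = (suite, fs)
    return result

# Constructed server preference orders: same suites enabled, different priority.
RSA_FIRST = ["AES128-SHA", "RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA"]
PFS_FIRST = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA", "AES128-SHA", "RC4-SHA"]
# Constructed client offers.
CLIENTS = {
    "modern": ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA", "AES128-SHA"],
    "no-ecc": ["DHE-RSA-AES128-SHA", "AES128-SHA", "RC4-SHA"],
    "legacy": ["AES128-SHA", "RC4-SHA"],
}

if __name__ == "__main__":
    for label, pref in (("RSA first", RSA_FIRST), ("PFS first", PFS_FIRST)):
        for client, (suite, fs) in audit(pref, CLIENTS).items():
            print(f"{label:10} {client:8} {str(suite):30} forward secret: {fs}")
```

With the RSA-first order every client, including the one that supports ECDHE, lands on RSA key transport; with the PFS-first order only the client that offers no DHE/ECDHE suite does.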
