If you’re tired of hearing stories about the NSA peeking into your favorite social networks or your email communications, you may welcome the fact that Twitter has officially introduced a new form of security to maintain the privacy of its users. The security is called “perfect forward secrecy” and it promises to pave the way for the next generation of security in digital accounts across the web.
Prior to “perfect forward secrecy”, most web users depended on Secure Sockets Layer (SSL) to maintain privacy when transmitting information and messages over the internet. In this scenario, when you connect to a remote web server using SSL (connecting via HTTPS), your browser and the remote server each have a secret encryption key. Information is encrypted, transmitted, and then decrypted in each direction. Without the key, the message can’t be decrypted.
While this level of security is good, it involves a single security key per web server that you connect to. This doesn’t overcome NSA-style snooping, which involves collecting the encrypted traffic en masse. Without the key, the transmissions are just a garbled mess. However, should anyone get their hands on the “secret key” for your email, for example, all of your past encrypted communications can then be decrypted.
By using perfect forward secrecy, Twitter is generating a new “session key” that is unique to every single Twitter session. This means that even if some snoop is collecting all of your encrypted private Twitter transmissions, it will be much more difficult to decode that information. Why? Because even if someone obtains one of your session keys, they will only be able to use it to decrypt the single session. All prior sessions – each protected with its own unique encryption key – remain indecipherable.
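The difference between one fixed server key and a fresh key per session can be shown with a short simulation. This is an added example, not code from the article or from Twitter: it uses a toy Diffie-Hellman group (the parameters `P` and `G` and all function names are assumptions chosen for illustration, and signing of the exchange is left out) and counts how many recorded sessions can be recomputed once the server's long-term key is disclosed.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption); real TLS uses
# standardized finite-field groups or elliptic curves.
P = 2**255 - 19
G = 2

def keypair():
    """Return (private, public) for one Diffie-Hellman participant."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(own_priv, peer_pub):
    """Derive a session key from the shared Diffie-Hellman secret."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).hexdigest()

def run_sessions(n, server_long_term_priv, ephemeral):
    """Simulate n sessions; return (recorded transcript, real session keys)."""
    transcript, keys = [], []
    for _ in range(n):
        c_priv, c_pub = keypair()          # client key, fresh every session
        if ephemeral:
            s_priv, s_pub = keypair()      # fresh server key, discarded afterwards
        else:
            s_priv = server_long_term_priv # same server key for every session
            s_pub = pow(G, s_priv, P)
        keys.append(session_key(c_priv, s_pub))
        transcript.append((c_pub, s_pub))  # public values visible on the wire
    return transcript, keys

def recover_with_long_term_key(transcript, server_long_term_priv):
    """Session keys computable from recorded traffic plus the long-term key."""
    return [session_key(server_long_term_priv, c_pub) for c_pub, _ in transcript]

def exposed_sessions(ephemeral, n=5):
    """Count recorded sessions exposed by later disclosure of the long-term key."""
    long_term_priv, _ = keypair()
    transcript, keys = run_sessions(n, long_term_priv, ephemeral)
    recovered = recover_with_long_term_key(transcript, long_term_priv)
    return sum(r == k for r, k in zip(recovered, keys))

if __name__ == "__main__":
    print("fixed server key, sessions exposed:", exposed_sessions(False))
    print("per-session keys, sessions exposed:", exposed_sessions(True))
```

With the fixed key every recorded session is exposed; with per-session keys none are, because the private values that produced each session key no longer exist.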
According to the New York Times, the additional layer of security only impacts the performance of the Twitter service by approximately 150 milliseconds. Twitter enabled the new layer of security on October 21, but only announced it in late November after ensuring that the new security would not cause any major issues or bugs for Twitter users.
Source: New York Times