Twitter improves security with eye on stopping snooping
(MoneyWatch) Last Friday, Twitter announced on its blog that it was stepping up its security practices by enabling forward security for traffic on Twitter.
Forward security -- known officially as "perfect forward security" -- is a somewhat arcane principle in the field of data encryption, but it has significant implications for people who rely on encryption for exchanging private information. In simple terms, forward security ensures that any particular session key -- used to unlock encrypted data -- will not be compromised if the long-term key for that account is compromised. That means that if bad guys (or the NSA, perhaps) compromises any single encryption key, only the session associated with that key is lost -- not the entire account.
Says the Twitter blog:
"If an adversary is currently recording all Twitter users' encrypted traffic, and they later crack or steal Twitter's private keys, they should not be able to use those keys to decrypt the recorded traffic."
The Twitter blog does not specify what adversary the site is explicitly defending its data against, though pundits like Tech Crunch agree that the NSA is the most likely organization likely to be caching large volumes of data in hopes of decrypting it later.
Twitter isn't the first online service to move to forward security. Google made a similar change with Gmail last year, for example, and it's a technology endorsed by the Electronic Frontier Foundation. Facebook is expected to follow soon. So while Twitter is clearly on the leading edge of this kind of security enhancement today, it's likely just a matter of time before most essential security services follow suit, making it harder for hackers and intelligence agencies to mine your data.