Twitter Steps Up Its SSL Encryption: An Important Move for the Web
NEWS ANALYSIS: Twitter's use of Forward Secrecy should be a wake-up call for all Website admins that the time has come to push the ball forward on Web security.

Twitter is now deploying a robust form of security, known as Forward Secrecy for Secure Sockets Layer (SSL) encryption, in a bid to further secure its users. Forward Secrecy is not a new idea, though its widespread implementation has been lacking.

SSL technology is the foundation for most Web security, providing encryption for data transport. Every time you visit a banking Website and get that little padlock in the corner of your Web browser window, you're using SSL. Properly implementing SSL is a challenge for many organizations, as it involves multiple configuration steps that aren't always performed properly, if at all.

The way SSL typically works is that there is a private encryption key that resides on the server. If that key is cracked by an attacker, or an overzealous three-letter agency of the U.S. government, there is the possibility that all the encrypted traffic on the server could be intercepted and decrypted. Forward Secrecy for SSL offers the promise of resiliency for the encryption, even if the server's private key at some point becomes compromised.

"When an encrypted connection uses perfect forward secrecy, that means that the session keys the server generates are truly ephemeral, and even somebody with access to the secret key can't later derive the relevant session key that would allow her to decrypt any particular HTTPS session," the Electronic Frontier Foundation's Parker Higgins wrote in a recent blog post. "So intercepted encrypted data is protected from prying eyes long into the future, even if the Website's secret key is later compromised."
The mechanics involved in Forward Secrecy are complex and were first described in a 1992 paper authored by cryptography legend Whit Diffie. The computational complexity and overhead that Forward Secrecy introduces have meant that it has not been part of the normal operations for SSL, until now.
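The difference the article describes, between a server whose long-term key alone protects every session and a server whose long-term key only authenticates a fresh, per-connection key exchange, can be seen in a few lines of finite-field Diffie-Hellman. The following is an added illustration, not code from the article, Twitter or the EFF. It uses the 1024-bit MODP group from RFC 2409 (Oakley group 2) for the arithmetic, and stands in an HMAC keyed with the server's long-term secret for the RSA or ECDSA signature a real TLS server would produce; the long-term key material, the "recorded transcript" dictionaries and the helper names are all constructed here for the example.

```python
"""Why an ephemeral key exchange gives forward secrecy (added example).

Two handshakes are modelled. In the static one, the server's long-term key
IS the key-exchange secret, which is the situation the article describes:
leak the key later and every recorded session opens. In the ephemeral (DHE)
one, the server draws a fresh exponent per connection and uses its long-term
key only to sign the ephemeral value; leaking it later lets an attacker
forge future signatures, but gives no route to old session keys.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime, Oakley group 2 (RFC 2409). Modern servers use larger
# groups or ECDHE; the group size does not change the argument below.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
BYTES = (P.bit_length() + 7) // 8


def gen_keypair():
    """Private exponent in [1, P-2] and the matching public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def session_key(peer_pub, priv):
    """Derive a 32-byte session key from the DH shared secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(BYTES, "big")).digest()


# --- Mode 1: static key exchange (no forward secrecy) ---------------------

def static_handshake(server_priv, server_pub):
    """Server's long-term key doubles as its key-exchange secret."""
    c_priv, c_pub = gen_keypair()
    transcript = {"client_pub": c_pub, "server_pub": server_pub}  # what a wiretap sees
    return session_key(server_pub, c_priv), transcript


def attacker_with_leaked_key_static(transcript, leaked_server_priv):
    """Recorded transcript + key leaked later = session key recovered."""
    return session_key(transcript["client_pub"], leaked_server_priv)


# --- Mode 2: ephemeral key exchange (forward secrecy) ---------------------

def sign(longterm_key, value):
    # Stand-in for an RSA/ECDSA signature over the ephemeral public value.
    return hmac.new(longterm_key, value.to_bytes(BYTES, "big"), "sha256").digest()


def ephemeral_handshake(server_longterm_key):
    """Server draws a fresh exponent per connection and only signs it."""
    c_priv, c_pub = gen_keypair()
    s_priv, s_pub = gen_keypair()                      # fresh for this session
    transcript = {"client_pub": c_pub, "server_pub": s_pub,
                  "sig": sign(server_longterm_key, s_pub)}
    key_client = session_key(s_pub, c_priv)
    key_server = session_key(c_pub, s_priv)
    assert key_client == key_server
    del s_priv, c_priv                                 # never stored anywhere
    return key_client, transcript


def attacker_with_leaked_key_ephemeral(transcript, leaked_longterm_key):
    """The leaked key checks (or forges) the signature, nothing more.

    Returns (signature_verifies, recovered_session_key). The session key
    depends on an exponent that was discarded, so the only route left is the
    discrete logarithm of server_pub, which is what the group size rules out.
    """
    sig_ok = hmac.compare_digest(sign(leaked_longterm_key, transcript["server_pub"]),
                                 transcript["sig"])
    return sig_ok, None


def demo():
    """Run both modes against a later key leak; returns what the attacker got."""
    server_priv, server_pub = gen_keypair()
    real_static, tr_static = static_handshake(server_priv, server_pub)
    longterm = b"constructed-long-term-server-secret"  # constructed value
    real_dhe, tr_dhe = ephemeral_handshake(longterm)
    sig_ok, recovered = attacker_with_leaked_key_ephemeral(tr_dhe, longterm)
    return {
        "static_session_recovered": attacker_with_leaked_key_static(tr_static, server_priv) == real_static,
        "dhe_signature_forgeable": sig_ok,
        "dhe_session_recovered": recovered == real_dhe,
    }


if __name__ == "__main__":
    print(demo())
```

The one-line difference that matters is `del s_priv`: in the ephemeral mode the exponent that determines the session key exists only for the lifetime of the handshake, so there is nothing on disk for a later subpoena or break-in to yield. Running `demo()` shows the static session recovered, the DHE signature forgeable once the long-term key leaks (future connections are at risk, hence the need to rotate it), and the DHE session itself not recovered.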