Twitter Steps Up Its SSL Encryption: An Important Move for the Web

NEWS ANALYSIS: Twitter's use of Forward Secrecy should be a wake-up call for all Website admins that the time has come to push the ball forward on Web security.


Twitter is now deploying a robust form of security, known as Forward Secrecy for Secure Sockets Layer (SSL) encryption, in a bid to further secure its users. Forward Secrecy is not a new idea, though its widespread implementation has been lacking.

SSL technology is the foundation for most Web security, providing encryption for data transport. Every time you visit a banking Website and get that little padlock in the corner of your Web browser window, you're using SSL. Properly implementing SSL is a challenge for many organizations as it involves multiple configuration steps that aren't always performed properly, if at all.

The way SSL typically works is that there is a private encryption key that resides on the server. If that key is cracked by an attacker, or an overzealous three-letter agency of the U.S. government, there is the possibility that all the encrypted traffic on the server could be intercepted and decrypted. Forward Secrecy for SSL offers the promise of resiliency for the encryption, even if the server's private key at some point becomes compromised.

"When an encrypted connection uses perfect forward secrecy, that means that the session keys the server generates are truly ephemeral, and even somebody with access to the secret key can't later derive the relevant session key that would allow her to decrypt any particular HTTPS session," the Electronic Frontier Foundation's Parker Higgins, wrote in a recent blog post. "So intercepted encrypted data is protected from prying eyes long into the future, even if the Website's secret key is later compromised."

The mechanics involved in Forward Secrecy are complex and were first described in a 1992 paper authored by cryptography legend Whit Diffie. The computational complexity and overhead that Forward Secrecy introduces have meant that it has not been part of the normal operations for SSL, until now.

With the recent disclosures about National Security Agency (NSA) snooping, combined with the increased computational power of modern silicon, the time for wide deployment of Forward Secrecy is now here.

Twitter is still in the minority, as most sites don't yet properly implement Forward Secrecy. According to the most recent SSL Pulse statistics, 54 percent of SSL sites do not currently support Forward Secrecy at all. Only 0.6 percent fully implement a robust Forward Secrecy regimen, while the remainder have incremental capabilities for Forward Secrecy.

While Forward Secrecy might involve a performance cost on older hardware, it can be implemented without software cost using open-source Web server technology. Noted SSL expert Ivan Ristic of security vendor Qualys, wrote an article this past summer about how to configure the open-source Apache and Nginx Web servers for Forward Secrecy.

The use of Forward Secrecy is a major step forward for the security and privacy of the Internet, making it significantly less likely that communications and data can be intercepted and decrypted by unauthorized parties. Twitter's public announcement that is it using Forward Secrecy is hopefully a wakeup call for Website administrators everywhere that the time has come to push the ball forward on Web security.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.