Perfect Forward Secrecy
Credit: HNGN

With reports coming in that the government is spying on the personal and private data of individuals, users have become more conscious about the information they share on social media networks. Twitter has therefore introduced Perfect Forward Secrecy to protect its users' information. Not many people are aware of this concept.

In essence, this is an extra layer of security. The safety and privacy offered by Secure Sockets Layer (SSL) connections is kicked up a notch by Perfect Forward Secrecy, which helps make sure that user activity on Twitter cannot be monitored from outside. In other words, this measure is basically thumbing your nose at the government eavesdroppers of the National Security Agency. Twitter did not say that explicitly in its blog announcement, but it did link to an article from the Electronic Frontier Foundation (EFF) that named the NSA and its data storage capabilities.

According to an EFF activist, every HTTPS server has a secret key; the session key that encrypts a user's data is established using this secret key and is known only to the server and the browser. Without that secret key, the NSA or any other eavesdropper cannot read the traffic travelling back and forth between the server and the user. However, he said, an eavesdropper, the NSA included, can record the encrypted traffic and decrypt the stored data later if it ever gets hold of the secret key. This means the data is safe only as long as the service provider never discloses the secret key and the server is never compromised.

What is different about this new security measure is that an individual session key is generated for each web session. This means that even if a key was acquired by anyone, it would only let them decrypt the data shared in a single Twitter session. Decrypting a large volume of past communications would require the corresponding session key for every one of those sessions, rather than a single SSL key.
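The two designs described above, as an added example that is not part of the article or of Twitter's deployment: a toy Diffie-Hellman group (constructed, far too small for real use) stands in for the key exchange, a static long-term server key stands in for the RSA key transport the EFF describes, and the HMAC key derivation and the omitted signature step are simplifications. The eavesdropper records every handshake and later obtains the server's long-term secret; only the non-PFS sessions fall.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only; far too small for real use.
P = 2**127 - 1
G = 5

def derive_key(shared: int, transcript: bytes) -> bytes:
    """Session key = HMAC(shared secret, recorded handshake messages)."""
    return hmac.new(shared.to_bytes(16, "big"), transcript, hashlib.sha256).digest()

def handshake(server_priv: int, client_priv: int):
    """One handshake: both sides derive the same session key; `wire` is the part an
    eavesdropper can record (the two public values)."""
    server_pub = pow(G, server_priv, P)
    client_pub = pow(G, client_priv, P)
    wire = server_pub.to_bytes(16, "big") + client_pub.to_bytes(16, "big")
    key_server = derive_key(pow(client_pub, server_priv, P), wire)
    key_client = derive_key(pow(server_pub, client_priv, P), wire)
    assert key_server == key_client
    return key_server, wire

def eavesdropper_decrypts(leaked_long_term: int, wire: bytes) -> bytes:
    """Later compromise: the attacker holds the server's long-term secret key and the
    recorded handshake, and rebuilds the session key from them."""
    client_pub = int.from_bytes(wire[16:], "big")
    return derive_key(pow(client_pub, leaked_long_term, P), wire)

def sessions_without_pfs(n: int):
    """The server reuses one long-term secret in every key exchange (as with RSA key transport)."""
    long_term = secrets.randbelow(P - 2) + 1
    return long_term, [handshake(long_term, secrets.randbelow(P - 2) + 1) for _ in range(n)]

def sessions_with_pfs(n: int):
    """The server uses a fresh ephemeral secret per session and discards it; its long-term
    key only authenticates the handshake (signature step omitted in this toy)."""
    long_term = secrets.randbelow(P - 2) + 1
    sessions = [handshake(secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1)
                for _ in range(n)]
    return long_term, sessions

def fraction_recovered(long_term: int, sessions) -> float:
    """Share of recorded sessions the attacker can decrypt with the leaked long-term key."""
    hits = sum(eavesdropper_decrypts(long_term, wire) == key for key, wire in sessions)
    return hits / len(sessions)

if __name__ == "__main__":
    print("without PFS:", fraction_recovered(*sessions_without_pfs(20)))  # 1.0
    print("with PFS:   ", fraction_recovered(*sessions_with_pfs(20)))     # 0.0
```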

Officially, Twitter flipped the switch on perfect forward secrecy on October 21st, but it waited to inform users until it was sure that no bugs were manifesting themselves.