Understanding Twitter’s Security Enhancements

Understanding Twitter’s Security Enhancements

Understanding Twitter’s Security Enhancements

Last week Twitter announced a significant security enhancement – enablement of forward secrecy on twitter.com, api.twitter.com, and mobile.twitter.com domains. The prime objective of this change is to deprive hackers of an important exploitation tool.

Why was this necessary?

In the past 18 months, Twitter, akin to many other social network companies, has come under several cyber attacks by hacking community. Though not publicly acknowledged, some of them may have lead to data breaches as well. attacks-twitter

Also in between a new adversary has emerged in the form of Govt. assisted programs like NSA. It is now widely believed that such programs have collected user data without consent or knowledge of companies.

Quite naturally these social network companies are concerned about the breach of users’ privacy and data. In addition to downtime or data loss the biggest risk from such attacks is loss of reputation and the trust of millions of subscribers. No business can afford to ignore concerns of such a large number of users and hence action was imminent.

How would forward secrecy help

It is a common practice that an adversary would capture the targets network traffic and mine it for crucial information. Plain text (i.e. not encrypted) traffic can be very easily skimmed for passwords and other PIIs. So Twitter and other companies decided to switch to HTTPS which meant that network traffic was travelling in an encrypted form.

But even this was not enough especially when the company used a limited set of secret keys to encrypt the traffic. Once the adversary obtained one or more such secret keys they could de-crypt the whole traffic captured earlier. To circumvent this risk Electronic Frontier Foundation (EFF) recommended the site to implement Forward Secrecy or also known as Perfect Forward Secrecy (PFS).

In forward secrecy the session keys used by servers are truly ephemeral. Twitter implemented it by enabling the EC Diffie-Hellman cipher suite. In this scheme the client and server manage to come up with a shared, random session key without ever sending the key across the network, even under encryption.

Due to this it becomes extremely difficult (though when it comes to security nothing is impossible) to de-crypt previously captured traffic and also does not help in guessing future encryption keys.

Is this all Twitter would have done towards improving security?

The recent announcement will help strengthen user confidence and stop them from exploring other options. The EFF had recommended implementation of additional security features like HTTP Strict Transport Security; secure cookies, encryption of data center links, STARTTLS, and certificate pinning and Twitter is doing good on that front.

Forward secrecy largely affects the traffic in transit, one of the three broad areas where security lapse can occur.

Another set of changes concern end users directly. HTTPS is something that end users might have noticed on their browser. Earlier in May this year twitter introduced improved login verification using two factor authentication.  They also educate users on improved secure practices.

Finally Twitter must have taken measures for better in-house handling of data. Organization security policies and practices, cloud base backup and recovery plans and procedures or physical security come into ambit. This is something that only internal employees might have been informed about.

Does this all make Twitter future safe?

Not really. Security is always a dynamic system. Something that seems secure today may become vulnerable tomorrow. Not so long ago HTTPS alone was considered safe. These steps may be sufficient for now, but surely will get revisited in future.

Twitter thus joins other cloud companies like Facebook, Google and Dropbox in implementing these measures. With all leading cloud companies implementing it, soon this will become the default level of security.

By Manoj Tiwari

About CloudTweaks

Established in 2009, CloudTweaks is recognized as one of the leading authorities in connected technology information and services.

We embrace and instill thought leadership insights, relevant and timely news related stories, unbiased benchmark reporting as well as offer green/cleantech learning and consultive services around the world.

Our vision is to create awareness and to help find innovative ways to connect our planet in a positive eco-friendly manner.

In the meantime, you may connect with CloudTweaks by following and sharing our resources.

View All Articles

Sorry, comments are closed for this post.

Comic
The Annual Compliance & Ethics Institute:  Hot Topics – Cyber Security, Big Data, Privacy Breach Response

The Annual Compliance & Ethics Institute: Hot Topics – Cyber Security, Big Data, Privacy Breach Response

Cyber Security, Big Data, Privacy Breach Response MINNEAPOLIS, Aug. 30, 2016 /PRNewswire-USNewswire/ — Cyber security, social media, modern slavery, anti-corruption, export controls and sanctions, and privacy top the list of “Hot Issues” compliance and ethics professionals face each day. These and many other compliance and ethics concerns will be addressed at the 2016 Compliance & Ethics…

Top 5 Digital Health Trends

Top 5 Digital Health Trends

Digital Health Trends It is very important to keep up with the changing technology. However, it is also just as important to advance the consumer experience, care delivery methods and create opportunities for career development for the healthcare workforce. Five trends that are proven to be effective in winning in the digital age have been…

Technological Advances In The Healthcare Industry

Technological Advances In The Healthcare Industry

The Healthcare Industry The use of smart devices in healthcare is expanding, and according to a report by Technavio the global smart wearable healthcare device and services market will show a compounded annual growth rate of over 18%. Thanks to modern medicine, lifespans are increasing, resulting in aging populations and a higher frequency of chronic…

How Secure Is Your School Campus Network?

How Secure Is Your School Campus Network?

School Networks School related networks are one of the most attacked sectors today, coming in third worldwide to healthcare and retail. Because of the ever growing threat of cybercrime, IT professionals everywhere aren’t thinking in terms of “what if our network gets attacked?” Now, they think in terms of “when will our network be attacked?”…

IBM and VMware Expand Partnership to Enable Easy Hybrid Cloud Adoption

IBM and VMware Expand Partnership to Enable Easy Hybrid Cloud Adoption

IBM and VMware Expand Partnership More than 500 new clients, including Marriott International are now running VMware software on IBM Cloud since the strategic cloud partnership was announced;Introduction of VMware Cloud Foundation on IBM Cloud helps move existing apps to the cloud within hours; More than 4,000 IBM service professionals trained to help organizations extend…

5 Things To Consider About Your Next Enterprise File Sharing Solution

5 Things To Consider About Your Next Enterprise File Sharing Solution

Enterprise File Sharing Solution Businesses have varying file sharing needs. Large, multi-regional businesses need to synchronize folders across a large number of sites, whereas small businesses may only need to support a handful of users in a single site. Construction or advertising firms require sharing and collaboration with very large (several Gigabytes) files. Financial services…

Digital Transformation: Not Just For Large Enterprises Anymore

Digital Transformation: Not Just For Large Enterprises Anymore

Digital Transformation Digital transformation is the acceleration of business activities, processes, and operational models to fully embrace the changes and opportunities of digital technologies. The concept is not new; we’ve been talking about it in one way or another for decades: paperless office, BYOD, user experience, consumerization of IT – all of these were stepping…

The Cloud Is Not Enough! Why Businesses Need Hybrid Solutions

The Cloud Is Not Enough! Why Businesses Need Hybrid Solutions

Why Businesses Need Hybrid Solutions Running a cloud server is no longer the novel trend it once was. Now, the cloud is a necessary data tier that allows employees to access vital company data and maintain productivity from anywhere in the world. But it isn’t a perfect system — security and performance issues can quickly…

Four Keys For Telecoms Competing In A Digital World

Four Keys For Telecoms Competing In A Digital World

Competing in a Digital World Telecoms, otherwise largely known as Communications Service Providers (CSPs), have traditionally made the lion’s share of their revenue from providing pipes and infrastructure. Now CSPs face increased competition, not so much from each other, but with digital service providers (DSPs) like Netflix, Google, Amazon, Facebook, and Apple, all of whom…

The Security Gap: What Is Your Core Strength?

The Security Gap: What Is Your Core Strength?

The Security Gap You’re out of your mind if you think blocking access to file sharing services is filling a security gap. You’re out of your mind if you think making people jump through hoops like Citrix and VPNs to get at content is secure. You’re out of your mind if you think putting your…

Low Cost Cloud Computing Gives Rise To Startups

Low Cost Cloud Computing Gives Rise To Startups

Balancing The Playing Field For Startups According to a Goldman Sachs report, cloud infrastructure and platform spending could reach $43 billion by 2018, which is up $16 billion from last year, representing a growth of around 30% from 2013 said the analyst. This phenomenal growth is laying the foundation for a new breed of startup…

4 Different Types of Attacks – Understanding the “Insider Threat”

4 Different Types of Attacks – Understanding the “Insider Threat”

Understanding the “Insider Threat”  The revelations that last month’s Sony hack was likely caused by a disgruntled former employee have put a renewed spotlight on the insider threat. The insider threat first received attention after Edward Snowden began to release all sorts of confidential information regarding national security. While many called him a hero, what…

Disaster Recovery – A Thing Of The Past!

Disaster Recovery – A Thing Of The Past!

Disaster Recovery  Ok, ok – I understand most of you are saying disaster recovery (DR) is still a critical aspect of running any type of operations. After all – we need to secure our future operations in case of disaster. Sure – that is still the case but things are changing – fast. There are…

Do Small Businesses Need Cloud Storage Service?

Do Small Businesses Need Cloud Storage Service?

Cloud Storage Services Not using cloud storage for your business yet? Cloud storage provides small businesses like yours with several advantages. Start using one now and look forward to the following benefits: Easy back-up of files According to Practicalecommerce, it provides small businesses with a way to back up their documents and files. No need…

5 Predictions For Education Technology

5 Predictions For Education Technology

Education Technology Although technology has fast influenced most sectors of our world, education is an area that’s lagged behind. Many classrooms still employ the one-to-many lecturing model wherein the average student is catered for while a few are left behind, and others bored. Recently, there’s been a drive to uncover how to use technology successfully…

Cloud Infographic: The Future of File Storage

Cloud Infographic: The Future of File Storage

 The Future of File Storage A multi-billion dollar market Data storage has been readily increasing for decades. In 1989, an 8MB Macintosh Portable was top of the range; in 2006, the Dell Inspiron 6400 became available, boasting 160GB; and now, we have the ‘Next Generation’ MacBook Pro with 256GB of storage built in. But, of course,…