The Lighter Side Of The Cloud – iCloud
The Lighter Side Of The Cloud – PRISM
The Lighter Side Of The Cloud – Thunderstorm
Understanding Twitter’s Security Enhancements

Understanding Twitter’s Security Enhancements

Understanding Twitter’s Security Enhancements

Last week Twitter announced a significant security enhancement – enablement of forward secrecy on twitter.com, api.twitter.com, and mobile.twitter.com domains. The prime objective of this change is to deprive hackers of an important exploitation tool.

Why was this necessary?

In the past 18 months, Twitter, akin to many other social network companies, has come under several cyber attacks by hacking community. Though not publicly acknowledged, some of them may have lead to data breaches as well. attacks-twitter

Also in between a new adversary has emerged in the form of Govt. assisted programs like NSA. It is now widely believed that such programs have collected user data without consent or knowledge of companies.

Quite naturally these social network companies are concerned about the breach of users’ privacy and data. In addition to downtime or data loss the biggest risk from such attacks is loss of reputation and the trust of millions of subscribers. No business can afford to ignore concerns of such a large number of users and hence action was imminent.

How would forward secrecy help

It is a common practice that an adversary would capture the targets network traffic and mine it for crucial information. Plain text (i.e. not encrypted) traffic can be very easily skimmed for passwords and other PIIs. So Twitter and other companies decided to switch to HTTPS which meant that network traffic was travelling in an encrypted form.

But even this was not enough especially when the company used a limited set of secret keys to encrypt the traffic. Once the adversary obtained one or more such secret keys they could de-crypt the whole traffic captured earlier. To circumvent this risk Electronic Frontier Foundation (EFF) recommended the site to implement Forward Secrecy or also known as Perfect Forward Secrecy (PFS).

In forward secrecy the session keys used by servers are truly ephemeral. Twitter implemented it by enabling the EC Diffie-Hellman cipher suite. In this scheme the client and server manage to come up with a shared, random session key without ever sending the key across the network, even under encryption.

Due to this it becomes extremely difficult (though when it comes to security nothing is impossible) to de-crypt previously captured traffic and also does not help in guessing future encryption keys.

Is this all Twitter would have done towards improving security?

The recent announcement will help strengthen user confidence and stop them from exploring other options. The EFF had recommended implementation of additional security features like HTTP Strict Transport Security; secure cookies, encryption of data center links, STARTTLS, and certificate pinning and Twitter is doing good on that front.

Forward secrecy largely affects the traffic in transit, one of the three broad areas where security lapse can occur.

Another set of changes concern end users directly. HTTPS is something that end users might have noticed on their browser. Earlier in May this year twitter introduced improved login verification using two factor authentication.  They also educate users on improved secure practices.

Finally Twitter must have taken measures for better in-house handling of data. Organization security policies and practices, cloud base backup and recovery plans and procedures or physical security come into ambit. This is something that only internal employees might have been informed about.

Does this all make Twitter future safe?

Not really. Security is always a dynamic system. Something that seems secure today may become vulnerable tomorrow. Not so long ago HTTPS alone was considered safe. These steps may be sufficient for now, but surely will get revisited in future.

Twitter thus joins other cloud companies like Facebook, Google and Dropbox in implementing these measures. With all leading cloud companies implementing it, soon this will become the default level of security.

By Manoj Tiwari

Follow Us!

CloudTweaks

Established in 2009, CloudTweaks.com is recognized as one of the leading authorities in cloud computing information. Most of the excellent CloudTweaks articles are provided by our own paid writers, with a small percentage provided by guest authors from around the globe, including CEOs, CIOs, Technology bloggers and Cloud enthusiasts. Our goal is to continue to build a growing community offering the best in-depth articles, interviews, event listings, whitepapers, infographics and much more...
Follow Us!

Sorry, comments are closed for this post.

Popular Archives

5 Considerations You Need To Review Before Investing In Data Analytics

5 Considerations You Need To Review Before Investing In Data Analytics

Review Before Investing In Data Analytics Big data, when handled properly, can lead to big change. Companies in a wide variety of industries are partnering with data analytics companies to increase operational efficiency and make evidence-based business decisions. From Kraft Foods using business intelligence (BI) to cut customer satisfaction analysis time in half, to a…

5 Ways CIOs Can Tackle Cloud Fears

5 Ways CIOs Can Tackle Cloud Fears

5 Ways CIOs Can Tackle Cloud Fears  CIOs are tired of hearing about cloud computing concerns. They’ve spent years reading about how cloud resources are subject to risks, and wonder – what can they do to help people trust the cloud?  The truth is that despite being a hot issue for years, the topic of…

The Cloud Above Our Home

The Cloud Above Our Home

Our Home – Moving All Things Into The Cloud The promise of a smart home had excited the imagination of the movie makers long ago. If you have seen any TV shows in the nineties or before, the interpretation presented itself to us as a computerized personal assistant or a robot housekeeper. It was smart,…

Cloud Infographic – Interesting Big Data Facts

Cloud Infographic – Interesting Big Data Facts

Big Data Facts You Didn’t Know The term Big Data has been buzzing around tech circles for a few years now. So much, in fact, that you’re probably getting sick of hearing about it. Here are some interesting facts you might not know about big data via The Visual Capitalist: Big Data got its start in the…

2014 Future Of Cloud Computing Survey Results

2014 Future Of Cloud Computing Survey Results

Engine Yard Joins North Bridge Venture Partners, Gigaom Research and Industry Collaborators to Unveil 2014 Future of Cloud Computing Survey Results SAN FRANCISCO, CA–(Marketwired – Jun 25, 2014) – Engine Yard, the leading cloud application management platform, today announced its role as a collaborator in releasing the results of the fourth annual Future of Cloud Computing Survey,…

Recent

Cloud Security Hottest Issue At RSA

Cloud Security Hottest Issue At RSA

Cloud Security Hottest Issue The integral integration of cyber security and cloud technology seemed to be the hottest issue at the busy RSA 2015 Conference in San Francisco. Interested parties packed security and cloud service booths for the duration of the conference. Several prominent publications covered the increased importance of securing their private information that’s…

Imperfect Security: The RSA Conference And The Illusion Of Safety

Imperfect Security: The RSA Conference And The Illusion Of Safety

The RSA Conference And The Illusion Of Safety This year’s 2015 RSA Conference is taking place from April 20th to 24th, in San Francisco, California. Here, security leaders from across the vast expanse of tech, politics, and more will gather to discuss the past, present, and future of security. From application security to technology infrastructure,…

The Lighter Side Of The Cloud – Day 5

The Lighter Side Of The Cloud – Day 5

By David Fletcher Are you looking to supercharge your Newsletter, Powerpoint presentation, Social media campaign or Website? Our universally recognized tech related comics can help you. Contact us for information on our commercial licensing rates. About Latest Posts Follow Us!CloudTweaksEstablished in 2009, CloudTweaks.com is recognized as one of the leading authorities in cloud computing information.…

Contact Us

Sending

Technology Sponsors

hp Logo CityCloud-PoweredByOpenstack-Bluesquare_logo_100x100-01
cisco_logo_100x100 vmware citrix100
Site 24x7 200px-KPMG

Established in 2009, CloudTweaks is recognized as one of the leading influencers in cloud computing, big data and internet of things (IoT) information. Our goal is to continue to build our growing information portal, by providing the best in-depth articles, interviews, event listings, whitepapers, infographics and much more.

CloudTweaks Comic Library

Advertising