Understanding Twitter’s Security Enhancements

Understanding Twitter’s Security Enhancements

Understanding Twitter’s Security Enhancements

Last week Twitter announced a significant security enhancement – enablement of forward secrecy on twitter.com, api.twitter.com, and mobile.twitter.com domains. The prime objective of this change is to deprive hackers of an important exploitation tool.

Why was this necessary?

In the past 18 months, Twitter, akin to many other social network companies, has come under several cyber attacks by hacking community. Though not publicly acknowledged, some of them may have lead to data breaches as well. attacks-twitter

Also in between a new adversary has emerged in the form of Govt. assisted programs like NSA. It is now widely believed that such programs have collected user data without consent or knowledge of companies.

Quite naturally these social network companies are concerned about the breach of users’ privacy and data. In addition to downtime or data loss the biggest risk from such attacks is loss of reputation and the trust of millions of subscribers. No business can afford to ignore concerns of such a large number of users and hence action was imminent.

How would forward secrecy help

It is a common practice that an adversary would capture the targets network traffic and mine it for crucial information. Plain text (i.e. not encrypted) traffic can be very easily skimmed for passwords and other PIIs. So Twitter and other companies decided to switch to HTTPS which meant that network traffic was travelling in an encrypted form.

But even this was not enough especially when the company used a limited set of secret keys to encrypt the traffic. Once the adversary obtained one or more such secret keys they could de-crypt the whole traffic captured earlier. To circumvent this risk Electronic Frontier Foundation (EFF) recommended the site to implement Forward Secrecy or also known as Perfect Forward Secrecy (PFS).

In forward secrecy the session keys used by servers are truly ephemeral. Twitter implemented it by enabling the EC Diffie-Hellman cipher suite. In this scheme the client and server manage to come up with a shared, random session key without ever sending the key across the network, even under encryption.

Due to this it becomes extremely difficult (though when it comes to security nothing is impossible) to de-crypt previously captured traffic and also does not help in guessing future encryption keys.

Is this all Twitter would have done towards improving security?

The recent announcement will help strengthen user confidence and stop them from exploring other options. The EFF had recommended implementation of additional security features like HTTP Strict Transport Security; secure cookies, encryption of data center links, STARTTLS, and certificate pinning and Twitter is doing good on that front.

Forward secrecy largely affects the traffic in transit, one of the three broad areas where security lapse can occur.

Another set of changes concern end users directly. HTTPS is something that end users might have noticed on their browser. Earlier in May this year twitter introduced improved login verification using two factor authentication.  They also educate users on improved secure practices.

Finally Twitter must have taken measures for better in-house handling of data. Organization security policies and practices, cloud base backup and recovery plans and procedures or physical security come into ambit. This is something that only internal employees might have been informed about.

Does this all make Twitter future safe?

Not really. Security is always a dynamic system. Something that seems secure today may become vulnerable tomorrow. Not so long ago HTTPS alone was considered safe. These steps may be sufficient for now, but surely will get revisited in future.

Twitter thus joins other cloud companies like Facebook, Google and Dropbox in implementing these measures. With all leading cloud companies implementing it, soon this will become the default level of security.

By Manoj Tiwari

About CloudTweaks

Established in 2009, CloudTweaks is recognized as one of the leading authorities in connected technology information and services.

We embrace and instill thought leadership insights, relevant and timely news related stories, unbiased benchmark reporting as well as offer green/cleantech learning and consultive services around the world.

Our vision is to create awareness and to help find innovative ways to connect our planet in a positive eco-friendly manner.

In the meantime, you may connect with CloudTweaks by following and sharing our resources.

View All Articles

Sorry, comments are closed for this post.

Connecting With Customers In The Cloud

Connecting With Customers In The Cloud

Customers in the Cloud Global enterprises in every industry are increasingly turning to cloud-based innovators like Salesforce, ServiceNow, WorkDay and Aria, to handle critical systems like billing, IT services, HCM and CRM. One need look no further than Salesforce’s and Amazon’s most recent earnings report, to see this indeed is not a passing fad, but…

Staying on Top of Your Infrastructure-as-a-Service Security Responsibilities

Staying on Top of Your Infrastructure-as-a-Service Security Responsibilities

Infrastructure-as-a-Service Security It’s no secret many organizations rely on popular cloud providers like Amazon and Microsoft for access to computing infrastructure. The many perks of cloud services, such as the ability to quickly scale resources without the upfront cost of buying physical servers, have helped build a multibillion-dollar cloud industry that continues to grow each…

5% Of Companies Have Embraced The Digital Innovation Fostered By Cloud Computing

5% Of Companies Have Embraced The Digital Innovation Fostered By Cloud Computing

Embracing The Cloud We love the stories of big complacent industry leaders having their positions sledge hammered by nimble cloud-based competitors. Saleforce.com chews up Oracle’s CRM business. Airbnb has a bigger market cap than Marriott. Amazon crushes Walmart (and pretty much every other retailer). We say: “How could they have not seen this coming?” But, more…

How To Overcome Data Insecurity In The Cloud

How To Overcome Data Insecurity In The Cloud

Data Insecurity In The Cloud Today’s escalating attacks, vulnerabilities, breaches, and losses have cut deeply across organizations and captured the attention of, regulators, investors and most importantly customers. In many cases such incidents have completely eroded customer trust in a company, its services and its employees. The challenge of ensuring data security is far more…

Data Breaches: Incident Response Planning – Part 1

Data Breaches: Incident Response Planning – Part 1

Incident Response Planning – Part 1 The topic of cybersecurity has become part of the boardroom agendas in the last couple of years, and not surprisingly — these days, it’s almost impossible to read news headlines without noticing yet another story about a data breach. As cybersecurity shifts from being a strictly IT issue to…

The Cloud Is Not Enough! Why Businesses Need Hybrid Solutions

The Cloud Is Not Enough! Why Businesses Need Hybrid Solutions

Why Businesses Need Hybrid Solutions Running a cloud server is no longer the novel trend it once was. Now, the cloud is a necessary data tier that allows employees to access vital company data and maintain productivity from anywhere in the world. But it isn’t a perfect system — security and performance issues can quickly…

3 Keys To Keeping Your Online Data Accessible

3 Keys To Keeping Your Online Data Accessible

Online Data Data storage is often a real headache for businesses. Additionally, the shift to the cloud in response to storage challenges has caused security teams to struggle to reorient, leaving 49 percent of organizations doubting their experts’ ability to adapt. Even so, decision makers should not put off moving from old legacy systems to…