Twitter Boosts User Protection With ‘Forward Secrecy’ Encryption Enhancements

Twitter has introduced its own form of ‘forward secrecy’, in a bid to protect users from so-called man-in-the-middle attacks where encryption is bypassed.

The improvements, which have been tested over the last month, should mean that even if Twitter’s private keys are compromised, an attacker cannot spy on users.

Twitter had already introduced HTTPS by default, but wanted to build on the use of SSL with better encryption methods.

Twitter encryption boost

“In order to support forward secrecy, we’ve enabled the EC Diffie-Hellman cipher suites. Under those cipher suites, the client and server manage to come up with a shared, random session key without ever sending the key across the network, even under encryption,” Twitter said in a blog post.

“The server’s private key is only used to sign the key exchange, preventing man-in-the-middle attacks.”
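The exchange Twitter describes, as an added example written for this article (not Twitter's code): both sides generate fresh ephemeral P-256 keys, the server signs its share with a long-term key that stands in for the certificate key, the client verifies that signature before using the share, and both sides arrive at the same session key without it ever being sent. The SignShare, VerifyShare and ECDHEHandshake names and the SHA-256 stand-in for TLS key derivation are assumptions of this example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

type SignedShare struct{ Share, Sig []byte } // server's ephemeral ECDH public key + long-term key's signature
// NewServerKey stands in for the server's long-term certificate key (constructed for this example).
func NewServerKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// SignShare: the long-term key only signs the key exchange; it never encrypts traffic.
func SignShare(longTerm *ecdsa.PrivateKey, share []byte) (SignedShare, error) {
	d := sha256.Sum256(share)
	sig, err := ecdsa.SignASN1(rand.Reader, longTerm, d[:])
	return SignedShare{Share: share, Sig: sig}, err
}

// VerifyShare is the client-side check that stops a man-in-the-middle substituting its own share.
func VerifyShare(serverPub *ecdsa.PublicKey, ss SignedShare) bool {
	d := sha256.Sum256(ss.Share)
	return ecdsa.VerifyASN1(serverPub, d[:], ss.Sig)
}

// ECDHEHandshake runs one exchange with fresh ephemeral P-256 keys on both sides and returns the session
// key each side derived; once the ephemeral keys are discarded a later leak of longTerm cannot recover it.
func ECDHEHandshake(longTerm *ecdsa.PrivateKey) (clientKey, serverKey []byte, err error) {
	clientEph, err1 := ecdh.P256().GenerateKey(rand.Reader)
	serverEph, err2 := ecdh.P256().GenerateKey(rand.Reader)
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	signed, err := SignShare(longTerm, serverEph.PublicKey().Bytes())
	if err == nil && !VerifyShare(&longTerm.PublicKey, signed) { // client rejects an altered share
		err = errors.New("server key share failed signature check")
	}
	if err != nil {
		return nil, nil, err
	}
	cs, err1 := clientEph.ECDH(serverEph.PublicKey()) // client: own private x server public
	ss, err2 := serverEph.ECDH(clientEph.PublicKey()) // server: own private x client public
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	ck, sk := sha256.Sum256(cs), sha256.Sum256(ss) // the session key itself never crosses the wire
	return ck[:], sk[:], nil
}
```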

Twitter said it had opted for the Elliptic Curve Diffie-Hellman cipher suite as it had proven to cause a “negligible” increase in CPU usage, whilst providing greater security. It has used HTTP keepalives and session resumption to ensure most requests do not require a full handshake, thereby improving efficiency.

The micro-blogging company has also implemented TLS session tickets, where an abbreviated handshake is used if the client still holds a session ticket from a recent connection.

Twitter has deployed a smart key rotation system, involving a string of key generator machines, with a leader generating a new session ticket key every 12 hours and killing old keys after 36 hours. Keys are stored in a RAM-based filesystem, tmpfs, so they are never written to long-term storage; were they to reach such storage and it was later compromised, users of those keys would be exposed.

Ticket keys are collected from a key generator machine via SSH, whilst timestamps are added to the encryption key files so servers know which key to decrypt with.

“At the end of the day, we are writing this not just to discuss an interesting piece of technology, but to present what we believe should be the new normal for web service owners,” Twitter added.

“If you are a webmaster, we encourage you to implement HTTPS for your site and make it the default. If you already offer HTTPS, ensure your implementation is hardened with HTTP Strict Transport Security, secure cookies, certificate pinning, and forward secrecy. The security gains have never been more important to implement.

“If you don’t run a website, demand that the sites you use implement HTTPS to help protect your privacy, and make sure you are using an up-to-date web browser so you are getting the latest security improvements.”


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
