With the scope of the National Security Agency seemingly expanding with every new revelation, Web services are rushing to implement security measures that will keep both hackers and nosy government agencies out. Twitter is the latest to enable "forward secrecy," a cryptographic technique that keeps already-recorded traffic unreadable even if a site's long-term encryption key is later stolen, leaked or handed over, which is exactly the kind of attack an agency like the NSA is positioned to make.
The technique has been around for decades, but few used it until recently. The encryption most websites have relied on works like this: your browser picks a key for the conversation and sends it locked with a "master key," the site's long-term private key, which sits on, say, Facebook's servers. That key is what lets Facebook unlock each conversation. But if someone were to get hold of it, they too could unlock every conversation protected with it, including ones they recorded months or years earlier, and that could mean huge amounts of data from millions of users, since it was all secured with the same key.
Think of it like this: You have a decoder ring that you and some friends use to send coded letters. If someone duplicates the ring, they can decode all those letters. What forward secrecy does, essentially, is give each letter its own dedicated ring, one that is made on the spot and thrown away as soon as the letter is read. Now if someone copies a ring, they can decode at most one letter, and by the time they try, the ring for every letter already read no longer exists.
It costs the servers some extra computation on every connection, but the end result is that even if the NSA were to somehow get hold of Facebook's long-term key, that key would not unlock any traffic that had already been recorded. Every connection negotiates its own temporary key, which both sides throw away when the connection ends, and the keys change on every connection, not just every time someone logs in. (The one thing a stolen long-term key still buys an attacker is the ability to impersonate the site from that point on, which is why a leaked key still has to be replaced.)
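The difference the last three paragraphs describe, as an added example that is not Twitter's code and not from the original article: two recorded connections, one using the old RSA key exchange (the "master key" design) and one using ephemeral Diffie-Hellman (here X25519, standing in for the ECDHE cipher suites Twitter enabled), followed by an adversary who stole the server's long-term key after the fact. AES-GCM is used for the application data and the server's signature over its ephemeral key is omitted; both are simplifying assumptions noted in the code. Only Go's standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must panics on error so the key-exchange logic below stays readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// recordedSession is what a passive eavesdropper captures off the wire: the
// key-exchange messages plus the encrypted application data.
type recordedSession struct {
	keyExchange  []byte // RSA: session key wrapped to the long-term key; ECDHE: client's ephemeral public key
	serverEphPub []byte // ECDHE only: server's ephemeral public key (nil for RSA)
	nonce        []byte
	ciphertext   []byte
}

// seal/open are AES-256-GCM under a 32-byte session key; open fails on a wrong key.
func seal(key, plaintext []byte) (nonce, ct []byte) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce = make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return nonce, gcm.Seal(nil, nonce, plaintext, nil)
}

func open(key, nonce, ct []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return gcm.Open(nil, nonce, ct, nil)
}

// newServerKey is the site's long-term key, the "master key" of the article.
func newServerKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// rsaSession models the classic TLS RSA key exchange: the client picks the
// session key and sends it encrypted to the server's long-term public key, so
// the recording holds everything needed to recover the key once that key leaks.
func rsaSession(serverPub *rsa.PublicKey, msg []byte) recordedSession {
	sessionKey := make([]byte, 32)
	must(rand.Read(sessionKey))
	wrapped := must(rsa.EncryptPKCS1v15(rand.Reader, serverPub, sessionKey))
	nonce, ct := seal(sessionKey, msg)
	return recordedSession{keyExchange: wrapped, nonce: nonce, ciphertext: ct}
}

// ecdheSession models ECDHE over X25519: each side generates a fresh key pair,
// derives the same session key from the shared secret, then forgets its private
// key. Real TLS also has the server sign its ephemeral public key with the
// long-term key; that proves identity, adds nothing to secrecy, and is omitted.
// Returns the transcript and the plaintext the server recovered at the time.
func ecdheSession(msg []byte) (recordedSession, []byte) {
	curve := ecdh.X25519()
	clientPriv := must(curve.GenerateKey(rand.Reader))
	serverPriv := must(curve.GenerateKey(rand.Reader))
	clientKey := sha256.Sum256(must(clientPriv.ECDH(serverPriv.PublicKey())))
	serverKey := sha256.Sum256(must(serverPriv.ECDH(clientPriv.PublicKey())))
	nonce, ct := seal(clientKey[:], msg)        // client encrypts...
	seen := must(open(serverKey[:], nonce, ct)) // ...server decrypts with its own derived key
	rec := recordedSession{
		keyExchange:  clientPriv.PublicKey().Bytes(),
		serverEphPub: serverPriv.PublicKey().Bytes(),
		nonce:        nonce,
		ciphertext:   ct,
	}
	return rec, seen // clientPriv and serverPriv are stored nowhere: they are gone
}

// decryptLater is the adversary who recorded a session and later obtained the
// server's long-term private key "one way or another". With RSA key transport
// the stolen key unwraps the session key and the recording falls. With ECDHE
// the transcript holds only public values; the only secrets that could unlock
// it were the two ephemeral private keys, and those no longer exist.
func decryptLater(stolen *rsa.PrivateKey, rec recordedSession) ([]byte, error) {
	if rec.serverEphPub != nil {
		return nil, errors.New("ECDHE session: the long-term key took no part in the key exchange")
	}
	sessionKey, err := rsa.DecryptPKCS1v15(nil, stolen, rec.keyExchange)
	if err != nil {
		return nil, err
	}
	return open(sessionKey, rec.nonce, rec.ciphertext)
}

func main() {
	serverKey := newServerKey()
	msg := []byte("constructed sample direct message") // constructed sample plaintext
	rsaRec := rsaSession(&serverKey.PublicKey, msg)
	fsRec, _ := ecdheSession(msg)
	for _, rec := range []recordedSession{rsaRec, fsRec} {
		pt, err := decryptLater(serverKey, rec)
		fmt.Printf("long-term key stolen after recording: plaintext=%q err=%v\n", pt, err)
	}
}
```

Running it prints the RSA recording in the clear and an error for the ECDHE one. The point to notice is that the ECDHE branch of decryptLater is not a trick: the recorded transcript contains only two public keys and ciphertext, and the program keeps no copy of the ephemeral private keys, so there is nothing the stolen key can be applied to.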
Twitter doesn't mention the NSA by name in explaining why it enabled the new system, but the technique attributed to a hypothetical "adversary" in the introduction to its post does happen to match the NSA's passive surveillance, in which it records encrypted traffic it can't yet read and stores it until, one way or another, it acquires a key.
Google started using forward secrecy in 2011, and Facebook turned it on in June, so Twitter is a bit behind in this case, although to its credit it was one of the first major services to make HTTPS the default for every user, in 2012.
Technically minded readers will find the implementation, described on Twitter's official blog, worth a look. Forward secrecy is already in effect and requires nothing from you, with one caveat: it only applies when your browser supports the newer ECDHE cipher suites, so an older client that still negotiates the RSA key exchange gets no forward secrecy. Most current browsers can show which cipher suite was negotiated for a page, and a suite name that starts with "ECDHE" means forward secrecy is in play. Otherwise, enjoy the extra security.
Devin Coldewey is a contributing writer for NBC News Digital. His personal website is coldewey.cc.
First published November 22 2013, 3:58 PM