“Perfect forward secrecy” (PFS) is now live across all platforms, Twitter said, which makes it “effectively impossible” to collect data on users without the company’s permission, according to experts.
The move is thought to be part of a bid to make it more difficult to collect data on users without going through legal channels, according to the Telegraph.
Introduction of PFS ensures protection of encrypted data even if another party obtains decryption keys, as US and UK intelligence agencies have done in the past according to whistleblower Edward Snowden.
An internal team of security engineers has spent several months implementing PFS, which adds an extra layer of security to the widely used HTTPS encryption.
Google, Facebook, Dropbox and Tumblr have all implemented PFS, and LinkedIn is understood to be introducing it in 2014, according to the Guardian.
Technology companies and online service providers are attempting to restore user trust in the wake of the Snowden revelations of the US Prism internet surveillance programme.
The introduction of PFS means greater protection of direct private messages, protected tweets and data on what users say, who they comment on and who else they read.
PFS creates a new, disposable key for each exchange of information, so the key for every individual session would have to be decrypted to access the data.
In a blog post announcing the implementation, Twitter said PFS is what should be the “new normal” for web service owners to protect users from all predators on the internet.
“If you are a webmaster, we encourage you to implement HTTPS for your site and make it the default. If you already offer HTTPS, ensure your implementation is hardened with HTTP Strict Transport Security, secure cookies, certificate pinning, and Forward Secrecy,” the post reads.
Twitter also calls on website users to demand that the sites they use implement HTTPS to help protect privacy and to use an up-to-date web browser with the latest security improvements.
“HTTPS is surprisingly important for any web service that lets you login up front and then stay logged in indefinitely,” said Paul Ducklin, security technologist at security firm Sophos.
“That’s because your logged-in status is usually dealt with by a session cookie that is used by the server to recognize a user and transmitted in the HTTP traffic,” he wrote in a blog post.
According to Ducklin, without HTTPS to encrypt the cookie between the browser and the server, an attacker could sniff the traffic, extract the cookie and use it to masquerade as a legitimate users.
Plain HTTPS only requires the server to send a user a public key to which it has a matching private key, allowing the server to use the same public-private keypair over and over again.
HTTPS with forward secrecy, however, requires the server to send you a public key that is unique to a session, so the corresponding private key can be destroyed after use, said Ducklin.
“That’s how the forward secrecy is achieved: once the decryption keys from your session are destroyed, any copies of the encrypted data are effectively ‘nailed down’ into an eternally-encrypted state, like a padlock to which you’ve lost the key,” he said.