Twitter adds forward secrecy encryption feature

Wednesday 27 November 2013 10:42 CET | News

Twitter has deployed a new security feature which will allow it to beef up encryption and secure users’ information.

The newly added capability, forward secrecy, takes the privacy and safety provided by Secure Sockets Layer (SSL) connections and kicks it up a notch, preventing those who later break the encryption from seeing what a user was doing online.

In a recent blog post, Twitter explained how this feature works.

Under traditional HTTPS, the client chooses a random session key, encrypts it using the server’s public key, and sends it over the network. Someone in possession of the server’s private key and some recorded traffic can decrypt the session key and use that to decrypt the entire session. In order to support forward secrecy, Twitter has enabled the EC Diffie-Hellman cipher suites. Under those cipher suites, the client and server manage to come up with a shared, random session key without ever sending the key across the network, even under encryption. The server’s private key is only used to sign the key exchange, preventing man-in-the-middle attacks.

There are two main categories of Diffie-Hellman key exchange. Traditional Diffie-Hellman (DHE) depends on the hardness of the Discrete Logarithm Problem and uses significantly more CPU than RSA, the most common key exchange used in SSL. Elliptic Curve Diffie-Hellman (ECDHE) is only a little more expensive than RSA for an equivalent security level. Vincent Bernat (@vince2_) benchmarked ECDHE at a 15% overhead relative to RSA over 2048-bit keys. DHE, by comparison, used 310% more CPU than RSA.
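The contrast drawn above (the client encrypting a session key to the server's RSA key versus both sides deriving a key that never crosses the wire, with the server's key only signing the exchange) can be shown in a few dozen lines. The following is an added illustration, not code from Twitter or from the article: it uses a toy-sized RSA key and a finite-field Diffie-Hellman group as a stand-in for ECDHE (the structure of the argument is the same; the group, the sizes and the lack of padding are constructed for readability, not for use). A passive observer who records the handshake and later obtains the server's private key recovers the session key in the first case and gets nothing but a verified signature in the second.

```python
"""Toy model of RSA key transport versus signed ephemeral Diffie-Hellman.

Constructed illustration only: tiny RSA key, a small DH group, no padding,
no TLS framing. Finite-field DH stands in for ECDHE because the point
(server key only signs; session key is never transmitted) is identical.
"""
import hashlib
import secrets

# --- Server's long-term RSA identity key (toy size, constructed) -------------
RSA_P, RSA_Q = 61, 53
RSA_N = RSA_P * RSA_Q                                # public modulus, 3233
RSA_E = 17                                          # public exponent
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # private exponent, 2753

# --- Toy Diffie-Hellman group (constructed; not a real TLS group) -----------
DH_P = 2**127 - 1   # a prime, used only so the arithmetic is well defined
DH_G = 5


def hash_to_int(value: int) -> int:
    """Hash an integer onto the RSA message space (toy: no padding scheme)."""
    digest = hashlib.sha256(str(value).encode()).digest()
    return int.from_bytes(digest, "big") % RSA_N


def rsa_sign(value: int) -> int:
    """Server signs a value with its long-term private key."""
    return pow(hash_to_int(value), RSA_D, RSA_N)


def rsa_verify(value: int, signature: int) -> bool:
    """Anyone holding the server's public key can check the signature."""
    return pow(signature, RSA_E, RSA_N) == hash_to_int(value)


# --- Case 1: traditional RSA key transport ----------------------------------
def rsa_key_transport():
    """Client picks the session key and encrypts it to the server's public key.

    Returns (client_key, server_key, transcript); the transcript is what a
    passive observer records off the wire."""
    session_key = secrets.randbelow(RSA_N - 2) + 2
    wrapped = pow(session_key, RSA_E, RSA_N)      # this goes over the network
    server_key = pow(wrapped, RSA_D, RSA_N)       # server unwraps it
    return session_key, server_key, {"wrapped_key": wrapped}


def attacker_with_server_key_rsa(transcript):
    """Recorded traffic plus a later-obtained private key: key recovered."""
    return pow(transcript["wrapped_key"], RSA_D, RSA_N)


# --- Case 2: signed ephemeral Diffie-Hellman --------------------------------
def signed_dh_exchange():
    """Both sides derive the key; the server's RSA key only signs its share.

    Returns (client_key, server_key, transcript)."""
    # Server: fresh ephemeral secret, public share, signature over the share
    b = secrets.randbelow(DH_P - 2) + 2
    server_share = pow(DH_G, b, DH_P)
    signature = rsa_sign(server_share)
    # Client: confirm the share came from the server before using it
    if not rsa_verify(server_share, signature):
        raise ValueError("server share not signed by server key")
    a = secrets.randbelow(DH_P - 2) + 2
    client_share = pow(DH_G, a, DH_P)
    client_key = pow(server_share, a, DH_P)       # g^(ba)
    # Server: same key from the client's share
    server_key = pow(client_share, b, DH_P)       # g^(ab)
    del a, b   # ephemeral secrets are discarded once the handshake is done
    return client_key, server_key, {
        "client_share": client_share,
        "server_share": server_share,
        "signature": signature,
    }


def attacker_with_server_key_dh(transcript):
    """What a passive observer learns even while holding RSA_D.

    The private key lets them confirm (or later forge) signatures, but the
    session key g^(ab) cannot be computed from g^a and g^b without solving
    the discrete logarithm problem, so no key is returned."""
    return {
        "signature_valid": rsa_verify(transcript["server_share"],
                                      transcript["signature"]),
        "session_key": None,
    }


if __name__ == "__main__":
    ck, sk, tr = rsa_key_transport()
    print("RSA transport: attacker recovers key:",
          attacker_with_server_key_rsa(tr) == ck)
    ck, sk, tr = signed_dh_exchange()
    print("Signed DH: keys agree:", ck == sk,
          "| attacker view:", attacker_with_server_key_dh(tr))
```

The comparison also shows why the signature matters: without it, an active attacker could substitute their own share, which is the man-in-the-middle case the server's private key is there to prevent. Forward secrecy covers only passive recording plus later key compromise; a server key stolen before the handshake still lets an attacker impersonate the server going forward.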

According to the Electronic Frontier Foundation, this type of protection is increasingly important on today’s internet.

