from the protecting-your-privacy dept
The Twitter blog post on this actually goes into a fairly detailed discussion about the technology choices they made, and the trade-offs involved. It's pretty clear this wasn't just written by a PR person. That said, security researcher Nicholas Weaver notes some potential issues with Twitter's transport encryption choices, noting that there are some indications that RC4 is no longer secure, even when used in TLS. Hopefully further changes can make it even more secure.
That said, the Twitter blog post makes a key point towards the end, about how greater and greater security, especially against the ability of an entity like the NSA, needs to be "the new normal."
At the end of the day, we are writing this not just to discuss an interesting piece of technology, but to present what we believe should be the new normal for web service owners. A year and a half ago, Twitter was first served completely over HTTPS. Since then, it has become clearer and clearer how important that step was to protecting our users’ privacy.
If you are a webmaster, we encourage you to implement HTTPS for your site and make it the default. If you already offer HTTPS, ensure your implementation is hardened with HTTP Strict Transport Security, secure cookies, certificate pinning, and Forward Secrecy. The security gains have never been more important to implement.