Can't have the NSA just scooping stuff off the wire
Make them pay us for the data they want.
Twitter says it has rolled out stronger encryption to safeguard its users' connections from eavesdroppers. The micro-blogging ad-pusher said it has switched on "forward secrecy" for traffic to and from its desktop and mobile websites and its app interface; this goes beyond the protections afforded by traditional HTTPS. …
Nah, it's pure privacy theatre. As I have said probably a gazillion times by now, crypto is actually entirely irrelevant if any official can legally demand they get the raw data. I'm not sure how much power they have to order a version with a backdoor to be created, but Twitter is IMHO too big to risk saying no and face being closed down.
Oh, and as for really caring about client privacy, umm, I don't think so:
; <<>> DiG 9.8.3-P1 <<>> twitter.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58910
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;twitter.com. IN MX
;; ANSWER SECTION:
twitter.com. 600 IN MX 20 alt1.aspmx.l.google.com.
twitter.com. 600 IN MX 20 alt2.aspmx.l.google.com.
twitter.com. 600 IN MX 30 ASPMX2.GOOGLEMAIL.com.
twitter.com. 600 IN MX 30 ASPMX3.GOOGLEMAIL.com.
twitter.com. 600 IN MX 10 aspmx.l.google.com.
QED.
...isn't exactly what Twitter is about.
They're protecting user account details with this move, and it would be good to see similar moves from others, but the way it's being reported you'd think Twitter was being used to transmit state secrets.
Now if regular email suddenly switched to using similar encryption for all traffic, regardless of provider, that would be far more significant.
TLS implemented well is more than enough to keep even professional criminals from eavesdropping on your traffic. I'd far sooner trust Twitter to use OpenSSL or GnuTLS according to the instructions than I would them implementing their own cryptosystem. Frankly, they're almost bound to have got it wrong somewhere.
It does nothing to keep the real problem at bay, that being government agents bearing rubber-stamped court orders, and adds a real element of risk that they've fucked it up and made themselves vulnerable to actual, feasible attacks rather than the largely theoretical bullshit attacks against TLS 1.1.
Why not just deploy TLS 1.2 everywhere and wait for browsers to catch up in support?
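The forward-secrecy claim in the quoted article and the TLS 1.1 / 1.2 question above can both be checked against a live endpoint. This is an added example, not code from the thread or from Twitter; the host names are assumptions chosen for illustration.

```python
import socket
import ssl

# Added example: report the negotiated TLS version and cipher suite for a host and
# say whether the key exchange was ephemeral (the "forward secrecy" the article describes).


def has_forward_secrecy(cipher_name: str, protocol: str) -> bool:
    """Return True if the negotiated suite uses an ephemeral (EC)DHE key exchange.

    TLS 1.3 suite names (e.g. TLS_AES_128_GCM_SHA256) do not mention the key
    exchange because every TLS 1.3 handshake is (EC)DHE, so they always qualify.
    For TLS 1.2 and earlier the suite name carries it: ECDHE-RSA-AES128-GCM-SHA256
    is forward secret, while AES128-GCM-SHA256 (static RSA key transport) is not,
    so a stolen server key would decrypt recorded traffic.
    """
    if protocol == "TLSv1.3":
        return True
    name = cipher_name.upper()
    # OpenSSL-style names start with the key exchange; IANA-style names prefix it with TLS_.
    return name.startswith(("ECDHE-", "DHE-", "TLS_ECDHE_", "TLS_DHE_"))


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open one TLS connection and summarise what was negotiated."""
    ctx = ssl.create_default_context()  # certificate verification stays on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher, protocol, _bits = tls.cipher()
            return {
                "host": host,
                "protocol": protocol,
                "cipher": cipher,
                "forward_secrecy": has_forward_secrecy(cipher, protocol),
            }


if __name__ == "__main__":
    import sys

    # Default host is an assumption; pass others on the command line.
    for h in sys.argv[1:] or ["twitter.com"]:
        r = probe(h)
        print(f"{r['host']}: {r['protocol']} {r['cipher']} forward_secrecy={r['forward_secrecy']}")
```

A modern server should report TLSv1.2 with an ECDHE suite or TLSv1.3; a static-RSA suite on TLS 1.2 means the HTTPS is "traditional" in the article's sense.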
The security services are shooting themselves in the foot. From now on a battle is raging between privacy and their security work. All manner of technology and software is going to be developed to keep things private.
If they had only focused on the criminals and terrorists then it wouldn't have been so bad.
"Encrypting messages in transit....." They are just encrypting logins because there have been an embarrassing number of account hijackings. If the Twatterati stop trusting the login mechanism then they will stop Twattering and Twatter loses all that ad revenue. In reality it is still pretty pointless if most Twatterati continue to use insecure passwords such as their pet's name, etc.
For an indignant, factually non-criminal person to say, "If I catch whoever is planting trojans, spyware, and remote controls on my devices, I will put a 'capture and 1-leg-break/6-finger-mangle' bounty on YOU, your boss, and your next two subordinates" if said person could demonstrate an ability to find, out, and display the suspected exploits on his/her devices?
With Twitter, all that matters is post information, so IP addresses and geo data. Ultimately geo data is public anyway on the site, much as the tweet content is, so all that needs to be protected is the IP address. What else matters? They could just stop logging IPs against sent messages, problem solved.
Absolutely useless. The secret courts of the USA make this so. This is damage control, no two ways about it.
IF you really want to protect users, move your servers and your business to a location where there are no secret courts to secretly steal user information.
Also, make sure you do not use any Microsoft software, nor any Cisco hardware.
As an up-and-coming IT security professional, that is the only recommendation I could ever make to clients where security is a concern.
Full Stop!