This morning Mikko “@mikko” Hypponen put out an encrypted tweet with the message indicating that you needed a TS/SCI with Poly clearance to read it. Dan “@dakami” Kaminsky followed up with the idea of possibly creating an encrypted tweet mechanism. Now there’s an idea… Right now companies like Twitter and Facebook make money off of the content we give to them. If there was an easy way to encrypt and decrypt that same content, could their business models fall apart?
mikko: ENCRYPTED TWEET Click To Read ==dHkgT3BlcmF0aW9ucyBDZW50ZXIgPHNvY0B1cy1jZXJ0Lmdvdj6JAa4EEAECAJgF== TS/SCI with Polygraph Clearance Required.

We don’t think Twitter and Facebook have anything to worry about, though. Email encryption solutions have been around for more than 15 years, but we’re pretty sure the number of messages you’ve ever encrypted can probably be counted on one hand. Plus, we don’t see encrypting your tweets as being that necessary except for those one-off direct messages that you would rather Twitter not see.
dakami: @mikko I actually wonder what would happen if I released an encrypted tweet mechanism. hmmmmmmmmmmmm
mikko: @dakami Remember to add text compression.
Of course encrypting Twitter messages is something we’ve been able to do for a while. All you need is a local or web-based app that allows you to enter text, input a key, and push an encrypt/decrypt button. This technique isn’t very convenient though, as you end up copying and pasting a lot of text back and forth all over the place. In search of a solution to ease this copy/paste exercise we started passively looking for more convenient options, but then Petraeus happened (“Assuming Users Are Already Compromised” and “4 Steps to Anonymous & Secured Communication”) and suddenly this research seemed a lot more relevant.
Although we covered Wickr in the past and there have been some recent entries (e.g., Silent Circle from Phil Zimmermann of PGP fame), most of these apps require users to communicate over their proprietary systems. What we were particularly looking for was an encryption add-on to use over existing communication streams like Twitter and Facebook.
Of course the big issue with any encrypted communication system is key distribution. Products like Wickr and Silent Circle handle all of this complexity for us, but you have to “trust” them. Back in the day some very smart people came up with the concept of Public Key Infrastructure (PKI) to solve the key distribution problem, and over the years many have created tools to implement it. But for whatever reason, PKI has never really taken off.
Any new system will undoubtedly have the same key distribution problems; however, some good options for specific niche groups may exist. Given that the infosec community may be one of those groups, we’ve come across a few good solutions, ranging from the less convenient to nicely integrated systems, that we’d like to share. But before we mention them we’d like to hear from you. Do you know of any workable Twitter encryption tools? We’ve pointed out a few down below in the closing signature to get you started…
- CryptTweet: Group of Python scripts designed to encrypt direct messages (DMs); uses RSA public-key crypto
- AnonTwi: Complete Python-based framework for not only encrypting content but also routing it through Tor; distributed and open source, but requires the user to manage keys
- Encrypt Facebook: Chrome extension that allows you to encrypt Twitter content as well; not centralized, but you must choose a random key and share it with the desired parties
- Encipher.it: Bookmarklet-based encryption; not centralized, but requires users to choose a random key and share it with others; software is open source
- Priv.ly: Content is stored on a server and linked to with a priv.ly link; a browser plugin allows users to select the link to expand the message in place; servers are open source and can be deployed in a distributed manner
- Scrambls.com: Free version for automatically encrypting/decrypting content any place on the web; iOS app for use on Twitter; keys are held on the Scrambls server; commercial version offers corporate key servers
Out of the remaining two, Priv.ly seems like the best solution due to its public key structure and open source servers. Unfortunately, the project is still in an alpha state and doesn’t look to be too usable at this time. The developers detailed their future plans in a blog post in early November, so we hope they have a bright 2013.
That leaves Scrambls as the best option in our opinion for now. It would be nice if there were an open source key server that used a public key structure. That way the owner of any key server wouldn’t be able to access the messages, assuming only the user holds the private portion of the key.
If anyone is interested in testing this service out, we’ve created a Scrambls group called NovaInfosec just to see how it works. Contact us if you’d like to be added. And be sure to check out their iPhone/iPad version for when you’re on the go.