This morning Mikko “@mikko” Hypponen put out an encrypted tweet with a message indicating that you needed a TS/SCI with Poly clearance to read it. Dan “@dakami” Kaminsky followed up with the idea of possibly creating an encrypted tweet mechanism. Now there’s an idea… Right now companies like Twitter and Facebook make money off of the content we give to them. If there were an easy way to encrypt and decrypt that same content, could their business models fall apart?
mikko: ENCRYPTED TWEET Click To Read ==dHkgT3BlcmF0aW9ucyBDZW50ZXIgPHNvY0B1cy1jZXJ0Lmdvdj6JAa4EEAECAJgF== TS/SCI with Polygraph Clearance Required. ~
dakami: @mikko I actually wonder what would happen if I released an encrypted tweet mechanism. hmmmmmmmmmmmm ~
mikko: @dakami Remember to add text compression. ~
We don’t think Twitter and Facebook have anything to worry about though. Email encryption solutions have been around for more than 15 years, but we’re pretty sure the number of messages you’ve ever encrypted can be counted on one hand. Plus, we don’t see encrypting your tweets as being that necessary, except for those one-off direct messages that you would rather Twitter not see.
Of course, encrypting Twitter messages is something we’ve been able to do for a while. All you need is a local or web-based app that allows you to enter text, input a key, and push an encrypt/decrypt button. This technique isn’t very convenient though, as you end up copying and pasting a lot of text back and forth all over the place. In search of a solution to ease this copy/paste exercise, we started passively looking for more convenient options, but then Petraeus happened (“Assuming Users Are Already Compromised” and “4 Steps to Anonymous & Secured Communication”) and suddenly this research seemed a lot more relevant.
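The enter-text, input-a-key, push-a-button tool described above, with the compression step from @mikko's reply, as an added example (not code from this post or from any of the tools it mentions). It assumes Node.js, a passphrase shared out of band, and the 140-character tweet limit; the function names are illustrative.

```javascript
const crypto = require('node:crypto');
const zlib = require('node:zlib');

const TWEET_LIMIT = 140; // assumption: the 140-character tweet limit
const SALT = 16, NONCE = 12, TAG = 16, HEADER = 1 + SALT + NONCE + TAG;

// Base64 turns 3 bytes into 4 characters, so 140 characters carry 105 bytes.
function maxBodyBytes() {
  return Math.floor(TWEET_LIMIT / 4) * 3 - HEADER;
}

// Wire layout before base64: flag(1) | salt(16) | nonce(12) | tag(16) | ciphertext
function encryptTweet(text, passphrase) {
  const raw = Buffer.from(text, 'utf8');
  const packed = zlib.deflateRawSync(raw, { level: 9 });
  // Short texts often grow when deflated, so keep whichever form is smaller.
  // Note: compressing before encrypting lets ciphertext length hint at content.
  const useDeflate = packed.length < raw.length;
  const body = useDeflate ? packed : raw;
  if (body.length > maxBodyBytes()) throw new RangeError('message does not fit in one tweet');
  const flag = Buffer.from([useDeflate ? 1 : 0]);
  const salt = crypto.randomBytes(SALT);
  const nonce = crypto.randomBytes(NONCE);
  const key = crypto.scryptSync(passphrase, salt, 32); // fresh key per salt
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(flag); // authenticate the compression flag as well
  const ct = Buffer.concat([cipher.update(body), cipher.final()]);
  return Buffer.concat([flag, salt, nonce, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptTweet(b64, passphrase) {
  const buf = Buffer.from(b64, 'base64');
  if (buf.length < HEADER) throw new Error('truncated message');
  const flag = buf.subarray(0, 1);
  const salt = buf.subarray(1, 1 + SALT);
  const nonce = buf.subarray(1 + SALT, 1 + SALT + NONCE);
  const tag = buf.subarray(1 + SALT + NONCE, HEADER);
  const key = crypto.scryptSync(passphrase, salt, 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce);
  decipher.setAAD(flag);
  decipher.setAuthTag(tag);
  // final() throws if the passphrase is wrong or the tweet was altered.
  const body = Buffer.concat([decipher.update(buf.subarray(HEADER)), decipher.final()]);
  return (flag[0] === 1 ? zlib.inflateRawSync(body, { maxOutputLength: 4096 }) : body).toString('utf8');
}
```

The salt, nonce and authentication tag cost 45 of the 105 available bytes, which leaves 60 bytes for the message itself; compression only buys space back when the text is repetitive.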
Although we covered Wickr in the past and there have been some recent entries (e.g., Silent Circle from Phil Zimmermann of PGP fame), most of these apps require users to communicate over their proprietary systems. What we were particularly looking for was an encryption add-on to use over existing communication streams like Twitter and Facebook.
Of course, the big issue with any encrypted communication system is key distribution. Products like Wickr and Silent Circle handle all of this complexity for us, but you have to “trust” them. Back in the day some very smart people came up with the concept of Public Key Infrastructure (PKI) to solve the key distribution problem, and over the years many have created tools to implement it. But for whatever reason … PKI has never really taken off.
Any new system will undoubtedly have the same key distribution problems; however, some good options for specific niche groups may exist. Given that the infosec community may be one of those groups, we’ve come across a few good solutions, ranging from the less convenient to nicely integrated systems, that we’d like to share. But before we mention them we’d like to hear from you. Do you know of any workable Twitter encryption tools? We’ve pointed out a few down below in the closing signature to get you started…
Have any tools that you use to encrypt tweets? Let us know in the comments below. Today’s post pic is from PlexusProject.org (one of the many great Twitter encryption projects out there). Also @mikko mentioned one on Twitter recently. See ya!