CrypTweet encrypts Twitter direct messages
- — 21 February, 2012 09:26
Recent US attempts to obtain the communication records of people alleged to be associated with or even discussing WikiLeaks or the Occupy movement have inspired the development of encryption for Twitter messages.
CrypTweet has been put together by Mark Pesce, a Sydney-based author, futurist and educator who was also responsible for the virtual reality modelling language (VRML), a pioneering system for creating 3D interactive spaces on the web.
"I was appalled that the US government could subpoena Twitter's records in pursuit of political enemies like Julian Assange," Pesce told CSO Online.
According to the project website, "CrypTweet is a collection of Python programs designed to work together, using RSA public-key cryptography so that anyone can send you an encrypted direct message, but only you can read it."
CrypTweet is still rough at the edges and should be considered a work in progress.
Downloads are provided for Linux / OS X and Windows 7, and some command-line work is required to install and configure the software.
DMs can be sent and received from the command line, or CrypTweet can be run as a web service and accessed through a web browser.
"CrypTweet is really intended to be running entirely within your mobile," writes Pesce.
"While an Android port is under way, CrypTweet already has been tested on the Nokia N9 (running Meego, a flavour of Linux), and works flawlessly. If you have a jailbroken iPhone or iPad, you can install CrypTweet, but it requires a newer version of Python than is available from the Cydia package manager."
Initial reactions to CrypTweet have been mixed.
Commenters at Hacker News, for example, have pointed out flaws that they claim would make CrypTweet vulnerable to various attacks including a known-plaintext attack (KPA), where an attacker with samples of both the original and encrypted text could work backwards to recover the encryption keys, and the padding oracle attack.
"Don't use this for anything other than a toy. The crypto is misdesigned," wrote one.
Critics on Twitter pointed to the current lack of HTTPS encryption between CrypTweet and its public key server, and to the all-encompassing permissions that CrypTweet requires to use Twitter's API — although that's forced by that API's lack of granularity. Granting read-write access to a Twitter user's DMs automatically grants access to everything else.
The project doesn't use modern software development tools such as a source code browser like github or a documented API.
"Encrypting Tweets is like installing Linux on a toaster. I'm happy for you, though," tweeted cynical mobile developer Leslie Nassar.
Nassar has a point. Encrypting DMs wouldn't make much difference if the sender or receiver's device or the key server itself had been compromised — and mobile devices are increasingly the target of sophisticated malware.
However other commenters considered CrypTweet "a nice initial attempt" and noted that the project's "broader motivation is to bring crypto to services that people are using, not the other way round".
Pesce understands that CrypTweet has flaws, and has released the code at this early stage precisely so that experts can help improve it.
"There are bright folks who know lots more about cryptography than I do. They'll be able to spot the flaws and holes in CrypTweet. I'm hoping they can share their findings so those holes can be closed," Pesce said.
CrypTweet requires Python version 2.6 or greater, but not Python3. No additional packages are necessary.
Pesce reckons he spent around 70 to 100 hours developing CrypTweet over the past six weeks. The project was funded in part by a grant from the Shuttleworth Foundation.