CrypTweet encrypts Twitter direct messages

But don't use this work-in-progress software for truly secret communications just yet

Recent US attempts to obtain the communication records of people alleged to be associated with or even discussing WikiLeaks or the Occupy movement have inspired the development of encryption for Twitter messages.

CrypTweet has been put together by Mark Pesce, a Sydney-based author, futurist and educator who was also responsible for the virtual reality modelling language (VRML), a pioneering system for creating 3D interactive spaces on the web.

"I was appalled that the US government could subpoena Twitter's records in pursuit of political enemies like Julian Assange," Pesce told CSO Online.

According to the project website, "CrypTweet is a collection of Python programs designed to work together, using RSA public-key cryptography so that anyone can send you an encrypted direct message, but only you can read it."

CrypTweet is still rough at the edges and should be considered a work in progress.

Downloads are provided for Linux / OS X and Windows 7, and some command-line work is required to install and configure the software.

DMs can be sent and received from the command line, or CrypTweet can be run as a web service and accessed through a web browser.

"CrypTweet is really intended to be running entirely within your mobile," writes Pesce.

"While an Android port is under way, CrypTweet already has been tested on the Nokia N9 (running Meego, a flavour of Linux), and works flawlessly. If you have a jailbroken iPhone or iPad, you can install CrypTweet, but it requires a newer version of Python than is available from the Cydia package manager."

Initial reactions to CrypTweet have been mixed.

Commenters at Hacker News, for example, have pointed out flaws that they claim would make CrypTweet vulnerable to various attacks, including a known-plaintext attack (KPA), in which an attacker holding samples of both the original and the encrypted text could work backwards to recover the encryption keys, and a padding oracle attack.

"Don't use this for anything other than a toy. The crypto is misdesigned," wrote one.
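The two properties the critics above are arguing about, that anyone holding the public key can encrypt but only the key holder can decrypt, and that the padding around the message is what stands between the scheme and known-plaintext or padding-oracle trouble, can be seen in a few dozen lines. The following is an added example written for this article, not CrypTweet's code and not a description of how CrypTweet pads its messages. It assumes a 1024-bit key (chosen so the demo runs quickly; real keys should be at least 2048 bits), RSAES-OAEP from RFC 8017 with SHA-256 and an empty label, and a constructed sample DM; only the Python standard library is used.

```python
# Added example, not CrypTweet's code; stdlib only, Python 3.8+ (uses pow(e, -1, phi)).
import hashlib
import os
import random

_RNG = random.SystemRandom()            # OS-backed randomness for primes and MR bases
H_LEN = 32                              # SHA-256 digest length used by OAEP
_LHASH = hashlib.sha256(b"").digest()   # OAEP label hash (empty label)

def is_probable_prime(n, rounds=16):
    """Trial division by small primes, then Miller-Rabin."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Odd candidate with its top bit set, retried until probably prime."""
    while True:
        cand = _RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=1024):
    """Return ((n, e), (n, d)); 1024 bits keeps the demo quick, real keys need >= 2048."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:      # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def mgf1(seed, length):
    """MGF1 mask generation with SHA-256 (RFC 8017, B.2.1)."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range((length + H_LEN - 1) // H_LEN))
    return b"".join(blocks)[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encrypt(pub, msg):
    """RSAES-OAEP (RFC 8017, 7.1.1): a fresh random seed on every call."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(msg) > k - 2 * H_LEN - 2:
        raise ValueError("message too long for this key")
    db = _LHASH + b"\x00" * (k - len(msg) - 2 * H_LEN - 2) + b"\x01" + msg
    seed = os.urandom(H_LEN)
    masked_db = _xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = _xor(seed, mgf1(masked_db, H_LEN))
    em = b"\x00" + masked_seed + masked_db
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

def oaep_decrypt(priv, ct):
    """Every integrity failure raises the same error: telling the caller *which*
    check failed is the oracle a padding-oracle attack feeds on (production code also
    needs constant-time comparisons)."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    if len(ct) != k:
        raise ValueError("decryption error")
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    masked_seed, masked_db = em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = _xor(masked_seed, mgf1(masked_db, H_LEN))
    db = _xor(masked_db, mgf1(seed, k - H_LEN - 1))
    rest = db[H_LEN:]
    sep = rest.find(b"\x01")
    if not (em[0] == 0 and db[:H_LEN] == _LHASH and sep >= 0 and not any(rest[:sep])):
        raise ValueError("decryption error")
    return rest[sep + 1:]

def textbook_encrypt(pub, msg):
    """Unpadded RSA: no randomness, so equal messages give equal ciphertexts."""
    n, e = pub
    return pow(int.from_bytes(msg, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")

def compare_schemes(pub, priv, msg):
    """Encrypt the same DM twice under each scheme; report what an observer sees."""
    return {
        "textbook_repeats": textbook_encrypt(pub, msg) == textbook_encrypt(pub, msg),
        "oaep_repeats": oaep_encrypt(pub, msg) == oaep_encrypt(pub, msg),
        "oaep_roundtrip": oaep_decrypt(priv, oaep_encrypt(pub, msg)) == msg,
    }
```

Running `compare_schemes(*generate_keypair(), b"constructed sample DM: call me at 9")` reports that the unpadded ciphertext repeats exactly while the OAEP ciphertext never does and still decrypts to the original. The repeat is the point: with the public key in hand, anyone can encrypt a guessed message and compare it against intercepted ciphertexts, which is the public-key counterpart of the known-plaintext worry raised above; the random seed in OAEP removes that, and a decryptor that reports one generic failure rather than which check tripped is the corresponding defence against padding oracles.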

Critics on Twitter pointed to the current lack of HTTPS encryption between CrypTweet and its public key server, and to the all-encompassing permissions that CrypTweet requires to use Twitter's API — although that's forced by that API's lack of granularity. Granting read-write access to a Twitter user's DMs automatically grants access to everything else.

The project doesn't use modern software development tools such as a public source-code repository (GitHub, for example) or a documented API.

"Encrypting Tweets is like installing Linux on a toaster. I'm happy for you, though," tweeted cynical mobile developer Leslie Nassar.

Nassar has a point. Encrypting DMs wouldn't make much difference if the sender's or receiver's device, or the key server itself, had been compromised — and mobile devices are increasingly the target of sophisticated malware.

However, other commenters considered CrypTweet "a nice initial attempt" and noted that the project's "broader motivation is to bring crypto to services that people are using, not the other way round".

Pesce understands that CrypTweet has flaws, and has released the code at this early stage precisely so that experts can help improve it.

"There are bright folks who know lots more about cryptography than I do. They'll be able to spot the flaws and holes in CrypTweet. I'm hoping they can share their findings so those holes can be closed," Pesce said.

CrypTweet requires Python version 2.6 or greater, but not Python 3. No additional packages are necessary.

Pesce reckons he spent around 70 to 100 hours developing CrypTweet over the past six weeks. The project was funded in part by a grant from the Shuttleworth Foundation.

Comments

Allen: Encryption concepts are interesting and eager to know how the process would take place.