CrypTweet encrypts Twitter direct messages

But don't use this work-in-progress software for truly secret communications just yet

Recent US attempts to obtain the communication records of people alleged to be associated with or even discussing WikiLeaks or the Occupy movement have inspired the development of encryption for Twitter messages.

CrypTweet has been put together by Mark Pesce, a Sydney-based author, futurist and educator who was also responsible for the virtual reality modelling language (VRML), a pioneering system for creating 3D interactive spaces on the web.

"I was appalled that the US government could subpoena Twitter's records in pursuit of political enemies like Julian Assange," Pesce told CSO Online.

According to the project website, "CrypTweet is a collection of Python programs designed to work together, using RSA public-key cryptography so that anyone can send you an encrypted direct message, but only you can read it."

CrypTweet is still rough at the edges and should be considered a work in progress.

Downloads are provided for Linux / OS X and Windows 7, and some command-line work is required to install and configure the software.

DMs can be sent and received from the command line, or CrypTweet can be run as a web service and accessed through a web browser.

"CrypTweet is really intended to be running entirely within your mobile," writes Pesce.

"While an Android port is under way, CrypTweet already has been tested on the Nokia N9 (running Meego, a flavour of Linux), and works flawlessly. If you have a jailbroken iPhone or iPad, you can install CrypTweet, but it requires a newer version of Python than is available from the Cydia package manager."

Initial reactions to CrypTweet have been mixed.

Commenters at Hacker News, for example, have pointed out flaws that they claim would make CrypTweet vulnerable to various attacks, including a known-plaintext attack (KPA), where an attacker holding samples of both the original and the encrypted text uses the pair to recover the key or other secret material, and a padding oracle attack, where an attacker who can learn whether a tampered message decrypts to correctly padded data uses that one bit of feedback, repeated many times, to decrypt messages without ever having the key.

"Don't use this for anything other than a toy. The crypto is misdesigned," wrote one.
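The padding oracle attack the Hacker News commenters named, shown as an added illustration: this is example code written for this page, not CrypTweet's own code, and the article does not describe how CrypTweet's encryption is actually built. The example assumes CBC mode with PKCS#7 padding and a decryptor that tells its caller whether the padding checked out; the block cipher is a toy HMAC-SHA256 Feistel network standing in for a real cipher such as AES (the attack does not depend on which block cipher is used), and the key, IV and message are constructed for the demo. It is Python 3, whereas the article's CrypTweet targets Python 2.6.

```python
"""Generic CBC padding-oracle demonstration (added example, not CrypTweet code).

The attack needs only CBC mode plus a decryptor that leaks whether padding was valid;
the toy block cipher below just makes the script self-contained.
"""
import hashlib
import hmac
import os

BLOCK = 8  # 8-byte blocks keep the toy cipher small; AES would use 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, r, half):
    # Keyed round function: a slice of HMAC-SHA256 over (round number, right half).
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(4):
        left, right = right, _xor(left, _round(key, r, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(4)):
        left, right = _xor(right, _round(key, r, left)), left
    return left + right


def pad(data):
    n = BLOCK - len(data) % BLOCK  # PKCS#7: always append 1..BLOCK bytes of value n
    return data + bytes([n]) * n


def unpad(data):
    if not data or len(data) % BLOCK:
        raise ValueError("bad length")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return iv + out


def cbc_decrypt(key, ciphertext):
    prev, out = ciphertext[:BLOCK], b""
    for i in range(BLOCK, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, cur), prev)
        prev = cur
    return unpad(out)


def make_padding_oracle(key):
    """The defect: the decryptor reveals to the caller whether padding was valid."""
    def oracle(ciphertext):
        try:
            cbc_decrypt(key, ciphertext)
            return True
        except ValueError:
            return False
    return oracle


def recover_block(oracle, prev, target):
    """Recover one plaintext block using only the oracle, never the key."""
    inter = bytearray(BLOCK)  # block_decrypt(key, target), learned byte by byte
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        for guess in range(256):
            forged = bytearray(BLOCK)  # used as the IV for a one-block ciphertext
            forged[pos] = guess
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ padval  # force already-known trailing bytes to padval
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:
                # Rule out an accidental longer padding (e.g. 02 02) by disturbing the
                # byte before the last one; genuine 01 padding still passes.
                forged[pos - 1] ^= 1
                if not oracle(bytes(forged) + target):
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("oracle never accepted a guess")
    return _xor(bytes(inter), prev)


def padding_oracle_attack(oracle, ciphertext):
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b"".join(recover_block(oracle, p, c) for p, c in zip(blocks, blocks[1:]))
    return unpad(recovered)


def demo(message=b"DM: meet at 9, bring the docs"):
    key = os.urandom(16)  # constructed: the attacker side never reads this key
    ciphertext = cbc_encrypt(key, os.urandom(BLOCK), pad(message))
    return padding_oracle_attack(make_padding_oracle(key), ciphertext)


if __name__ == "__main__":
    print(demo())
```

Each recovered byte costs at most 256 oracle queries, so a whole message falls in a few thousand queries. The fix is to authenticate the ciphertext (an authenticated mode or an encrypt-then-MAC construction) and to return one uniform failure for any rejected message, so that the padding check no longer leaks anything.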

Critics on Twitter pointed to the current lack of HTTPS between CrypTweet and its public key server, which leaves anyone on the network path free to substitute their own public key for the intended recipient's, and to the all-encompassing permissions that CrypTweet requires to use Twitter's API, although the latter is forced by that API's lack of granularity: granting read-write access to a Twitter user's DMs automatically grants access to everything else.

The project doesn't use modern software development tools such as a public source code repository like GitHub, and it has no documented API.

"Encrypting Tweets is like installing Linux on a toaster. I'm happy for you, though," tweeted cynical mobile developer Leslie Nassar.

Nassar has a point. Encrypting DMs wouldn't make much difference if the sender's or receiver's device, or the key server itself, had been compromised, and mobile devices are increasingly the target of sophisticated malware.

However other commenters considered CrypTweet "a nice initial attempt" and noted that the project's "broader motivation is to bring crypto to services that people are using, not the other way round".

Pesce understands that CrypTweet has flaws, and has released the code at this early stage precisely so that experts can help improve it.

"There are bright folks who know lots more about cryptography than I do. They'll be able to spot the flaws and holes in CrypTweet. I'm hoping they can share their findings so those holes can be closed," Pesce said.

CrypTweet requires Python 2.6 or later, but not Python 3. No additional packages are necessary.

Pesce reckons he spent around 70 to 100 hours developing CrypTweet over the past six weeks. The project was funded in part by a grant from the Shuttleworth Foundation.


Stories by Stilgherrian
