Securing a tweet

Contact: Wendy Nather

Whisper Systems has announced that it has been acquired by Twitter (appropriately enough, the news was tweeted). Terms of the acquisition were not disclosed, but given Whisper’s emphasis on Google Android security, we expect that the deal was as much about the brains behind the technology as it was about the tools themselves. Whisper’s products include WhisperCore, a set of functions for data and network encryption as well as permissions management; WhisperMonitor, an Android-based firewall for mobile devices; Flashback, a cloud-based secure backup service for Android data; TextSecure, a facility for encrypting SMS messages on the fly; and RedPhone, an encryption function for voice that saw heavy use by activists during Egypt’s political uprising.

Twitter has inked 15 transactions, but this is the first one that focuses on security, and it’s in an area that appears to add real gravitas to the communications technology: it’s not just for ensuring that your Uncle Fred can’t accidentally get to your status updates. Mobile devices and protection against regimes make a solid combo, and they bolster Twitter’s use as a real-time reporting system. It’s not clear how many of the current products will remain viable under Twitter’s control, but the reasoning behind the choice of Whisper, as opposed to any number of other mobile device security startups, seems pretty clear.

But we find this deal even more interesting because one of Whisper’s founders, security researcher Moxie Marlinspike, has also been making the conference rounds discussing a well-known problem: Internet-wide trust in the domain name system (DNS) and SSL infrastructure. Certificate authorities that underpin transactions over the Internet have increasingly been attacked directly (with COMODO and DigiNotar being prime examples; the latter went bankrupt as a result of its breach), and DNS-based attacks are on the rise. Marlinspike not only points out the inherent design problems in the trust-based system, but has also proposed the most plausible solution: overhauling the structure into a new system he has dubbed Convergence. When you have access to an Internet security architect of Marlinspike’s caliber, you don’t let it go to waste. We’ll be watching for new developments on a possibly more fundamental level than just secure text messaging for Tweets.