CrypTweet: Experimental Twitter Encryption

CrypTweet: Experimental Encryption for Twitter

CrypTweet is a collection of Python programs designed to work together, using RSA public-key cryptography so that anyone can send you an encrypted direct message (DM), but only you can read it.

After the treatment that Jacob Appelbaum and others have received at the hands of the government of the United States of America, it has become clear that Twitter users require a secure communication channel: one that, even when subpoenaed, would not easily give up its secrets.

The solution is obvious: strong encryption.

IMPORTANT: CrypTweet Security Flaws Identified

After CrypTweet's release on 20 February 2012, a number of people examined the code and indicated that it has security flaws. The flaws identified thus far are:

This means that CrypTweet, in the words of one reviewer, is 'a toy'. It does not provide real security, just the illusion of security.

CRYPTWEET IS NOT SUITABLE FOR SENSITIVE USES.
IT IS AN EXPERIMENT.

With the assistance of the cryptographic community, I hope to correct the identified shortcomings in the next version of CrypTweet. Cryptographic software is neither easy to design nor easy to review, so it may be some time before CrypTweet is deemed appropriate for securing sensitive information. That is the eventual goal.

License

CrypTweet is distributed under the MIT License, a very permissive, GPL-compatible, open source license. Please use it, reuse it, and fork it as you see fit!

Thanks and credits

I am deeply indebted to and dependent on the fine folks who wrote the bottle, RSA, pyDes, twitter and pyasn1 modules. This work would not exist without theirs. Many thanks to my long-suffering alpha testers: kcarruthers, RealNickHodge, stilgherrian, danoot, wyld, ZenPsycho, sylmobile, rossdawson and embee.

This work was funded in part by a generous grant from the Shuttleworth Foundation, which was engineered by the very busy and creative Paul Gardner-Stephen. I am indebted to both.

@mpesce - last updated 21 February 2012

Frequently Asked Questions

How Cryptweet Works

Coming soon!

Warnings, Known Problems & Caveats

Multiple installations

If you want to install CrypTweet on multiple computers, you must migrate your public and private keys. There will be tools to do this -- but they aren't finished yet. For now, go into your home directory and look for the two files:

Copy these two files to the home directory of the machine you plan to install CrypTweet upon. Run python ctsetup.py on the new machine. The setup will use the existing keys, but you will still have to authorize that machine to read your Twitter Direct Messages.

Why does CrypTweet send several DMs?

You may notice that a single direct message becomes 3 encrypted direct messages. This is because the RSA key size is 3072 bits (384 characters) in length, which makes it very secure, and every encrypted message is that size. That is three direct messages' worth of text, so one direct message, once encrypted, is transmitted as three that the receiver reassembles before decrypting.
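As an added illustration (not CrypTweet's own code), here is how a 384-character ciphertext is split across three 140-character DMs and reassembled on the receiving side, including out-of-order arrival and a missing piece. The "index/count " header is an assumed format, since the page does not document CrypTweet's real wire format, and the ciphertext is a constructed stand-in.

```python
import re

DM_LIMIT = 140   # Twitter's direct-message length limit at the time
RSA_BITS = 3072  # CrypTweet's RSA key size; a ciphertext is RSA_BITS / 8 bytes

# Assumed fragment header "<index>/<count> " (hypothetical: the page does not
# document CrypTweet's real wire format).
_HEADER = re.compile(r"^(\d+)/(\d+) (.*)$", re.S)


def fragment(text, limit=DM_LIMIT):
    """Split one ciphertext string into DM-sized pieces, each with a header."""
    payload = limit - len("9/9 ")              # header is 4 chars while count < 10
    count = max(1, -(-len(text) // payload))   # ceiling division
    if count >= 10:
        raise ValueError("ciphertext too long for single-digit headers")
    return ["%d/%d %s" % (i + 1, count, text[i * payload:(i + 1) * payload])
            for i in range(count)]


def reassemble(dms):
    """Rebuild the ciphertext from fragments that may arrive out of order.

    Returns None if any fragment is missing, so the caller never tries to
    decrypt a truncated ciphertext.
    """
    parts, counts = {}, set()
    for dm in dms:
        m = _HEADER.match(dm)
        if not m:
            continue                            # an ordinary, unencrypted DM
        idx, count, body = int(m.group(1)), int(m.group(2)), m.group(3)
        counts.add(count)
        parts[idx] = body
    if len(counts) != 1:                        # nothing found, or mixed messages
        return None
    count = counts.pop()
    if set(parts) != set(range(1, count + 1)):
        return None                             # at least one DM is missing
    return "".join(parts[i] for i in range(1, count + 1))


# Constructed stand-in for a 3072-bit RSA ciphertext: 384 printable characters.
SAMPLE_CIPHERTEXT = "".join(chr(33 + (i * 7) % 90) for i in range(RSA_BITS // 8))

if __name__ == "__main__":
    dms = fragment(SAMPLE_CIPHERTEXT)
    print(len(dms), "direct messages of", [len(d) for d in dms], "characters")
    assert reassemble(reversed(dms)) == SAMPLE_CIPHERTEXT
    assert reassemble(dms[:2]) is None
```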

Installing on a jailbroken iPhone/iPad

CrypTweet is really intended to run entirely on your mobile device. While an Android port is underway, CrypTweet has already been tested on the Nokia N9 (running MeeGo, a flavour of Linux), and works flawlessly.

If you have a jailbroken iPhone or iPad, you can install CrypTweet, but it requires a newer version of Python than is available from the Cydia package manager. Here's a link to an iOS version of Python 2.6.5, ideal for running CrypTweet. Once it's correctly installed, you can install CrypTweet just as you would on any other computer, and it'll work.

Word of warning: Even on an iPhone 4S, decryption is not terribly fast. And all that math sucks down the battery quickly.

Something's broken? Found a bug?

If something dies on you (and it probably will; this is brand-new software), do me a favor and mail a bug report to mpesce@plexusproject.org. If you get a Python stack trace (assuming you know what that is), send it along in the body of the email; it will really help me solve problems more quickly.

All reports, suggestions, new uses, comments, improvements are welcome!

Common Bugs:

Installing CrypTweet

How do I install Cryptweet?

First, you will need a computer with a Python interpreter (version 2.6 or later, but not Python 3; download here). CrypTweet is designed to work with a basic Python installation. No additional packages are necessary, because CrypTweet comes with 'batteries included'.

Next, download Cryptweet (current version 0.03):

This is the only legitimate download site for CrypTweet.

Once you've downloaded the file, expand it. It will become a directory named 'cryptweet'.

Open a terminal on your computer: this is Terminal.app on OSX, or cmd.exe on Windows. From the terminal, change into the cryptweet directory. Once there, type the following command:

python ctsetup.py

When you hit return, CrypTweet will begin to run its setup. This setup does a few important things:

Once the setup has finished, you're ready to send and receive encrypted direct messages.

Using CrypTweet

Using the CrypTweet web service

CrypTweet comes with its own web service, which allows you to both read and send encrypted messages from within your favorite web browser. On Linux or OSX, start the web service by typing the following at the command line:

python ct.py

In a few moments, the web service will start, and the command line prompt will return.

On Windows 7, type

python ctwww.py nodaemon

When you hit enter, the web server will start up. It will print messages to the command window until you shut it down with Control-C.

At this point, open a web browser and go to http://localhost:8080/

If everything is working, you should see something that looks like this:

We'll start by sending an encrypted Direct Message. Click on the "Send Message" area, and you will see a screen requesting a Twitter username for the recipient of this Direct Message:

Enter the Twitter user name of the recipient - note that this is CASE SENSITIVE, so make sure you type it in exactly as it appears in Twitter. Submit the name, and you'll then be presented with a text box where you can type in the message:

Hit submit, and CrypTweet will send the encrypted Direct Message off to the recipient. Once the message has been transmitted, return to the home screen. Now we'll read any encrypted Direct Messages that others have sent us. Click on the "Read Messages" area, and you'll now be challenged for the four passwords you set up earlier:

Select whether you want to get the last few encrypted direct messages (if any), or whether you want to read a lot of them. Decrypting messages takes a long time, so the more messages you ask for, the longer you will wait for them to appear. When you hit the "Submit" button, CrypTweet will go away for a while (as long as a minute or more) as it reads the Direct Messages in, decrypts them, and builds a page with the decrypted messages. Be patient. Eventually you'll see the messages:

To shut down the CrypTweet web service on Linux or OSX, type the same command that started it:

python ct.py

On Windows 7, use a control-C keypress within the command window to stop the web service.

That's it. If you can master this, you can use CrypTweet!

Setting the port number and hostname

While the default settings for the CrypTweet web service will work for most people, some folks already have web services running, and CrypTweet might conflict with them. If this is the case, there are two command line options which might help you resolve those conflicts.

python ct.py [-p portnumber -n hostname]

You can provide any valid port number and hostname on the command line, and the web service will attempt to use them. If the web service finds a conflict, use different settings and try again.

For example, if you wanted to use port 8085 on host plexusproject.org, this is the command you would use:

python ct.py -p 8085 -h plexusproject.org

You would then point your browser to http://plexusproject.org:8085/ to use the CrypTweet web service. This means that you could run CrypTweet on a machine other than the one under your fingertips, accessing your encrypted direct messages remotely, but this is a huge security risk (someone who can tap the network could read the decrypted messages as they travel to your browser) and is NOT RECOMMENDED.

Command-line interface

Sending encrypted messages

To send an encrypted direct message, go to the terminal and type:

python cttx.py [-u username -f -m "Message text"]

The program will ask for the Twitter username of the recipient. If you do not have a public key for that user, the program will ask the keyserver for that user's public key. Once you've got the key, the program will ask you to type the message you'd like to send. Keep it to 140 characters; the program will truncate messages longer than that. When you're finished, hit return and the program will encrypt your message and send it off to that user.

NOTE: If the recipient is not following you, you will not be able to send the message.

As an experiment, try sending an encrypted message to yourself:

python cttx.py
Twitter Username of Recipient: mpesce
Message to encode: This is a test of Cryptweet. Hope it works!

You can provide the username on the command line, and even the entire text of the message to be encrypted, so the entire command can be automated within a script. If you want to force a lookup of a user's key from the public keyserver, use the -f flag. That's useful if someone has changed their private key -- without their new public key, they won't be able to read the encrypted messages you send them!

Receiving encrypted messages

To receive your encrypted direct messages, go to the terminal and type:

python ctrx.py [-p1 password1 -p2 password2 -p3 password3 -p4 password4]

If there are any encrypted direct messages to be decoded, the program will ask for the four passwords you created during the setup process, using them to unlock your private key. Once unlocked, the private key is used to decrypt your messages. For example, if you sent a message to yourself as above, it might look like this:

python ctrx.py
Password One:
Password Two:
Password Three:
Password Four:
mpesce: This is a test of Cryptweet. Hope it works!

The program displays the username of the sender followed by the decoded text.

You can include any or all of the four passwords on the command line. CrypTweet will ask for the passwords that have not been supplied.

Note: Putting the passwords in a script saves typing, but makes your private key much less secure. Do this at your own risk.