sfs8 pt1
Dave Howe
ukcrypto at chiark.greenend.org.uk
Mon, 22 Sep 2008 12:44:26 +0100
Ian G Batten wrote:
> On 28 Aug 2006, at 15:48, Dave Howe wrote:
>> TBH I haven't looked at the process of negotiating a session key,
>> but had assumed it was recoverable if you had the secret key from
>> the server; if this is not the case, then there isn't really a
>> scenario where the police can take intercepted https traffic to a
>> bank and successfully demand to see the plaintext.
> It's not recoverable, unless one party retains the ephemeral key.
> Provided both ends of the communication want the connection to offer
> perfect forward secrecy, it offers perfect forward secrecy.
> Clearly, if one end `collaborated' (or is this `defected'?) and
> retained the ephemeral key, that's the ballgame. I'm pretty
> certain that recording or subverting the randomness one end generated
> plus recording all the communications it received from the other end
> would be sufficient.
Revisiting a *really* old post here, but I was just playing with Wireshark
and noticed that, given the server's private key and a packet capture
(no MitM or knowledge of the key during the capture), it will quite
happily decrypt the content of packets for you.
I duplicated this using a stock Apache 2.2 server (current release) plus
several variations of IE and Firefox. I haven't looked at the source to
see why this is yet (given I suspect my employers may object to me
spending work hours understanding source), but the implications worry me.
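An added illustration of the two handshake shapes being discussed (this is example code written for this page, not anything from the thread or from Wireshark): with an RSA-key-transport cipher suite the premaster secret crosses the wire encrypted to the server's long-term key, so a capture plus that key is enough to decrypt offline; with an ephemeral Diffie-Hellman suite the long-term key only signs, and the observer is left with a discrete log. The RSA key, the DH group and the hash-based stand-in for the TLS PRF are all constructed toy values.

```python
import hashlib
import secrets

# Constructed toy RSA key standing in for the server's long-term key
# (real TLS keys are 2048+ bits; these numbers are for illustration only).
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # server's private exponent


def derive_session_key(premaster, client_random, server_random):
    """Stand-in for the TLS PRF: the two randoms are visible on the wire,
    so the premaster secret is the only input an observer lacks."""
    return hashlib.sha256(b"%d|%d|%d" % (premaster, client_random, server_random)).hexdigest()


def rsa_key_exchange(premaster, client_random, server_random):
    """TLS_RSA_* style handshake: the client encrypts the premaster secret to
    the server's public key. Returns what a passive capture would contain."""
    return {"client_random": client_random, "server_random": server_random,
            "client_key_exchange": pow(premaster, E, N)}


def passive_decrypt_rsa(transcript, server_private_exponent):
    """Offline recovery from capture + server private key, no MitM during
    the session: the premaster decrypts directly, then keys derive as usual."""
    premaster = pow(transcript["client_key_exchange"], server_private_exponent, N)
    return derive_session_key(premaster, transcript["client_random"],
                              transcript["server_random"])


def dhe_key_exchange(client_random, server_random, p=23, g=5):
    """TLS_DHE_* style handshake in a constructed toy group: each side picks a
    fresh exponent and discards it; the RSA key would only sign g^b here."""
    a, b = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1
    A, B = pow(g, a, p), pow(g, b, p)
    premaster = pow(B, a, p)            # server computes the same pow(A, b, p)
    transcript = {"client_random": client_random, "server_random": server_random,
                  "dh_p": p, "dh_g": g, "A": A, "B": B}
    return transcript, derive_session_key(premaster, client_random, server_random)


def passive_decrypt_dhe(transcript, server_private_exponent):
    """Same observer, same server key (unused: it decrypts nothing here). The
    only route is a discrete log on A, trivial in this toy group and infeasible
    in a real 2048-bit group, which is what forward secrecy buys."""
    p, g, A, B = (transcript[k] for k in ("dh_p", "dh_g", "A", "B"))
    for a in range(1, p - 1):
        if pow(g, a, p) == A:
            return derive_session_key(pow(B, a, p), transcript["client_random"],
                                      transcript["server_random"])
    return None
```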