scary certificate for

Ian Batten igb at
Tue Jun 19 09:23:21 BST 2012

On 19 Jun 2012, at 00:37, Peter Fairbrother wrote:

> Ian Batten wrote:
>> But the moment there is the slightest suggestion that your hypothesis
>> is true, PFS is there to thwart it.  
> That's just the ephemeral DHE key exchange I talked about a day or so ago.
> It may well thwart it - but it isn't commonly, or even often, used.

But Google are using it over their entire estate.  Every Google service I could immediately think of to contact with https reports "The connection is encrypted using RC4_128, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism."  Gmail forces https these days, and there are encrypted versions of all the other major Google apps, including search.  They use EC DH, and therefore they offer PFS.

Yes, the ability to break certificates in reasonable time isn't useless even in the face of PFS: you would have access to traffic you could MITM for the lifetime of the keys less the lead time to perform the break.  So if you could break a key in a week, but certificates rolled over every two years, you'd have 99% coverage.  

But with ECDHE, as I understand it, you have to MITM the connection: passively snooping the traffic isn't enough, even if you know the private part of all the certificates in use.  It might be possible to do that for targeted individuals without news getting out: doing it on a wider basis without getting caught would be impossible.
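
The distinction drawn in the message above, as an added example that is not part of the original post: a recorded RSA key-transport handshake gives up its session secret once the certificate key is known, while a recorded signed ephemeral Diffie-Hellman handshake does not, and only an in-path substitution does. All parameters are constructed toy values (finite-field DH stands in for ECDHE) and every function name is hypothetical.

```python
import hashlib
import secrets

# Constructed toy parameters: far too small for real use, picked so this runs instantly.
RSA_P, RSA_Q, E = 2**61 - 1, 2**31 - 1, 65537
N = RSA_P * RSA_Q
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))   # the certificate's private exponent
DH_P, DH_G = 2**127 - 1, 3                   # toy Diffie-Hellman group


def digest(value: int) -> int:
    """Hash an integer down to something the toy RSA key can sign."""
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % N


def rsa_key_transport():
    """Client encrypts the session secret to the certificate key (no PFS)."""
    secret = secrets.randbelow(N - 2) + 2
    return secret, {"encrypted_secret": pow(secret, E, N)}  # dict = bytes on the wire


def signed_ephemeral_dh():
    """Both sides use throwaway DH keys; the certificate key only signs B."""
    a = secrets.randbelow(DH_P - 3) + 2
    b = secrets.randbelow(DH_P - 3) + 2
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    wire = {"A": A, "B": B, "sig": pow(digest(B), D, N)}
    assert pow(wire["sig"], E, N) == digest(B)   # the client's signature check
    return pow(B, a, DH_P), wire, (a, b)


def recover_from_recording(wire, leaked_d):
    """What a passive recorder can compute once the certificate key is known."""
    if "encrypted_secret" in wire:
        return pow(wire["encrypted_secret"], leaked_d, N)
    # Signed DH: leaked_d can only reproduce the signature. The exponents a and b
    # never crossed the wire, so the recording yields no session secret.
    return None


def active_substitution(client_A, leaked_d):
    """An in-path party must swap in its own signed B to share a secret."""
    m = secrets.randbelow(DH_P - 3) + 2
    B_fake = pow(DH_G, m, DH_P)
    sig = pow(digest(B_fake), leaked_d, N)
    return pow(client_A, m, DH_P), B_fake, sig
```

The substituted `B_fake` differs from the server's real `B`, which is the visible change that makes the active case detectable where the passive one is not.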


More information about the ukcrypto mailing list