Feds put heat on Web firms for master encryption keys

[Riad S. Wahby]

Adam Back <adam at cypherspace.org> wrote:
> Forward secrecy is a good step, and its confusing why not everyone is using
> it.

At a guess, I'd say a mix of laziness, inconsistent (client and server)
software support, and worries about additional CPU overhead.

Really high traffic sites are incentivized to use the least resource
intensive SSL algorithms they can, and generally speaking the forward
secrecy algorithms take more CPU time and more entropy for key exchange.
How many web servers these days are running on VMs like AWS where
entropy is a precious resource?

Apache 2.2 and earlier, without specific patches, didn't support forward
secrecy for a majority of browsers. I had to pull Apache 2.4 out of Sid
on the cpunks.org machine to get forward secrecy working with all modern
browsers.

Speaking of browsers, there are still a huge number of really old
browsers out there that won't or can't (corporate policy, et cetera) be
updated any time in the near future. Turning off non-FS algos breaks SSL
for a *lot* of people.

Oh, and don't forget, OpenSSL 0.98(ish) and before didn't support the FS
algorithms. So the many servers where OpenSSL isn't getting upgraded any
time soon can't do it either.

Even if you do happen to have a conforming version of the appropriate
software server-side, you've still got to worry about actually setting
up the key order preferences appropriately. Few if any vendors are
shipping default configs that enable FS.

At least this last one is something we stand a chance of changing,
though: perhaps a start would be to submit bugs against the web server
packages from the usual suspects (debian et al) asking them to turn on
forward secrecy by default?

-=rsw