[zs-p2p] Forward Secrecy

Bill Stewart bill.stewart at pobox.com
Fri Jul 26 14:43:33 PDT 2013


At 07:24 AM 7/25/2013, Bryce Lynch wrote:
> > Yet note, Dec, a provider simply logging the session keys is
> > still possible.
> On the server side, or in their production networks?

A web server (or SSL box in front of a web server) could 
theoretically log session keys, even with "Perfect" Forward Secrecy.
After all, both ends of the Diffie-Hellman exchange do get the actual 
shared session key (which is the point of the exchange :-), and it 
would be possible to save it in addition to using it.  From a 
security perspective, it'd be a really bad idea to do so, and AFAICT 
there's no useful business purpose for doing so, and you're not going 
to be able to pay Peter Gutmann enough to modify OpenSSL to do that, 
but one of the fun things about security of open source software is 
that some miscreant could easily do it themselves, using the 
modules that are already available, and position it as a "feature" 
that lets you support efficient load-balancing across multiple web 
servers in a single session, with an "auditing" or "debugging" 
feature to let you be sure the load-balancing is implemented 
successfully in your cloud.  (And oops, the UI feature that turns off 
debugging didn't get implemented in this sprint.)
