[zs-p2p] Forward Secrecy
Bill Stewart
bill.stewart at pobox.com
Fri Jul 26 14:43:33 PDT 2013
At 07:24 AM 7/25/2013, Bryce Lynch wrote:
> > Yet note, Dec, a provider simply logging the session keys is
> still possible.
>On the server side, or in their production networks?
A web server (or SSL box in front of a web server) could
theoretically log session keys, even with "Perfect" Forward Secrecy.
After all, both ends of the Diffie-Hellman exchange do get the actual
shared session key (which is the point of the exchange :-), and it
would be possible to save it in addition to using it. From a
security perspective, it'd be a really bad idea to do so, and AFAICT
there's no useful business purpose for doing so, and you're not going
to be able to pay Peter Gutmann enough to modify OpenSSL to do that,
but one of the fun things about security of open source software is
that some miscreant could easily do it themselves, using the
modules that are already available, and position it as a "feature"
that lets you support efficient load-balancing across multiple web
servers in a single session, with an "auditing" or "debugging"
feature to let you be sure the load-balancing is implemented
successfully in your cloud. (And oops, the UI feature that turns off
debugging didn't get implemented in this sprint.)
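The scenario above, as an added example that is not part of the original post: a toy ephemeral Diffie-Hellman handshake in which client and server both derive the session key, the server throws away its private exponent (the thing forward secrecy relies on) but appends the derived key to a "debug" log, and a passive recorder who later obtains that log decrypts the captured session. The group (p = 2^127 - 1), the HMAC-based key derivation and the SHA-256 stream cipher are assumptions made for illustration only and are not TLS; the names `Server`, `run_session`, `recover_from_log` and `demo` are this example's own.

```python
"""Why "perfect" forward secrecy does not survive an endpoint that logs
session keys.  Added example, not code from the original post; the DH
group, key schedule and stream cipher are toy constructions for
illustration, not TLS.

Both sides of an ephemeral Diffie-Hellman exchange compute the same
shared secret.  Forward secrecy only means the private exponents are
thrown away after the handshake, so a recording of the wire traffic is
useless later.  A server that also writes the derived session key to a
"debug" log hands that recording's key to whoever obtains the log."""
import hashlib
import hmac
import secrets

# Toy group (assumption): p = 2**127 - 1 is prime but far too small for
# real use.  Real stacks use RFC 7919 finite-field groups or X25519.
P = 2**127 - 1
G = 5
FIELD_BYTES = 16


def dh_keypair():
    """Ephemeral exponent in [2, p-2] and its public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret, rejecting the degenerate values 0, 1 and p-1."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def derive_session_key(shared, transcript):
    """Bind the key to the public transcript (toy stand-in for a TLS KDF)."""
    return hmac.new(transcript, shared.to_bytes(FIELD_BYTES, "big"),
                    hashlib.sha256).digest()


def keystream_xor(key, data):
    """Toy stream cipher: XOR with SHA-256(key || block offset)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class Server:
    """Server whose 'debug' misfeature appends every session key to a log."""

    def __init__(self, log_keys):
        self.log_keys = log_keys
        self.key_log = []   # (transcript, session_key) pairs

    def handshake(self, client_pub):
        priv, pub = dh_keypair()
        transcript = (client_pub.to_bytes(FIELD_BYTES, "big")
                      + pub.to_bytes(FIELD_BYTES, "big"))
        key = derive_session_key(dh_shared(priv, client_pub), transcript)
        del priv                      # the ephemeral exponent is gone...
        if self.log_keys:
            self.key_log.append((transcript, key))   # ...but the key is not
        return pub, key


def run_session(server, plaintext):
    """One client session; returns what a passive recorder on the wire sees."""
    client_priv, client_pub = dh_keypair()
    server_pub, server_key = server.handshake(client_pub)
    transcript = (client_pub.to_bytes(FIELD_BYTES, "big")
                  + server_pub.to_bytes(FIELD_BYTES, "big"))
    client_key = derive_session_key(dh_shared(client_priv, server_pub), transcript)
    assert client_key == server_key        # both ends hold the same key
    ciphertext = keystream_xor(client_key, plaintext)
    return transcript, ciphertext          # public values and ciphertext only


def recover_from_log(key_log, transcript, ciphertext):
    """Later: match the recorded handshake against the leaked key log."""
    for logged_transcript, key in key_log:
        if logged_transcript == transcript:
            return keystream_xor(key, ciphertext)
    return None


def demo(log_keys, plaintext=b"GET /account HTTP/1.1"):
    """Plaintext a recorder recovers from the server's key log, or None."""
    server = Server(log_keys)
    transcript, ciphertext = run_session(server, plaintext)
    return recover_from_log(server.key_log, transcript, ciphertext)


if __name__ == "__main__":
    print("key logging on :", demo(True))
    print("key logging off:", demo(False))
```

With logging on, `demo(True)` returns the plaintext even though no private exponent survived the handshake; with logging off it returns `None`, because the recorded transcript contains only public values. The practical check is on the server side, not the wire: real stacks do expose this hook (OpenSSL 1.1.1 has `SSL_CTX_set_keylog_callback`, and Python's `ssl.SSLContext.keylog_filename` writes the NSS key log format that Wireshark reads), so an audit of a production TLS terminator should confirm no such callback or `SSLKEYLOGFILE`-style setting is active.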
More information about the cypherpunks
mailing list