Google Enables Forward Secrecy For HTTPS Services
Last year Google started to push the HTTPS protocol on many of their services, which basically meant that users always connected to the HTTPS version of the site regardless of their own preference. Before that, HTTPS was only an option in a service's settings. Gmail users, for instance, have been able to enable HTTPS for their account since 2008, which basically forced the use of HTTPS for that connection.
HTTPS encrypts the traffic between the user's computer and the server. The core benefit here is that it protects the data from network snooping. That's handy if you are using a public computer, are on a computer network or do not want your ISP or your boss to find out what you are doing on a particular site that has HTTPS enabled.
Yesterday Google announced that they have enabled forward secrecy by default.
Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic.
Forward secrecy requires that the private keys for a connection are not kept in persistent storage. An adversary that breaks a single key will no longer be able to decrypt months’ worth of connections; in fact, not even the server operator will be able to retroactively decrypt HTTPS sessions.
Perfect forward secrecy basically makes sure that private keys an attacker obtains in the future cannot be used to compromise data that has been recorded in the past.
Forward secrecy has been enabled for Google Mail (Gmail) and other Google services that use HTTPS, including SSL search, Google Docs and Google+.
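In practice a connection is forward secret when the negotiated cipher suite uses an ephemeral (EC)DHE key exchange rather than RSA key transport or static DH. The following added example (not code from Google's announcement or from this article) classifies suite names that way and can report what a server negotiates; the sample list is constructed, and the function names are hypothetical.

```python
import socket
import ssl

# TLS 1.3 suite names carry no key-exchange field; a full TLS 1.3
# handshake always uses ephemeral (EC)DHE.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}  # EDH is OpenSSL's older spelling of DHE


def is_forward_secret(suite: str) -> bool:
    """True if the suite name (OpenSSL or IANA style) uses ephemeral DH."""
    if suite in TLS13_SUITES:
        return True
    name = suite.upper().replace("_", "-")
    if name.startswith("TLS-"):
        name = name[4:]
    # The first token is the key exchange: ECDHE-RSA-..., DHE-RSA-...,
    # RSA-WITH-... A bare cipher such as AES128-SHA means RSA key transport,
    # and ECDH-/DH- (no trailing E) are static, so neither is forward secret.
    return name.split("-")[0] in EPHEMERAL_KX


def not_forward_secret(suites):
    """Return the suites from the list that lack forward secrecy."""
    return [s for s in suites if not is_forward_secret(s)]


def negotiated_suite(host: str, port: int = 443):
    """Connect to a server and report (suite name, protocol, forward secret?)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
    return name, protocol, is_forward_secret(name)


# Constructed sample of a server's enabled suites, not taken from any real host.
SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA", "AES128-SHA",
    "ECDH-RSA-AES128-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    print("No forward secrecy:", not_forward_secret(SAMPLE))
```

Calling `negotiated_suite` against your own server shows which suite a default Python client actually ends up with, which is what determines whether a recorded session could later be decrypted with the server's long-term key.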
The only browsers currently supported are Google Chrome and Firefox on all platforms and Microsoft's Internet Explorer on Vista or later.
Google has also made available the work that they did on the open source OpenSSL library that made the implementation of forward secrecy possible. You can read the original announcement over at the Google Online Security blog.