Google Enables Forward Secrecy For HTTPS Services - gHacks Tech News

Google Enables Forward Secrecy For HTTPS Services

Last year Google started to push the HTTPS protocol on many of their services, which meant that users always connected to the HTTPS version of the site regardless of their own preference. Before that, HTTPS was only an option in a service's settings. Gmail users, for instance, have been able to enable HTTPS for their account since 2008, which forced the use of HTTPS for that connection.

HTTPS encrypts the traffic between the user's computer and the server. The core benefit here is that it protects the data from network snooping. That's handy if you are using a public computer, are connected to a computer network, or do not want your ISP or your boss to find out what you are doing on a particular site that has HTTPS enabled.

Yesterday Google announced that they have enabled forward secrecy by default.

Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic.

Forward secrecy requires that the private keys for a connection are not kept in persistent storage. An adversary that breaks a single key will no longer be able to decrypt months’ worth of connections; in fact, not even the server operator will be able to retroactively decrypt HTTPS sessions.


Perfect forward secrecy makes sure that private keys an attacker obtains in the future cannot be used to compromise data that has been recorded in the past.

Forward secrecy has been enabled for Google Mail (Gmail) and other Google services that use HTTPS, including SSL search, Google Docs and Google+.
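The difference between the two modes can be shown with a small simulation. This is an added example, not code from Google or from the original article: it uses a toy Diffie-Hellman group, a static key stands in for the non-forward-secret case, and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy group, constructed for illustration: 2**127 - 1 is a Mersenne prime and is
# far too small for real use. Real TLS uses ECDHE or DHE groups of 2048+ bits.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(my_priv, peer_pub):
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def handshake(long_term_priv, forward_secret):
    """Run one handshake; return (session key, values a passive recorder saw)."""
    client_priv, client_pub = keypair()
    if forward_secret:
        # Per-connection key: created here, never stored, gone after return.
        # (Real TLS also signs server_pub with the long-term key; omitted here.)
        server_priv, server_pub = keypair()
    else:
        # The long-term key itself takes part in key agreement.
        server_priv, server_pub = long_term_priv, pow(G, long_term_priv, P)
    key = session_key(client_priv, server_pub)
    assert key == session_key(server_priv, client_pub)  # both sides agree
    return key, {"client_pub": client_pub, "server_pub": server_pub}

def key_from_recording(recorded, long_term_priv):
    """Key derivable later from a recording plus the server's long-term key."""
    return session_key(long_term_priv, recorded["client_pub"])

def demo():
    """Map each mode to whether the recorded session is exposed afterwards."""
    long_term_priv, _ = keypair()
    exposed = {}
    for forward_secret in (False, True):
        key, recorded = handshake(long_term_priv, forward_secret)
        exposed[forward_secret] = key_from_recording(recorded, long_term_priv) == key
    return exposed

if __name__ == "__main__":
    print(demo())
```

With the static key, the recording plus the long-term key reproduces the session key; with per-connection keys it does not, because the secret that produced the session key no longer exists anywhere.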

The only browsers currently supported are Google Chrome and Firefox on all platforms and Microsoft's Internet Explorer on Vista or later.

Google has also made available the work that they did on the open source OpenSSL library that made the implementation of forward secrecy possible. You can read the original announcement over at the Google Online Security blog.






    Comments

    1. ilev said on November 23, 2011 at 10:58 am

      What good is it if SSL and TLS 1.0 are broken and browsers like Firefox 8, IE9, don’t support TLS 2.0?

    2. ódio said on November 23, 2011 at 12:13 pm

      the title says HTPS instead of HTTPS

      1. Martin Brinkmann said on November 23, 2011 at 12:44 pm

        Well spotted, thanks and corrected.

    3. Yoav said on November 23, 2011 at 1:05 pm

      That’s great for privacy but what metrics can replace search keywords? That is a lot of valuable information that Google is locking up – what are webmasters, like you, doing to deal with that? What should regular bloggers do?

      1. Martin Brinkmann said on November 23, 2011 at 1:46 pm

        Good question. Nothing really that you can do about it. Oh, and Google could care less about what webmasters see. A side effect for them is that it promotes their Google Webmaster Tools service and reduces the functionality of competitive analytic services. Google will probably enable a workaround for Google Analytics (is not that already the case for Google Analytics Pro? Costs 250k per year though so not really something that a lot of webmasters or even companies are willing to pay).

        1. Yoav said on November 23, 2011 at 4:36 pm

          I’m just surprised there hasn’t been a lot more backlash on this issue. After all, as a Google user we provide it with information. In return, why should we not be able to use this information, as bloggers for instance? Why does Google get exclusive rights to information we provide it with as users?
          On the other hand, I am liking the privacy this provides.
