Google Enables Forward Secrecy For HTTPS Services

Martin Brinkmann
Nov 23, 2011
Updated • Dec 10, 2012

Last year Google started to push the HTTPS protocol on many of its services, which meant that users always connected to the HTTPS version of a site regardless of their own preference. Before that, HTTPS was only an option in a service's settings. Gmail users, for instance, have been able to enable HTTPS for their account since 2008, which forced the use of HTTPS for that connection.

HTTPS encrypts the traffic between the user's computer and the server. The core benefit is that it protects the data from network snooping. That's handy if you are using a public computer, are connected to a computer network, or do not want your ISP or your boss to find out what you are doing on a particular site that has HTTPS enabled.

Yesterday Google announced that they have enabled forward secrecy by default.

Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic.

Forward secrecy requires that the private keys for a connection are not kept in persistent storage. An adversary that breaks a single key will no longer be able to decrypt months’ worth of connections; in fact, not even the server operator will be able to retroactively decrypt HTTPS sessions.


Perfect forward secrecy makes sure that private keys an attacker obtains in the future cannot be used to compromise data that has been recorded in the past.

Forward secrecy has been enabled for Google Mail (Gmail) and other Google services that use HTTPS, including SSL search, Google Docs and Google+.
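The difference can be shown with a toy model (an added example, not code from Google or from the original article). It compares a handshake that encrypts the session secret to the server's long-term RSA key with an ephemeral Diffie-Hellman handshake, then applies the leaked long-term key to each recorded transcript. All parameters and function names are constructed for illustration and are far too small for real use.

```python
import hashlib
import secrets

# Toy parameters constructed for this illustration; far too small for real use.
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1        # two Mersenne primes
N, E = RSA_P * RSA_Q, 65537                # server's long-term public key
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))  # server's long-term private key
DH_P, DH_G = 2**127 - 1, 3                 # toy Diffie-Hellman group


def kdf(secret: int) -> bytes:
    """Derive a 32-byte session key from a shared secret."""
    return hashlib.sha256(str(secret).encode()).digest()


def rsa_key_transport():
    """Non-forward-secret handshake: the secret is encrypted to the server key."""
    premaster = secrets.randbelow(N - 2) + 2
    transcript = {"encrypted_premaster": pow(premaster, E, N)}  # seen on the wire
    return transcript, kdf(premaster)


def ephemeral_dh():
    """Forward-secret handshake: both sides use throwaway private exponents."""
    a = secrets.randbelow(DH_P - 3) + 2    # client ephemeral private value
    b = secrets.randbelow(DH_P - 3) + 2    # server ephemeral private value
    server_share = pow(DH_G, b, DH_P)
    transcript = {
        "client_share": pow(DH_G, a, DH_P),
        "server_share": server_share,
        # The long-term key only signs the server share (authentication).
        "signature": pow(int.from_bytes(kdf(server_share), "big") % N, D, N),
    }
    session_key = kdf(pow(transcript["client_share"], b, DH_P))
    return transcript, session_key         # a and b are discarded, never stored


def decrypt_later(transcript: dict, leaked_d: int, real_key: bytes) -> bool:
    """Apply a leaked long-term key to every recorded handshake value and
    report whether any result reproduces the session key."""
    candidates = [kdf(pow(value, leaked_d, N)) for value in transcript.values()]
    return real_key in candidates
```

With the RSA transcript the leaked key reproduces the session key; with the ephemeral transcript it does not, because nothing on the wire was ever encrypted to the long-term key.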

The only browsers currently supported are Google Chrome and Firefox on all platforms and Microsoft's Internet Explorer on Vista or later.

Google has also made available the work that they did on the open source OpenSSL library that made the implementation of forward secrecy possible. You can read the original announcement over at the Google Online Security blog.




  1. Yoav said on November 23, 2011 at 1:05 pm

    That’s great for privacy but what metrics can replace search keywords? That is a lot of valuable information that Google is locking up – what are webmasters, like you, doing to deal with that? What should regular bloggers do?

    1. Martin Brinkmann said on November 23, 2011 at 1:46 pm

      Good question. Nothing really that you can do about it. Oh, and Google could care less about what webmasters see. A side effect for them is that it promotes their Google Webmaster Tools service and reduces the functionality of competitive analytic services. Google will probably enable a workaround for Google Analytics (is not that already the case for Google Analytics Pro? Costs 250k per year though so not really something that a lot of webmasters or even companies are willing to pay).

      1. Yoav said on November 23, 2011 at 4:36 pm

        I’m just surprised there hasn’t been a lot more backlash on this issue. After all, as a Google user we provide it with information. In return, why should we not be able to use this information, as bloggers for instance? Why does Google get exclusive rights to information we provide it with as users?
        On the other hand, I am liking the privacy this provides.

  2. ódio said on November 23, 2011 at 12:13 pm

    the title says HTPS instead of HTTPS

    1. Martin Brinkmann said on November 23, 2011 at 12:44 pm

      Well spotted, thanks and corrected.

  3. ilev said on November 23, 2011 at 10:58 am

    What good is it if SSL and TLS 1.0 are broken and browsers like Firefox 8 and IE9 don’t support TLS 2.0?
