On 09/07/2013 06:57 PM, james hughes wrote:
> PFS may not be a panacea but does help.

There's no question in my mind that PFS helps. I have, in the past, been very much in favor of turning on PFS support in various protocols, when it has been available. And I fully understand what the *purpose* of PFS is.
But it's not entirely clear to me that it will help enough in the scenarios under discussion. If we assume that mostly what NSA are doing is acquiring a site RSA key (either through "donation" on the part of the site, or through factoring or other means), then yes, absolutely, PFS will be a
If, however, they're getting session-key material (perhaps through back-doored software, rather than explicit cooperation by the target
PFS does nothing to help us. And indeed, that same class of compromised site could just as well be leaking plaintext. Although
keys is lower-profile.
I think all this amounts to a preamble for a call to think deeply, again, about end-to-end encryption. I used OTR on certain chat sessions, for example, because the consequences of the "server in the middle" disclosing the contents of those conversations protected by OTR could have dire
for one of the parties involved.
Jeff Schiller pointed out a little while ago that the crypto-engineering community have largely failed to make end-to-end encryption easy to use. There are reasons for that, some technical, some political, but it is absolutely true that end-to-end encryption, for those cases where "end to end" is the obvious and natural model, has not significantly materialized on the Internet. Relatively speaking, a handful of crypto-nerds use end-to-end schemes for e-mail and chat clients, and so on, but the vast majority of the Internet user-space? Not so much.
The cryptography mailing list