On 09/07/2013 06:57 PM, james hughes wrote:

PFS may not be a panacea but does help.

There's no question in my mind that PFS helps. I have, in the past, been very much in favor of turning on PFS support in various protocols, when it has been available. And I fully understand what the *purpose* of PFS is.

But it's not entirely clear to me that it will help enough in the scenarios under discussion. If we assume that mostly what NSA are doing is acquiring a site RSA key (either through "donation" on the part of the site, or through factoring or other means), then yes, absolutely, PFS will be a significant roadblock. If, however, they're getting session-key material (perhaps through back-doored software, rather than explicit cooperation by the target website), then PFS does nothing to help us. And indeed, that same class of compromised site could just as well be leaking plaintext, although leaking session keys is lower-profile.

I think all this amounts to a preamble for a call to think deeply, again, about end-to-end encryption. I used OTR on certain chat sessions, for example, because the "server in the middle" disclosing the contents of those conversations protected by OTR could have dire consequences for one of the parties involved.

Jeff Schiller pointed out a little while ago that the crypto-engineering community have largely failed to make end-to-end encryption easy to use. There are reasons for that, some technical, some political, but it is absolutely true that end-to-end encryption, for those cases where "end to end" is the obvious and natural model, has not significantly materialized on the Internet. Relatively speaking, a handful of crypto-nerds use end-to-end schemes for e-mail and chat clients, and so on, but the vast majority of the Internet user-space? Not so much.

The cryptography mailing list
