On 11.4.2014 10:52, André Warnier wrote:
3) if he has recorded past encrypted traffic to/from your server, and saved this recording, then he can at any time go back and decrypt this past traffic, and pick up anything interesting from there, even without having the new keys. Such a recording could contain, for example, any number of submits from HTML login pages, which were theoretically protected by being made on an encrypted channel. That could probably also contain any communications which your server did with other servers over encrypted channels.

... unless forward secrecy was utilized, which was pretty much invented to defeat future decryption of recorded traffic.

Forward secrecy was easy to set up on Linux with APR.

When tcnative 1.1.30 is released, it will be easy to set up on Windows with APR.

If issue 55988 [1] is resolved, it would also be possible to set it up on JSSE connectors with Java 8.

-Ognjen

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
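The setup Ognjen describes, as an added example (this is not code from the post, the Tomcat documentation or the tcnative project): two Tomcat HTTPS connector definitions for conf/server.xml, one for the APR/native connector and one for the JSSE (NIO) connector on Java 8, each restricted to ECDHE/DHE cipher suites so that a recorded session cannot be decrypted later with the server's long-term RSA key. Certificate and keystore paths, the port and the keystore password are placeholders; `useServerCipherSuitesOrder` is assumed to be the attribute that lands with the resolution of issue 55988, and the other attribute names are the ones the Tomcat 7/8 connector documentation uses.

```xml
<!-- Added example, not from the post or the Tomcat docs. Use ONE of these
     two connectors on a given port, not both. Paths, port and keystore
     password are placeholders. -->

<!-- APR/native connector (Linux, or Windows once tcnative 1.1.30 ships):
     OpenSSL cipher-list syntax. Only ECDHE/DHE key exchange is listed, so
     no suite with plain RSA key exchange can ever be negotiated. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/etc/tomcat/certs/server.crt"
           SSLCertificateKeyFile="/etc/tomcat/certs/server.key"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
           SSLHonorCipherOrder="true"
           SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!MD5:!RC4:!3DES" />

<!-- JSSE (NIO) connector on Java 8: JSSE cipher-suite names. AES-256 suites
     are left out because Java 8 needs the unlimited-strength JCE policy
     files for them. useServerCipherSuitesOrder is ASSUMED to be the
     attribute introduced by the fix for issue 55988; without it the client's
     preference picks among the listed suites, all of which are still
     forward-secret. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="changeit"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           useServerCipherSuitesOrder="true"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA" />
```

To check the result, connect with `openssl s_client -connect host:8443 -cipher ECDHE` and read the negotiated cipher from the output; a second attempt with `-cipher AES128-SHA` (RSA key exchange) should fail to complete the handshake, which is exactly the property that defeats later decryption of a recording. For the JSSE connector on Java 8, the DHE suites default to 1024-bit parameters unless the JVM is started with `-Djdk.tls.ephemeralDHKeySize=2048`; the ECDHE suites do not have that problem, which is one reason to list them first.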
