Andre,

On 12.4.2014 0:51, André Warnier wrote:
> Ognjen Blagojevic wrote:
>> On 11.4.2014 10:52, André Warnier wrote:
>>> 3) if he has recorded past encrypted traffic to/from your server, and saved
>>> this recording, then he can at any time go back and decrypt this past
>>> traffic, and pick up anything interesting from there, even without having
>>> the new keys.  Such a recording could contain, for example, any number of
>>> submits from HTML login pages, which were theoretically protected by being
>>> made on an encrypted channel. That could probably also contain any
>>> communications which your server did with other servers over encrypted
>>> channels.
>>
>> ... unless Forward secrecy was utilized, which is pretty much invented
>> to defeat future decryption of recorded traffic.
>>
>> Forward secrecy was easy to set up on Linux with APR.
>
> All agreed. But I was talking about existing recordings of past
> communications.
> Whatever is done from now on, would not help in that respect, would it?

I was also talking about past recordings. For example, let's say that you had a new server set up in e.g. the beginning of 2013, and you configured HTTPS (TLS) to support Forward Secrecy from the start. And let's say that some agency immediately started recording all your encrypted traffic, with the idea that it will be able to decrypt it in the future. And let's assume that the same agency found out about the Heartbleed bug at the beginning of 2014, before the general public. So they immediately obtained your private key. You find out about the same bug on 7.4.2014, and you replace your private key on the same day.

Now, it is clear that the agency was able to decrypt traffic from the beginning of 2014 (using MITM attack), but it should also be clear that although they have the private key of your server, and they have recorded all your conversations ever, they will not be able to decrypt conversations from 2013.

-Ognjen
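
The scenario in this message, as an added example that is not part of the original thread: a toy Python model comparing what a leaked long-term private key recovers from a passive recording of a static-RSA key exchange versus an ephemeral Diffie-Hellman one. The parameters are small constructed values and all function names are illustrative assumptions, not a TLS implementation.

```python
import hashlib
import secrets

# Toy parameters constructed for this illustration; real TLS uses far larger keys.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537         # server's long-term RSA key
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))   # D is the private key that later leaks
DH_P, DH_G = 2**127 - 1, 3                    # toy Diffie-Hellman group

def kdf(secret):
    """Derive the session key from the shared secret."""
    return hashlib.sha256(str(secret).encode()).hexdigest()

def _digest(value):
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % N

def sign(value, d):
    return pow(_digest(value), d, N)

def verify(value, sig):
    return pow(sig, E, N) == _digest(value)

def rsa_session():
    """Static RSA key exchange: the client encrypts the secret to the long-term key."""
    premaster = secrets.randbelow(N - 2) + 2
    recording = {"kex": "RSA", "encrypted_premaster": pow(premaster, E, N)}
    return kdf(premaster), recording

def dhe_session():
    """Ephemeral DH: the long-term key only signs; a and b are discarded afterwards."""
    a, b = secrets.randbelow(DH_P - 3) + 2, secrets.randbelow(DH_P - 3) + 2
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    recording = {"kex": "DHE", "client_pub": A, "server_pub": B, "sig": sign(B, D)}
    return kdf(pow(A, b, DH_P)), recording

def decrypt_recording(recording, leaked_d):
    """Apply the leaked private key to every recorded value; return candidate keys."""
    return {kdf(pow(v, leaked_d, N)) for v in recording.values() if isinstance(v, int)}

if __name__ == "__main__":
    for session in (rsa_session, dhe_session):
        key, rec = session()
        print(rec["kex"], "session key recovered from recording:",
              key in decrypt_recording(rec, D))
    # The leaked key still signs new handshake values, so it must be replaced.
    print("leaked key signs a new DH value:", verify(12345, sign(12345, D)))
```

The last line of output corresponds to the MITM window described above: until the key is replaced, its holder can sign handshake values of their own choosing, even though earlier ephemeral sessions stay unreadable.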
