Google implements "forward secrecy" in its encrypted traffic, releases improvements to SSL library for all to use

6 Responses to “Google implements "forward secrecy" in its encrypted traffic, releases improvements to SSL library for all to use”

  1. Mordicai says:

    You know what would REALLY impress me?  Some kind of ability to share articles on Google Reader.  What an incredible leap forward that would be!  #SourGrapes

  2. Thad Boyd says:

    Seems to me that if someone breaks into Google, the goal is to get actual search data and not merely a private key to decrypt previously-snooped packets.  But still, this is a good step forward.

  3. Brian Carp says:

    So if the advantage of “forward secrecy” is that stored encrypted messages can never be decrypted later, this raises a question: why would a server ever bother to store an encrypted message that it can’t decrypt?

    If you don’t waste resources storing indecipherable information, it’s not only more efficient but also more secure against future singularity-era technologies that could break the encryption.  It’s not at all clear to me why a server would bother with the storage in the first place.

  4. scroffy says:

    I'm sad that everyone misses the key point here. Google is in the business of saving data for future use, including sales to governments. US government competes on save traffic by sniffing the traffic, something they are loath to admit (AT&T tapping in San Francisco springs to mind?). Since Google will retain the plaintext for traffic that they are party to (e.g. Gmail), this new scheme means that they will be the monopoly on that traffic data when it is desired by government later on. The NSA won’t have a copy. Google will be able to sell it. And because government wants the data, but doesn’t want to disclose the extent of the privacy invasions, they are less likely to damage Google’s business model because they need the relationship.

  5. Forgive me, but aren’t Google still storing the originating IP for each search query?  

    So: yes, this is good, but it doesn’t make them anywhere near perfect…

  6. Pepijn says:

    That’s nice. Meanwhile, they still do not support HTTPS for AdSense, forcing everyone using Google ads to leave their pages insecurely available via HTTP.