In association with heise online

24 November 2011, 13:14

Google protects connections with forward secrecy

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Google logo

Google has announced that it has enabled forward secrecy in its HTTPS services by default. Most HTTPS sites operate in such a way that a private key is retained and, theoretically, that key could be broken in the future, giving someone the ability to decrypt all the traffic that was encrypted with that key. Forward secrecy ensures that captured messages cannot be decrypted en masse by making sure that the private keys used to encrypt connections are not kept on persistent storage. "Not even the server operator will be able to retroactively decrypt HTTPS sessions," says Google.

Forward secrecy is live on Gmail, SSL Search, Docs and Google+. To see whether it is operating, Google suggests that users click on the green padlock in a Chrome window and check that the key exchange mechanism is shown as ECDHE_RSA as shown below:

Google HTTPS
Zoom Forward secrecy is enabled when ECHDE_RSA is shown as the key exchange mechanism

Chrome, Firefox and Internet Explorer support Google's forward secrecy mechanism, but Internet Explorer does not enable it by default as it does not support the combination of ECHDE (Elliptic Curve Diffie-Hellman Exchange) and RC4 that Google is using. Google hopes to support IE in the future. Google has also released its modifications to the OpenSSL Library that allowed it to enable forward secrecy and which is due to appear in OpenSSL 1.0.1.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit