
Wrong, see Diffie-Hellman

Posted Jan 8, 2011 20:46 UTC (Sat) by kleptog (subscriber, #1183)
In reply to: Default "secrets" by erwbgy
Parent article: Default "secrets"

Well, the GP poster is correct, if Diffie-Hellman is enabled in SSL then you have perfect forward secrecy. In other words, even if someone has the private key and sniffs all the traffic, they *still* can't decrypt it.

It's a neat trick whereby the server and client can agree on a key over an insecure channel.

So this list is useful for MITM attacks but not always useful for eavesdropping. Now, if they have checked all these routers and confirmed that in fact DH is disabled by default, then we have a different problem indeed.

(Incidentally, I just tried my own router and Firefox doesn't say whether DH is enabled or not. Maybe that means no.)

For the fun of it, try surfing the web and rejecting any SSL connections that don't use DH. You'd be surprised at the number of sites that either (a) are incompetent or (b) want anyone who has the private key to be able to sniff your traffic. There are a lot of sites which will accept DH if you ask for it but will default to no.

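The distinction the comment draws (a leaked long-term key lets a passive sniffer decrypt RSA key-transport sessions but not DHE sessions, while still enabling an active MITM) can be shown with toy arithmetic. The following is an added example, not code from the original post, from LWN, or from any real TLS stack. All parameters are constructed for readability: an 11-bit safe prime group (P, Q, G), a 12-bit textbook RSA key (RSA_N, RSA_E, RSA_D) standing in for the router's default private key, and a SHA-256 hash standing in for the TLS PRF. Nothing here is sized for real use; real deployments use 2048-bit or larger groups, or elliptic curves.

```python
"""Toy TLS-style handshakes: RSA key transport vs. signed ephemeral DH.

Added illustration, not from the original page. Every constant below is a
constructed toy value chosen so the arithmetic is readable, not secure.
"""
import hashlib
import secrets

# Toy DH group (constructed): safe prime P = 2*Q + 1.  G = 4 is a quadratic
# residue mod P, so it generates the prime-order-Q subgroup.
P, Q, G = 2039, 1019, 4

# Toy long-term server RSA key (constructed): n = 61 * 53, e = 17,
# d = e^-1 mod (60 * 52).  RSA_D plays the "leaked default private key".
RSA_N, RSA_E, RSA_D = 3233, 17, 2753


def kdf(shared_secret: int, transcript: bytes) -> bytes:
    """Session key = H(transcript || secret); stands in for the TLS PRF."""
    return hashlib.sha256(transcript + shared_secret.to_bytes(2, "big")).digest()


def hash_to_int(msg: bytes) -> int:
    # Truncated hash reduced into the RSA range; toy only, no padding scheme.
    return int.from_bytes(hashlib.sha256(msg).digest()[:2], "big") % RSA_N


def rsa_sign(msg: bytes, d: int) -> int:
    return pow(hash_to_int(msg), d, RSA_N)


def rsa_verify(msg: bytes, sig: int) -> bool:
    return pow(sig, RSA_E, RSA_N) == hash_to_int(msg)


def rsa_key_transport_handshake() -> dict:
    """TLS_RSA_*: client encrypts a premaster secret to the server's public key."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    c = pow(premaster, RSA_E, RSA_N)          # this ciphertext is what a sniffer sees
    wire = c.to_bytes(2, "big")
    assert pow(c, RSA_D, RSA_N) == premaster  # server recovers it with d
    return {"wire": wire, "session_key": kdf(premaster, wire)}


def dhe_handshake() -> dict:
    """TLS_DHE_RSA_*: fresh DH shares; server signs its share with the long-term key."""
    a = secrets.randbelow(Q - 1) + 1          # client ephemeral exponent
    b = secrets.randbelow(Q - 1) + 1          # server ephemeral exponent
    A, B = pow(G, a, P), pow(G, b, P)
    transcript = A.to_bytes(2, "big") + B.to_bytes(2, "big")
    sig = rsa_sign(transcript, RSA_D)
    assert rsa_verify(transcript, sig)        # client authenticates the server share
    shared = pow(B, a, P)
    assert shared == pow(A, b, P)
    # Only A, B and the signature cross the wire; nothing is encrypted to RSA_N.
    return {"wire": transcript + sig.to_bytes(2, "big"), "session_key": kdf(shared, transcript)}


def eavesdrop_rsa(wire: bytes, leaked_d: int) -> bytes:
    """Passive sniffer holding the private key: decrypt the premaster, rederive the key."""
    c = int.from_bytes(wire, "big")
    return kdf(pow(c, leaked_d, RSA_N), wire)


def break_dhe_by_dlog(wire: bytes) -> bytes:
    """Passive sniffer against DHE.  The leaked key is useless here (note it is not
    even an argument): the only route to g^(ab) is a discrete log of one share.
    This loop succeeds because Q is 11 bits; with a 2048-bit group it is the
    whole difficulty, which is what 'forward secrecy' rests on."""
    A = int.from_bytes(wire[:2], "big")
    B = int.from_bytes(wire[2:4], "big")
    for a in range(1, Q):
        if pow(G, a, P) == A:
            return kdf(pow(B, a, P), wire[:4])
    raise ValueError("client share is not in the expected subgroup")


def mitm_forge_server_share(leaked_d: int) -> bool:
    """Active attacker with the private key: sign an attacker-chosen share so the
    client's signature check passes.  This is what a leaked default key does buy
    against DHE: impersonation/MITM, not decryption of recorded traffic."""
    client_share = pow(G, secrets.randbelow(Q - 1) + 1, P)   # whatever the client sent
    evil_share = pow(G, secrets.randbelow(Q - 1) + 1, P)     # attacker's own exponent
    transcript = client_share.to_bytes(2, "big") + evil_share.to_bytes(2, "big")
    return rsa_verify(transcript, rsa_sign(transcript, leaked_d))
```

Run the two handshakes and hand each transcript to the attacker functions: `eavesdrop_rsa` with `RSA_D` reproduces the RSA session key from the sniffed bytes alone, while against `dhe_handshake` the private key has no decryption role and `break_dhe_by_dlog` only works because the toy group is small. `mitm_forge_server_share` shows the residual risk the comment points at: a leaked signing key still lets an active attacker impersonate the server, so the list of default keys matters for MITM even where DHE is on. For modern stacks the same split applies to ECDHE, and TLS 1.3 removed RSA key transport entirely.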

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds