Let's talk about perfect forward secrecy
Let's talk about perfect forward secrecy
Posted Nov 16, 2013 16:30 UTC (Sat) by glaesera (guest, #91429)Parent article: Let's talk about perfect forward secrecy
Well, normally I do not read other people's comments, maybe I should do so ...? In fact I prefer to do the commenting in a lightning-chess style, just read and then write down, what comes to mind instantly. In some Cases there may be a plan, what to answer, even before starting reading, then while reading there are only minor changes made to the initial concept, depending on the content. This is how I do it.
On Forward Secrecy it appeared to me, that the so called bit-rot has to be regarded. The longer spying-services keep the data on their harddisks, the more likely it gets, that connections cannot be decrypted correctly anymore, years later, because the data was affected by single rotting bits, which would make them unusable, wouldn't it ?
Then, as far as I know, PFS can be provided currently by Apache version 2.4 and later, which is in Debian-Jessie and was not backported yet to Wheezy.
Finally, it does not have very high priority to backport Apache probably, because when US-companies use it, the NSA will read encrypted data anyway in a man-in-the-middle fashion, when the data pass into or out from these companies' cloud-services, so in fact very good encryption only means, that the NSA will read your data exclusively, when storing them in the US, just others will be unable to decrypt the contents, but these 'locked-out' services can still try to do statistical analysis on your data and try to provide a sense of security that way.
I want to point you there again:
https://www.eff.org/https-everywhere
These FAQ were also helpful for me:
https://www.eff.org/https-everywhere/faq
They tell you, what ssl-encryption can protect you from in principle.
If I got it correctly, then the meta-data can still be recorded in spite of encryption, but not the contents of your online-connections.
On Forward Secrecy it appeared to me, that the so called bit-rot has to be regarded. The longer spying-services keep the data on their harddisks, the more likely it gets, that connections cannot be decrypted correctly anymore, years later, because the data was affected by single rotting bits, which would make them unusable, wouldn't it ?
Then, as far as I know, PFS can be provided currently by Apache version 2.4 and later, which is in Debian-Jessie and was not backported yet to Wheezy.
Finally, it does not have very high priority to backport Apache probably, because when US-companies use it, the NSA will read encrypted data anyway in a man-in-the-middle fashion, when the data pass into or out from these companies' cloud-services, so in fact very good encryption only means, that the NSA will read your data exclusively, when storing them in the US, just others will be unable to decrypt the contents, but these 'locked-out' services can still try to do statistical analysis on your data and try to provide a sense of security that way.
I want to point you there again:
https://www.eff.org/https-everywhere
These FAQ were also helpful for me:
https://www.eff.org/https-everywhere/faq
They tell you, what ssl-encryption can protect you from in principle.
If I got it correctly, then the meta-data can still be recorded in spite of encryption, but not the contents of your online-connections.
Posted Nov 16, 2013 21:12 UTC (Sat)
by dlang (guest, #313)
[Link]
Let's talk about perfect forward secrecy
that's a unique way to use the term bit-rot