No Entry unless authorized

How to keep NSA and GCHQ out of the loop

If you’re managing a web server, this one could be for you. (It’s also for you if you’re able to ask your local web server manager for a favor.) It’s called Forward Secrecy, and it makes the encryption you’re already using much, much harder to break for the bad guys, which on our list also includes the state-sponsored snoopers from around the world.

Here’s why you should consider offering it on your web server: without it, anyone who wants to break the widely used SSL encryption that every browser uses for secure connections only needs to get hold of the secret server key. They could get that key by breaking into the server or by way of a search warrant or subpoena. And once they’ve got the key, they can decrypt everything – including all past communications. The massive surveillance programs that have been made public by everyone’s current hero Edward Snowden were designed for that purpose (among others): to record encrypted communications just in case there might be a way to decrypt them at a later time.

Enter the concept of “Forward Secrecy” – a property of encryption systems which makes recording past encrypted communication useless, because the keys used for securing the communication change regularly and cannot be reverse engineered. Forward Secrecy is a game changer that works in your favor, because once it is enabled, even if someone gets at your secret server key, it won’t be useful for decrypting what they recorded. If you have sources or customers to protect, or if you simply do not wish to collaborate with the snoopers, this might be worth your while. (Ironically, Diffie-Hellman Key Exchange, one of the methods of providing forward secrecy, was invented and initially kept secret by the British spies at GCHQ.)

The drawback is that the calculations that have to be done consume more resources, which can slow down the whole thing. But maybe that’s OK – even Google supports it, according to SSL Labs, and you wouldn’t want to be accused of being more welcoming to snoopers than them. Just try it out; here’s a blog post that explains how: Deploying Forward Secrecy.
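To check whether a server configuration really offers only forward-secret key exchange, here is an added example (not from this post or the linked blog post) using Python's standard `ssl` module. The function names and the cipher string are assumptions chosen for illustration; the audit classifies cipher suites by their OpenSSL or IANA names.

```python
import ssl

# Key exchanges that generate fresh (ephemeral) Diffie-Hellman keys per connection.
EPHEMERAL_KX = ("ECDHE", "DHE")


def is_forward_secret(suite: str) -> bool:
    """Classify a cipher suite by name (OpenSSL or IANA style).

    Anything not recognised is reported as NOT forward secret.
    """
    if suite.startswith("TLS_"):
        if "_WITH_" not in suite:
            # TLS 1.3 suite (e.g. TLS_AES_128_GCM_SHA256): full handshakes
            # always use ephemeral (EC)DHE.
            return True
        # IANA style: TLS_<key exchange>_WITH_<cipher>, e.g. "ECDHE_RSA" or "RSA".
        kx = suite[len("TLS_"):].split("_WITH_")[0]
        return kx.split("_")[0] in EPHEMERAL_KX
    # OpenSSL style: "ECDHE-RSA-AES128-GCM-SHA256" vs "AES128-GCM-SHA256".
    return suite.split("-")[0] in EPHEMERAL_KX


def non_forward_secret(suites):
    """Return the suites that a stolen server key would let an attacker decrypt."""
    return [s for s in suites if not is_forward_secret(s)]


def forward_secret_server_context() -> ssl.SSLContext:
    """Server-side context restricted to ECDHE key exchange (assumed cipher string)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Applies to TLS 1.2 and below; TLS 1.3 suites are not affected by set_ciphers().
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def audit_context(ctx: ssl.SSLContext):
    """List enabled suites in ctx that lack forward secrecy (empty list = good)."""
    return non_forward_secret(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    print("hardened context:", audit_context(forward_secret_server_context()))
    # Constructed sample list mixing static-RSA and ephemeral suites.
    sample = ["AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA"]
    print("sample list:", non_forward_secret(sample))
```

An empty list from `audit_context` means every enabled suite uses ephemeral keys; a real deployment still needs its certificate and key loaded into the context before it can serve connections.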
