Dec 04 2013
Last month I wrote about Perfect Forward Secrecy (PFS) for the Akamai corporate blog. But if you’d asked me two months earlier what PFS was, you would have seen me madly scrambling for Google to find out more about it. And I’m not alone: before this summer only a few deeply technical engineers had heard of PFS; almost everyone else had either never encountered it or dismissed it as an unnecessary burden on their servers. Except the NSA managed to change that perception over the summer.
Now most companies are looking at PFS, or looking at it again. In a nutshell, PFS is a method used with SSL that creates a temporary key to transmit the session keys for the browser session and then dumps the key from memory afterward. You can use words like ‘ephemeral elliptic curve cryptography’, but the important part is that PFS enables a method of encrypting SSL communications that doesn’t rely on the master key on the server to protect your traffic; it creates a new key every time. This means that even if that master key is somehow compromised, it doesn’t allow access to all the traffic for that SSL certificate; the attacker must crack each and every session individually. Which means you have to have a lot more computing power at your disposal to crack more than a few conversations.
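Whether a connection gets this property is decided by the key exchange in the negotiated cipher suite, so a server's cipher list can be audited by name. The following is an added example, not part of the original post: it classifies OpenSSL and IANA suite names by whether they use an authenticated ephemeral Diffie-Hellman exchange. The function names and the `SAMPLE` list are constructed for illustration.

```python
import ssl

# Key-exchange labels that mean a fresh (EC)DH key pair per handshake.
# EDH and EECDH are older OpenSSL spellings of DHE and ECDHE.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH", "EECDH"}


def forward_secret(suite: str) -> bool:
    """True if the named cipher suite uses an authenticated ephemeral key exchange.

    Accepts OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256) and IANA names
    (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256).
    """
    name = suite.strip().upper().replace("_", "-")
    if name.startswith("TLS-"):
        if "-WITH-" not in name:
            # TLS 1.3 style name (TLS_AES_128_GCM_SHA256): the suite no longer
            # names a key exchange, and full handshakes always use (EC)DHE.
            return True
        name = name[len("TLS-"):]
    # The first token is the key exchange. Names with no key-exchange token
    # (AES128-SHA) are RSA key transport; ECDH-/DH- are static; ADH/AECDH are
    # anonymous. None of those count as forward secret here.
    return name.split("-")[0] in EPHEMERAL_KX


def audit(suites):
    """Split suite names into (forward_secret, not_forward_secret) lists."""
    fs, other = [], []
    for s in suites:
        (fs if forward_secret(s) else other).append(s)
    return fs, other


# Constructed sample: a server cipher list mixing both kinds of suite.
SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA",
    "AES128-SHA",
    "ECDH-RSA-AES128-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    fs, other = audit(SAMPLE)
    print("forward secret:", fs)
    print("not forward secret:", other)
    # Same check over what the local OpenSSL build enables by default.
    local = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    print("local default, not forward secret:", audit(local)[1])
```

Suites in the second list protect the session keys with the server's long-term private key, so they are the ones to disable or rank last when forward secrecy is the goal.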
PFS is a good idea we should have instantiated some time ago, but it’s got a downside in that it requires a lot of server overhead. But having to view our own governments as the enemy has given tech companies around the globe the impetus to make the change to PFS. Google is moving towards encrypting all traffic by default, with PFS being part of this effort. Facebook has moved in the same direction, with PFS also being a critical piece in the protection puzzle. And Twitter. And Microsoft. And … you get the picture. Companies are moving to use PFS across the board because it gives them a tool they can point to in order to tell users that they really care about securing end user communications.
I have to applaud these companies for taking this step, but even more, I have to hand it to Google, Yahoo, Facebook, and Microsoft for challenging the current status quo of National Security Letters and the secrecy they entail. There are more questions than answers when it comes to how NSLs are being used, if they’re necessary and if they are even something a country like the US should be allowing. Technology is great and it’ll help with some of the problems we’re just starting to understand, but the only long-term changes are going to come if we examine the current issues with the NSA and other agencies slurping up every available byte of data for later analysis. Changes to the laws probably won’t stop anything immediately, but we have to have the conversation.
Using PFS is just a start on what will be fundamental changes in the Internet. Encryption everywhere has to become an integral part of the Internet, something privacy boffins have been saying for years. It may be too late for this to be an effective measure, but we have to do something. PFS makes for a pretty good first step.