On Thu, Aug 1, 2013 at 1:33 PM, James Salsman <jsalsman(a)gmail.com> wrote:
With the NSA revelations over the past months, there has been some very
questionable information starting to circulate suggesting that trying to
implement perfect forward secrecy for https web traffic isn't worth the
effort. I am not sure of the provenance of these reports, and I would like
to see a much more thorough debate on their accuracy or lack thereof. Here
is an example:
http://tonyarcieri.com/imperfect-forward-secrecy-the-coming-cryptocalypse
As my IETF RFC coauthor Harald Alvestrand told me: "The stuff about 'have
to transmit the session key in the clear' is completely bogus, of course.
That's what Diffie-Hellman is all about."
Ryan Lane tweeted yesterday: "It's possible to determine what you've been
viewing even with PFS. And no, padding won't help." And he wrote on today's
Foundation blog post, "Enabling perfect forward secrecy is only useful if
we also eliminate the threat of traffic analysis of HTTPS, which can be
used to detect a user’s browsing activity, even when using HTTP," citing
http://blog.ioactive.com/2012/02/ssl-traffic-analysis-on-google-maps.html
It is not at all clear to me that discussion pertains to PFS or Wikimedia
traffic in any way.
I strongly suggest that the Foundation contract with well-known independent
reputable cryptography experts to resolve these questions. Tracking and
correcting misinformed advice, perhaps in cooperation with the EFF, is just
as important.
Well, my post was reviewed by quite a number of tech staff and no one
rebutted my claim.
Assuming traffic analysis can be used to determine your browsing habits as
they are occurring (which is likely not terribly hard for Wikipedia) then
there's no point in forward secrecy because there's no point in decrypting
the traffic. It would protect passwords, but people should be changing
their passwords occasionally anyway, right?
Using traffic analysis it's also likely possible to correlate edits with
users as well, based on timings of requests and the public data available
for revisions.
I'm not saying that PFS is worthless, but I am saying that implementing PFS
without first solving the issue of timing and traffic analysis
vulnerabilities is a waste of our server's resources.
- Ryan
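The traffic-analysis point made in the reply above can be made concrete with a small simulation. The following is an added example, not code from either poster or from Wikimedia: it uses a constructed catalogue of page loads (the page names, resource sizes and the per-record TLS overhead constant are all invented for illustration) and shows what a passive observer learns from ciphertext lengths alone, without ever decrypting anything, so the choice of key exchange (and hence forward secrecy) does not enter into it. It also exposes a padding granularity knob so an operator can measure how large an anonymity set a given padding scheme buys, and see that the number of responses in a load remains a signal even when every response is padded to a large bucket.

```python
"""Size-based fingerprinting of encrypted page loads on constructed data.

The observer only sees ciphertext lengths, so the key-exchange method
(static RSA vs. ephemeral Diffie-Hellman) makes no difference here.
"""

from collections import defaultdict

# Constructed sample, not real Wikipedia measurements:
# page name -> sizes in bytes of the responses fetched when it is loaded, in order.
PAGES = {
    "Alan_Turing":    [48120, 17340, 9201, 2212],
    "Ada_Lovelace":   [39870, 12904, 2212],
    "Enigma_machine": [41555, 17340, 2212],
    "Main_Page":      [71003, 5120, 3011, 2212, 2212],
    "Bletchley_Park": [39870, 12904, 2212],   # deliberately same sizes as Ada_Lovelace
}

# Assumed, illustrative per-record expansion (record header + MAC/tag).
TLS_OVERHEAD = 29


def observe(sizes, pad_to=1):
    """What a passive observer sees for one page load: the ciphertext length of
    each response.  Encryption adds a near-constant overhead, so plaintext
    lengths leak.  pad_to > 1 simulates padding every response up to the next
    bucket boundary before encryption (a mitigation knob)."""
    padded = [-(-s // pad_to) * pad_to for s in sizes]   # ceiling to bucket
    return tuple(p + TLS_OVERHEAD for p in padded)


def build_index(pages, pad_to=1):
    """Map each observable fingerprint to the set of pages that produce it."""
    index = defaultdict(set)
    for name, sizes in pages.items():
        index[observe(sizes, pad_to)].add(name)
    return index


def identify(observed, index):
    """Candidate pages for an observed fingerprint, i.e. its anonymity set."""
    return sorted(index.get(tuple(observed), set()))


def anonymity_sets(pages, pad_to=1):
    """Page -> size of its anonymity set under a given padding granularity.
    A value of 1 means the page is uniquely identifiable from lengths alone."""
    index = build_index(pages, pad_to)
    return {name: len(index[observe(sizes, pad_to)]) for name, sizes in pages.items()}


if __name__ == "__main__":
    idx = build_index(PAGES)
    print("unpadded load of Alan_Turing identified as:",
          identify(observe(PAGES["Alan_Turing"]), idx))
    for bucket in (1, 4096, 65536):
        print(f"pad_to={bucket}:", anonymity_sets(PAGES, bucket))
```

Running it shows that without padding every page except the two with identical size profiles is uniquely identified, that padding to 4 KiB buckets merges only a few of them, and that even with 64 KiB buckets the pages with a distinct number of responses (here Alan_Turing and Main_Page) stay unique, because the response count is itself a fingerprint. The same structure applies to timing: add request timestamps to the tuple and the index grows more discriminating, not less.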