On Thu, Aug 1, 2013 at 1:33 PM, James Salsman jsalsman@gmail.com wrote:
With the NSA revelations over the past months, there has been some very questionable information starting to circulate suggesting that trying to implement perfect forward secrecy for https web traffic isn't worth the effort. I am not sure of the provenance of these reports, and I would like to see a much more thorough debate on their accuracy or lack thereof. Here is an example:
http://tonyarcieri.com/imperfect-forward-secrecy-the-coming-cryptocalypse
As my IETF RFC coauthor Harald Alvestrand told me: "The stuff about 'have to transmit the session key in the clear' is completely bogus, of course. That's what Diffie-Hellman is all about."
Ryan Lane tweeted yesterday: "It's possible to determine what you've been viewing even with PFS. And no, padding won't help." And he wrote on today's Foundation blog post, "Enabling perfect forward secrecy is only useful if we also eliminate the threat of traffic analysis of HTTPS, which can be used to detect a user’s browsing activity, even when using HTTP," citing http://blog.ioactive.com/2012/02/ssl-traffic-analysis-on-google-maps.html
It is not at all clear to me that discussion pertains to PFS or Wikimedia traffic in any way.
I strongly suggest that the Foundation contract with well-known independent reputable cryptography experts to resolve these questions. Tracking and correcting misinformed advice, perhaps in cooperation with the EFF, is just as important.
Well, my post was reviewed by quite a number of tech staff and no one rebutted my claim.
Assuming traffic analysis can be used to determine your browsing habits as they are occurring (which is likely not terribly hard for Wikipedia) then there's no point in forward secrecy because there's no point in decrypting the traffic. It would protect passwords, but people should be changing their passwords occasionally anyway, right?
Using traffic analysis it's also likely possible to correlate edits with users as well, based on timings of requests and the public data available for revisions.
I'm not saying that PFS is worthless, but I am saying that implementing PFS without first solving the issue of timing and traffic analysis vulnerabilities is a waste of our servers' resources.
- Ryan
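The Diffie-Hellman point Harald Alvestrand makes in the quoted mail and Ryan's point that traffic analysis survives PFS, side by side as an added toy example (not code from anyone in this thread, and not Wikimedia's): a recorded ephemeral-DH session cannot be opened with a later-stolen long-term key, a key-transport session can, and the ciphertext length, the signal traffic analysis works from, is identical in both. The DH group and RSA numbers are constructed and insecure, chosen only to keep the arithmetic readable.

```python
import hashlib
import secrets

# Constructed toy parameters, NOT secure: a small DH group and textbook RSA.
DH_P, DH_G = 2**127 - 1, 5
RSA_N, RSA_E, RSA_D = 61 * 53, 17, 2753   # RSA_D plays the server's long-term secret

def kdf(shared_secret: int) -> bytes:
    return hashlib.sha256(str(shared_secret).encode()).digest()

def dhe_handshake():
    """Ephemeral DH: both sides pick fresh exponents; the long-term key would only sign."""
    a = secrets.randbelow(DH_P - 2) + 2          # client ephemeral, discarded after use
    b = secrets.randbelow(DH_P - 2) + 2          # server ephemeral, discarded after use
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    key = kdf(pow(B, a, DH_P))
    assert key == kdf(pow(A, b, DH_P))
    return key, {"kind": "dhe", "A": A, "B": B}  # a passive observer records only A and B

def rsa_transport_handshake():
    """Key transport: client encrypts the session secret to the server's long-term key."""
    k = secrets.randbelow(RSA_N - 2) + 2
    key = kdf(k)
    assert kdf(pow(pow(k, RSA_E, RSA_N), RSA_D, RSA_N)) == key
    return key, {"kind": "rsa", "c": pow(k, RSA_E, RSA_N)}  # observer records c

def recover_with_stolen_longterm_key(transcript):
    """A recorded session opens later only if the secret itself went over the wire."""
    if transcript["kind"] == "rsa":
        return kdf(pow(transcript["c"], RSA_D, RSA_N))
    return None  # A and B alone do not yield g^ab; the ephemeral exponents are gone

def encrypt(key: bytes, page: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream); its length is what an observer sees."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(page) // 32 + 1))
    return bytes(p ^ s for p, s in zip(page, stream))

def demo():
    key_dhe, t_dhe = dhe_handshake()
    key_rsa, t_rsa = rsa_transport_handshake()
    page = b"<html>constructed sample page</html>"  # constructed sample response
    return {
        "dhe_recovered": recover_with_stolen_longterm_key(t_dhe) == key_dhe,
        "rsa_recovered": recover_with_stolen_longterm_key(t_rsa) == key_rsa,
        "ciphertext_len": len(encrypt(key_dhe, page)),  # equals len(page) with or without PFS
    }

if __name__ == "__main__":
    print(demo())
```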