[Wikimedia-l] Disinformation regarding perfect forward secrecy for HTTPS
Ryan Lane
rlane at wikimedia.org
Fri Aug 2 00:07:20 UTC 2013
On Thu, Aug 1, 2013 at 1:33 PM, James Salsman <jsalsman at gmail.com> wrote:
> With the NSA revelations over the past months, there has been some very
> questionable information starting to circulate suggesting that trying to
> implement perfect forward secrecy for https web traffic isn't worth the
> effort. I am not sure of the provenance of these reports, and I would like
> to see a much more thorough debate on their accuracy or lack thereof. Here
> is an example:
>
> http://tonyarcieri.com/imperfect-forward-secrecy-the-coming-cryptocalypse
>
> As my IETF RFC coauthor Harald Alvestrand told me: "The stuff about 'have
> to transmit the session key in the clear' is completely bogus, of course.
> That's what Diffie-Hellman is all about."
>
> Ryan Lane tweeted yesterday: "It's possible to determine what you've been
> viewing even with PFS. And no, padding won't help." And he wrote on today's
> Foundation blog post, "Enabling perfect forward secrecy is only useful if
> we also eliminate the threat of traffic analysis of HTTPS, which can be
> used to detect a user’s browsing activity, even when using HTTP," citing
> http://blog.ioactive.com/2012/02/ssl-traffic-analysis-on-google-maps.html
>
> It is not at all clear to me that discussion pertains to PFS or Wikimedia
> traffic in any way.
>
> I strongly suggest that the Foundation contract with well-known independent
> reputable cryptography experts to resolve these questions. Tracking and
> correcting misinformed advice, perhaps in cooperation with the EFF, is just
> as important.
>
Well, my post was reviewed by quite a number of tech staff and no one
rebutted my claim.
Assuming traffic analysis can be used to determine your browsing habits as
they are occurring (which is likely not terribly hard for Wikipedia) then
there's no point in forward secrecy because there's no point in decrypting
the traffic. It would protect passwords, but people should be changing
their passwords occasionally anyway, right?
Using traffic analysis it's also likely possible to correlate edits with
users as well, based on timings of requests and the public data available
for revisions.
I'm not saying that PFS is worthless, but I am saying that implementing PFS
without first solving the issue of timing and traffic analysis
vulnerabilities is a waste of our servers' resources.
- Ryan
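The traffic-analysis point argued in this thread, as an added worked example (written for this page; it is not Wikimedia's code and comes from neither poster). An observer who records a TLS session but cannot decrypt it still sees the byte size of every encrypted response and the time of every request. `identify_page()` guesses which article was fetched from response sizes alone, and `correlate_edits()` links a public revision to a client from request timing. The fingerprint database, the 2 kB upload threshold, the client identifiers and every timestamp below are constructed assumptions for illustration, not measurements of Wikipedia.

```python
"""Traffic analysis of an HTTPS session without decrypting it.
identify_page(): match encrypted response sizes against a fingerprint table.
correlate_edits(): match public revision timestamps against upload-sized
requests seen on the wire. All data is constructed for illustration."""

from bisect import bisect_left, bisect_right

# Constructed fingerprint database: article -> byte size of its HTML response
# followed by each embedded image, as recorded by crawling the site in advance.
# Hypothetical values, not measured from Wikipedia.
PAGE_FINGERPRINTS = {
    "Forward_secrecy":             [31_700, 8_800, 2_100],
    "Traffic_analysis":            [27_300, 14_600, 2_100, 6_500],
    "Diffie-Hellman_key_exchange": [48_200, 12_400, 3_900, 22_100],
}

# Assumed threshold: a request body this large is an edit POST, not a GET.
UPLOAD_BYTES = 2_000


def fingerprint_distance(observed, reference):
    """L1 distance between two size lists after sorting, plus a flat penalty
    for every missing or extra object. Sorting makes the comparison independent
    of the order in which the browser fetched the objects."""
    a, b = sorted(observed), sorted(reference)
    penalty = abs(len(a) - len(b)) * 10_000
    return sum(abs(x - y) for x, y in zip(a, b)) + penalty


def identify_page(observed_sizes, fingerprints=PAGE_FINGERPRINTS, max_distance=2_000):
    """Best-matching article for a list of ciphertext byte counts (one per
    response on the connection), or None if nothing is within max_distance.
    TLS framing adds a few dozen bytes per record; the tolerance absorbs that.
    No key material is involved anywhere, so whether the session used a
    forward-secret cipher suite makes no difference to this attack."""
    best = min(fingerprints,
               key=lambda p: fingerprint_distance(observed_sizes, fingerprints[p]))
    if fingerprint_distance(observed_sizes, fingerprints[best]) > max_distance:
        return None
    return best


def correlate_edits(revisions, request_log, window_s=5.0):
    """revisions: [(title, unix_ts)] from the public revision history.
    request_log: [(client_id, unix_ts, request_bytes)] as seen on the wire;
    client_id would be a source IP in practice.
    Returns {(title, ts): [client_id, ...]} listing every client that sent an
    upload-sized request in the window_s seconds before the revision timestamp."""
    uploads = sorted((ts, cid) for cid, ts, nbytes in request_log
                     if nbytes >= UPLOAD_BYTES)
    times = [ts for ts, _ in uploads]
    candidates = {}
    for title, rev_ts in revisions:
        lo = bisect_left(times, rev_ts - window_s)
        hi = bisect_right(times, rev_ts)
        candidates[(title, rev_ts)] = sorted({cid for _, cid in uploads[lo:hi]})
    return candidates


if __name__ == "__main__":
    # Constructed observation: three encrypted responses, each a little larger
    # than the plaintext because of TLS record framing.
    print(identify_page([31_760, 8_830, 2_130]))          # Forward_secrecy
    # Constructed wire log and public revision list.
    log = [
        ("10.0.0.5", 1375400000.0, 420),     # GET of the edit form
        ("10.0.0.5", 1375400003.2, 6_300),   # POST carrying the new page text
        ("10.0.0.9", 1375400003.9, 380),     # unrelated page view
        ("10.0.0.9", 1375400100.0, 5_100),   # a later upload by someone else
    ]
    revs = [("Forward_secrecy", 1375400004.0)]
    print(correlate_edits(revs, log))                     # {...: ['10.0.0.5']}
```

Neither function ever touches a session key: the inputs are lengths and timestamps, which the ciphertext and the TCP stream expose regardless of the key exchange used. That is the part of the argument that forward secrecy does not address, and it is what a real deployment would have to measure (with real fingerprints and real timing jitter, both of which this toy stands in for with constructed numbers).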