November 29, 2011 | By Parker Higgins

Long Term Privacy with Forward Secrecy

This week, Google activated a web privacy feature called “forward secrecy”, becoming one of the web’s first major players to put this important component in place. It’s an important step, and other sites should follow suit. In order to understand why enabling forward secrecy is so important, it’s helpful to know how HTTPS works in the first place.

HTTPS encrypts requests that your browser makes to web servers, and then encrypts the resulting pages. That makes the exchanged messages incomprehensible to anybody in between, such as your ISP or an eavesdropper. Each web server has a secret key, and only somebody with that secret key can decrypt the messages.1 That arrangement provides a basic layer of security from many online threats to your privacy.

(It’s worth noting that some websites that allow HTTPS connections don’t use them by default. To tell your browser to default to encrypted connections with over 1,000 sites, you can use our Firefox extension HTTPS Everywhere.)

Without forward secrecy enabled, the encrypted messages can be stored and decrypted with the private key at any time. That can lead to major issues: if your traffic has been intercepted, and the web server’s key is ever compromised, there’s no way to stop the attacker from decrypting and reading the old messages — even years later.

Forward secrecy is the way to address that threat. With forward secrecy enabled, some of the information that’s needed to decrypt those messages is ephemeral and never stored. That means that even if the secret key is compromised, only new encrypted traffic is at risk — and if the web server operator detects the attack, they can revoke the old secret key and create a new one.

This technique is already in use in other cryptographic technologies. One popular example is the Off-The-Record (OTR) messaging protocol, co-developed by 2011 EFF Pioneer Award winner Ian Goldberg. Because it uses forward secrecy, instant messages exchanged using OTR can only be decrypted with a private key at the time they are received, and encrypted messages that are intercepted and stored can never again be unscrambled and read.

Other web sites have implemented HTTPS with forward secrecy before — we have it enabled by default on — but it hasn’t yet been rolled out on a site of Google’s scale. Some sites have publicly resisted implementing forward secrecy because it is more CPU intensive than standard HTTP or HTTPS. In order to address that problem, Google made improvements to the open source OpenSSL library, and has incorporated those changes into the library for anybody to use.

Forward secrecy is an important step forward for web privacy, and we encourage sites, big and small, to follow Google’s lead in enabling it!

  • 1. Technically, the web server’s secret key is used to encrypt data that becomes a new, random session key that is shared between the two parties. But because the session key is encrypted with the server key, a compromised server key can decrypt the session key, which can then decrypt the data.

Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

Censorship powers, data retention, and vague hacking crimes: Pakistan's terrible cybercrime bill has it all:

Nov 25 @ 5:11pm

While Bangladesh blocks social messaging apps, locals are turning to Tor and Twitter:

Nov 25 @ 3:50pm

You've heard recent news about Securus, the prison phone service. It's also the proud owner of a very stupid patent.

Nov 25 @ 3:09pm
JavaScript license information