"Every Web server that uses HTTPS has its own secret key that it uses to encrypt data that it sends to users," wrote EFF activist Parker Higgins. "Specifically, it uses that secret key to generate a new 'session key' that only the server and the browser know. Without that secret key, the traffic traveling back and forth between the user and the server is incomprehensible, to the NSA and to any other eavesdroppers."

"But imagine that some of that incomprehensible data is being recorded anyway—as leaked NSA documents confirm the agency is doing," he continued. "An eavesdropper who gets the secret key at any time in the future—even years later—can use it to decrypt all of the stored data! That means that the encrypted data, once stored, is only as secure as the secret key, which may be vulnerable to compromised server security or disclosure by the service provider."

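The scenario Higgins describes, as an added Python example that is not part of the original article: a toy handshake (textbook RSA and Diffie-Hellman over constructed, deliberately tiny parameters, with a hash-based XOR stream standing in for the real cipher) is recorded, and the server key is disclosed later. It goes one step beyond the quote by also recording a session keyed with one-time Diffie-Hellman values, the forward-secret design that the disclosed key cannot open; all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy parameters (far too small for real use): Mersenne primes.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # server's long-term secret key
DH_P, DH_G = 2**127 - 1, 3             # toy Diffie-Hellman group

def xor_stream(secret: int, data: bytes) -> bytes:
    """Toy stream cipher keyed by the session secret (the same call decrypts)."""
    key = hashlib.sha256(str(secret).encode()).digest()
    blocks = (hashlib.sha256(key + bytes([i])).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def record_rsa_session(plaintext: bytes) -> dict:
    """What an eavesdropper stores when the session secret travels under the server key."""
    secret = secrets.randbelow(N - 2) + 2
    return {"wrapped": pow(secret, E, N), "data": xor_stream(secret, plaintext)}

def record_ephemeral_session(plaintext: bytes) -> dict:
    """The same recording when both sides use one-time Diffie-Hellman values instead."""
    a = secrets.randbelow(DH_P - 3) + 2
    b = secrets.randbelow(DH_P - 3) + 2
    shared = pow(pow(DH_G, a, DH_P), b, DH_P)
    # a, b and shared are discarded on return: neither side keeps them after the session.
    return {"dh_public": (pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)),
            "data": xor_stream(shared, plaintext)}

def decrypt_with_leaked_key(recording: dict, leaked_d: int):
    """Years later: try to open a stored recording using the disclosed server key."""
    if "wrapped" not in recording:
        return None  # nothing on the wire was encrypted under the long-term key
    secret = pow(recording["wrapped"], leaked_d, N)
    return xor_stream(secret, recording["data"])

if __name__ == "__main__":
    msg = b"constructed sample message"
    print(decrypt_with_leaked_key(record_rsa_session(msg), D))
    print(decrypt_with_leaked_key(record_ephemeral_session(msg), D))
```
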
Saturday, November 23, 2013