The linked quora answer (from the co-author of Firesheep) says that even in that case one can't launch a passive man in the middle attack if perfect forward secrecy is used.
Google.com uses Diffie–Hellman key exchange which provides perfect forward secrecy.
So... If I understand everything correctly, it should be impossible to decrypt passively captured HTTPS traffic to/from google.com.
We are not disagreeing with anything he says. We are saying the NSA has the private key.
Ian Gallager: > so if you have the private key, you can decrypt that key, and then use it to decrypt the bulk-encrypted data.
Like he says, if you have the key, wireshark can decrypt the data trivially.
If you have the CA master keys, then the only thing you can do is perform a MITM attack, but not silently decrypt the raw data. A MITM attack would eventually get detected.
Ephemeral Diffie-Hellman creates a new key per connection in a public-safe manner. You cannot eavesdrop on such a connection, even if you have the signing key. The question then becomes, are the SSL sessions actually using that mode.
> Ephemeral Diffie-Hellman creates a new key per connection in a public-safe manner.
How does that make a difference when you have the Diffie-Hellman key? We are saying they have the Diffie-Hellman keys, not the signing keys, nor the block cipher key that is exchanged. They have the only key that matters.
How are they getting the DH keys without cooperation from at least one of the SSL endpoints involved? They're newly generated at every SSL handshake, you can't just get a mole to hand you the keys once and be done with it. If you had the certificate private key, you could do a MITM, but this requires a LOT more resources and would be much more easily detectable.
But I am still lost on how it would be detectable? From Google's end, some client just disconnected. From the client's end, the internet just got a tiny bit more latency.
If you had Google's certificate private key, you can pretend to be Google. It's undetectable from the user's perspective. I think we should trust Google to keep their private keys safe, although it would help a lot if they published in general terms how they accomplish this.
The signing key for Gmail's certificate is a 1024-bit RSA key. That key size is simply not safe against an attacker like the NSA today, so we may as well assume they have the private key even if Google didn't voluntarily give it to them.
But while the signing key may allow them to impersonate Google in some circumstances, it doesn't really help decrypting passively recorded TLS traffic to the real Google. For that, they would need to break the ECDH key exchange, and if Google uses reasonable elliptic curve parameters, that's presumably much harder than factoring a 1024-bit RSA modulus, at least with known cryptanalytic techniques.
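The distinction drawn in this thread (a leaked certificate key lets you decrypt RSA key exchange and impersonate the server, but does not let a passive listener recover an ephemeral Diffie-Hellman session key) modelled as an added example. This is not code from the thread or from any TLS implementation: it uses textbook RSA with two small primes, a 127-bit DH prime with generator 2 and an XOR keystream, all of which are toy parameters chosen so it runs instantly, and the function and variable names are assumptions of this example.

```python
"""Toy model of why a leaked server private key breaks RSA key exchange but
not an ephemeral Diffie-Hellman handshake. Added example, not from the thread.
All parameters are deliberately tiny and insecure (textbook RSA with small
primes, a 127-bit DH prime, XOR "encryption"); they model the structure of
the exchange, not real TLS."""
import hashlib
import secrets

# Toy RSA long-term key of the server (the "certificate" key). Assumed values.
RSA_P, RSA_Q, RSA_E = 1_000_000_007, 998_244_353, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

# Toy DH group: the Mersenne prime 2^127-1 with generator 2. Far too small
# for real use; real deployments use 2048-bit MODP groups or elliptic curves.
DH_P = (1 << 127) - 1
DH_G = 2

def kdf(secret: int) -> bytes:
    """Derive a session key from the shared secret (stand-in for the TLS PRF)."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()

def encrypt(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256-derived keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

decrypt = encrypt  # XOR keystream is its own inverse

def rsa_sign(msg: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % RSA_N
    return pow(h, RSA_D, RSA_N)

def rsa_verify(msg: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % RSA_N
    return pow(sig, RSA_E, RSA_N) == h

def handshake_rsa_kx(plaintext: bytes) -> dict:
    """TLS_RSA_* style: client encrypts a premaster secret to the server's
    public key. Returns exactly what a passive eavesdropper sees on the wire."""
    premaster = secrets.randbelow(RSA_N)
    encrypted_premaster = pow(premaster, RSA_E, RSA_N)
    key = kdf(premaster)  # server recovers premaster with RSA_D, same key
    return {"kx": "RSA", "encrypted_premaster": encrypted_premaster,
            "record": encrypt(key, plaintext)}

def handshake_dhe(plaintext: bytes) -> dict:
    """TLS_DHE_RSA_* style: fresh DH exponents per connection; the server
    signs its public value with the long-term RSA key."""
    a = secrets.randbelow(DH_P - 2) + 1   # server ephemeral exponent
    b = secrets.randbelow(DH_P - 2) + 1   # client ephemeral exponent
    A = pow(DH_G, a, DH_P)
    B = pow(DH_G, b, DH_P)
    sig = rsa_sign(A.to_bytes(16, "big"))
    assert rsa_verify(A.to_bytes(16, "big"), sig)  # client checks the signature
    key = kdf(pow(A, b, DH_P))                     # both sides compute g^(ab)
    assert key == kdf(pow(B, a, DH_P))
    # a and b are discarded after the handshake: nothing on the wire lets
    # anyone recompute key later, even with RSA_D in hand.
    return {"kx": "DHE", "A": A, "B": B, "sig": sig,
            "record": encrypt(key, plaintext)}

def passive_attacker(wire: dict, rsa_d: int):
    """Eavesdropper holding the server's RSA private key. Returns recovered
    plaintext, or None when the key exchange gives it nothing to decrypt."""
    if wire["kx"] == "RSA":
        premaster = pow(wire["encrypted_premaster"], rsa_d, RSA_N)
        return decrypt(kdf(premaster), wire["record"])
    # DHE: A, B and the signature are public; the signing key only lets the
    # attacker verify (or, if active, forge) A. Recovering g^(ab) from A and
    # B is a discrete-log problem the RSA key does not help with.
    return None

def active_attacker_forges_key_share(rsa_d: int) -> bool:
    """With the signing key an *active* MITM can sign its own DH value and
    pose as the server. That is the detectable attack, not passive decryption."""
    m = secrets.randbelow(DH_P - 2) + 1
    M = pow(DH_G, m, DH_P).to_bytes(16, "big")
    h = int.from_bytes(hashlib.sha256(M).digest(), "big") % RSA_N
    forged_sig = pow(h, rsa_d, RSA_N)
    return rsa_verify(M, forged_sig)
```

Run `passive_attacker(handshake_rsa_kx(msg), RSA_D)` and it hands back the plaintext; run it on `handshake_dhe(msg)` and it returns None, while `active_attacker_forges_key_share(RSA_D)` still succeeds. That is the whole point of the comments above: the certificate key buys impersonation, not retroactive decryption of recorded DHE traffic.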
"I think we should trust Google to keep their private keys safe, although it would help a lot if they published in general terms how they accomplish this."
Really, I would think it would be easy for the NSA, etc. to get an operative inside Google, FB etc. and steal these. Intelligence organizations are very good at this after all.
> How are they getting the DH keys without cooperation from at least one of the SSL endpoints involved?
One possibility is to actually compute discrete logarithms.
Does anyone know what elliptic curve parameters Gmail uses for key exchange? If the parameters are large, it is not feasible to break discrete logs using known methods, but while I'm usually wary of claims that the NSA is miles ahead of the academic research community, I could perhaps believe they have faster algorithms for e.g. some NIST curves.
So... If I understand everything correctly, it should be impossible to decrypt passively captured HTTPS traffic to/from google.com.
http://www.quora.com/SSL-Secure-Sockets-Layer/Is-it-ever-pos...
Could someone more knowledgeable confirm this?