Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Google hardens HTTPS encrypted traffic against future attacks

SSL-secured communication now assigns separate private keys

Article comments

Google has modified the encryption method used by its HTTPS-enabled services including Gmail, Docs and Google+, in order to prevent current traffic from being decrypted in the future when technological advances make this possible.

The majority of today's HTTPS implementations use a private key known only by the domain owner to generate session keys that are subsequently used to encrypt traffic between the servers and their clients.

This approach exposes the connections to so-called retrospective decryption attacks. "In ten years time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today's email traffic," explained Adam Langley, a member of Google's security team.

In order to mitigate this relatively low, but real security risk, Google has implemented an encryption property known as forward secrecy, which involves using different private keys to encrypt sessions and deleting them after a period of time.

In this way, an attacker who manages to break or steal a single key won't be able to recover a significant quantity of email traffic that spans months of activity, Langley said. In fact, he pointed out that not even the server admin will be able to decrypt HTTPS traffic retroactively.

Because SSL wasn't designed to support key exchange mechanisms capable of forward secrecy by default, the Google engineers had to design an extension for the popular OpenSSL toolkit. This was integrated into OpenSSL 1.0.1, which has yet to be released as a stable version.

The new Google HTTPS implementation uses ECDHE_RSA for key exchange and the RC4_128 cipher for encryption. Unfortunately, this combination is only supported in Firefox and Chrome at the moment, which means that HTTPS connections on Internet Explorer will not benefit from the added security.

This isn't necessarily a problem with Internet Explorer, which does support a combination of EDH (Ephemeral Diffie-Hellman) key exchange and RC4. EDH also provides forward secrecy, but Google chose ECDHE (Elliptic curve Diffie-Hellman) instead for performance reasons.

The company plans to add support for IE in the future and hopes that its example will encourage other service providers that use HTTPS to implement forward secrecy, so that one day it can become the norm for online traffic encryption.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *