Google is working on strengthening its security aspects, especially the encryption on Gmail and other services. This effort has been done, keeping in mind that messages stored today can’t easily be decrypted later by faster computers using brute force methods.
Google security team’s Adam Langley, yesterday wrote in a blog post that the search engine giant is enabling what is being termed “forward secrecy” by default. The blog post had him noting, “Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today.” Further, he even wrote, “In ten years time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic.”
In short, with the help of forward secrecy, it can be noted that the private crypto keys for a connection are not kept in persistent storage that would let an adversary to decrypt past connections by breaking a single key.
Google has made the forward secret HTTPS (Hyper Text Transfer Protocol Secure) live for Gmail, Google Docs, SSL (Secure Sockets Layer) Search, and Google+.
Additionally, users who are using Chrome, are guided below to check whether they have forward secret connections. They just have to click on the green padlock in the address bar of HTTPS sites and looking for the “ECDHE_RSA” key exchange mechanism. For users using other browsers such as, Firefox and Internet Explorer on Vista or above, can find support forward secrecy using elliptic curve Diffie-Hellman.
However, initially only Chrome and Firefox will be able to use it by default with Google services. This is because IE doesn’t support the combination of ECDHE and RC4. In this context, Langley wrote, “We hope to support IE in the future.”
Talking about Google updates related to security has been moving up the scale and the company seems to be taking up the matter in a really serious way. The search engine giant has been quite aggressive in rolling out encryption options for its users. Since July 2008, the encryption updates has been a part of the Google security update. They started it with a Gmail option, then moved on to the SSL by default in Gmail in January 2010. further updates were related to default SSL for search, seen more recently in October.
Google’s announcement was quite apt, which briefed everyone about the enabling of the forward secrecy by default.
Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic.
Forward secrecy requires that the private keys for a connection are not kept in persistent storage. An adversary that breaks a single key will no longer be able to decrypt months’ worth of connections; in fact, not even the server operator will be able to retroactively decrypt HTTPS sessions.