Risk
11/22/2011
05:33 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Google Ratchets Up Security Of HTTPS

'Forward secret' HTTPS feature now protects Gmail, SSL Search, Google Docs, and Google+

Google today announced that its SSL-based services are now enhanced to prevent HTTP sessions from being decrypted.

The so-called "forward secrecy" feature basically protects an HTTPS-secured session from being retroactively decrypted, according to Adam Langley, a member of the Google security team. So if a bad guy were to attempt to decrypt HTTPS sessions he had recorded, he would be unable to do so, Langley says.

"Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption," Langley said in a blog post announcing the new security feature today. "In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic."

Forward secrecy is different than nonforward secrecy, where the private keys for an SSL connection are stored for the long term. With forward secrecy, no one can go back and decrypt a recorded HTTPS session, not even the SSL server administrator, Langley says.

Secure Sockets Layer (SSL) has been under siege lately with one certificate authority after another getting hacked, its inherent vulnerability to man-in-the-middle attacks, as well as the high volume of SSL-based websites that are improperly configured.

Ivan Ristic, director of engineering at Qualys and an SSL expert, says Google's addition of forward secrecy "is communication channel encryption done right."

It also prevents governments from decrypting recorded traffic. "Without it, they might try to get Google's private keys. So Google is removing a potentially big liability for them with this move. Perhaps that was their main motivation," he says.

Google is also placing the forward secrecy technology in the public domain in hopes that it will become part and parcel of HTTPS implementations. "We have also released the work that we did on the open source OpenSSL library that made this possible," Langley says.

Users can confirm whether forward-secrecy is running in their Chrome browsers by clicking the green padlock to the left of an HTTPS URL: The key exchange mechanism is ECDHE_RSA if the new feature is active in the browser app.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web