
Assuming one is logging all data between the client browser and the HTTPS server, is it possible to later decrypt that logged data, once the private key has been stolen from the webserver?

Or, perhaps separate private keys are generated on the fly for data transmission (independent of certificate signing) in which case that would not be possible?

In other words, does HTTPS provide forward secrecy?

700 Software
  • Covered in part 2 of [the great ursine epic of 2012](http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work) and several more specific Qs, although searching has quite a few false hits; try http://security.stackexchange.com/questions/71309/it-is-possible-to-decrypt-https-with-the-private-public-pair-if-it-uses-dhe and http://security.stackexchange.com/questions/97566/impact-of-sharing-the-private-key-with-a-third-party-for-snooping-ssl-traffic – dave_thompson_085 Oct 10 '16 at 18:51

2 Answers


Retroactive decryption is possible for all connections that used RSA key exchange, but not for all connections that used DHE or ECDHE. Non-PFS key exchanges are not allowed for HTTP/2 and are deprecated in TLS 1.3, but are sadly widely deployed.

In September 2016, SSL Pulse [1] surveyed 139,141 sites and of those, 17,504 had no PFS cipher suites enabled, 43,422 had some PFS cipher suites enabled, 39,616 used PFS with modern browsers and 38,607 used PFS with most browsers.

1 - https://www.trustworthyinternet.org/ssl-pulse/

Z.T.
  • Thanks! How would one know if their site is using the RSA key exchange, instead of one of the others that do not provide forward secrecy? Is there something in the browser that would indicate this, or something on SSLLabs? – 700 Software Oct 10 '16 at 16:43
  • Also would like to know if downgrade to a non-PFS protocol can be achieved with MiTM. Should these be asked as separate questions? – 700 Software Oct 10 '16 at 17:07
  • @GeorgeBailey Yes this is a question of general interest, please ask a separate question. – kaidentity Oct 10 '16 at 18:07
  • @GeorgeBailey: all major browsers can show the keyexchange used, but they are all slightly different so you'll have to either use your particular browser's help function and maybe even think, or ask about a dozen different questions. All major browsers and practically all servers support more than one keyexchange, so it's not really whether the site 'uses' RSA or something else, but what the site _can_ use, and yes SSLLabs among many other tools displays this. – dave_thompson_085 Oct 10 '16 at 19:05
  • @GeorgeBailey MiTM downgrade from PFS to RSA key exchange shouldn't work. The client that thinks it is establishing a DHE connection to the server expects to get a ServerKeyExchange signed by the private key corresponding to the public key in the server's certificate, and a MiTM can't fake that. – Z.T. Oct 10 '16 at 22:25
  • @GeorgeBailey see http://security.stackexchange.com/a/139382/70830 – Z.T. Oct 10 '16 at 23:20

You should be able to see whether a cipher suite uses PFS by looking at the second element. E.g. TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA uses elliptic curve Diffie-Hellman for key exchange. Reference: http://www.thesprawl.org/research/tls-and-ssl-cipher-suites/

kaidentity
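As an added example (not code from the question or from either answer), here is a Python 3 classifier for the check both answers describe: reading the key-exchange token of a cipher-suite name to decide whether a recorded session could later be decrypted with the server's stolen private key. It accepts both IANA and OpenSSL spellings, treats TLS 1.3 suites as ephemeral (1.3 has no static key exchange to offer), and files static ECDH and static DH alongside plain RSA key exchange, including the TLS_ECDH_ECDSA suite quoted in the second answer: in those suites the certificate's long-term key is the Diffie-Hellman key, so its theft exposes past sessions just as an RSA key does; only the ECDHE/DHE forms give forward secrecy. The sample suite list is constructed for the example; `server_accepts_static_rsa` is an optional live probe (needs network access) that offers a server only OpenSSL's `kRSA` suites over TLS 1.2, the check asked for in the first comment thread.

```python
"""Classify TLS cipher suites by whether their key exchange is forward secret."""
import socket
import ssl

# Key-exchange tokens that lead a TLS 1.2 suite name (IANA or OpenSSL spelling).
EPHEMERAL_KX = {"ECDHE", "DHE", "AECDH", "ADH"}   # (EC)DHE; A* = OpenSSL anonymous forms
STATIC_KX = {"RSA", "ECDH", "DH"}                  # key lives in the certificate: no PFS
OTHER_KX = {"PSK", "SRP", "KRB5", "GOST2012", "GOST2001"}  # PFS depends on variant


def key_exchange(suite):
    """Return 'ephemeral', 'static' or 'unknown' for one cipher-suite name.

    Handles IANA names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and OpenSSL
    names (ECDHE-RSA-AES128-GCM-SHA256, AES128-GCM-SHA256).
    """
    name = suite.strip().upper()
    if name.startswith("TLS_"):
        if "_WITH_" not in name:
            # TLS 1.3 names (TLS_AES_128_GCM_SHA256, ...) carry no key-exchange
            # token: 1.3 always runs an ephemeral (EC)DHE exchange.
            return "ephemeral"
        kx = name[4:].split("_WITH_", 1)[0]        # "ECDHE_RSA", "RSA", "ECDH_ECDSA", ...
        if kx in ("DH_ANON", "ECDH_ANON"):
            return "ephemeral"                      # ephemeral but unauthenticated
        first = kx.split("_", 1)[0]
    else:
        first = name.split("-", 1)[0]               # OpenSSL spelling
        if first in OTHER_KX:
            return "unknown"
        if first not in EPHEMERAL_KX and first not in STATIC_KX:
            # OpenSSL omits the token for RSA key exchange: AES128-SHA, DES-CBC3-SHA, ...
            return "static"
    if first in EPHEMERAL_KX:
        return "ephemeral"
    if first in STATIC_KX:
        return "static"
    return "unknown"


def summarize(suites):
    """Count suites per key-exchange class and list the ones without PFS."""
    counts = {"ephemeral": 0, "static": 0, "unknown": 0}
    non_pfs = []
    for suite in suites:
        cls = key_exchange(suite)
        counts[cls] += 1
        if cls == "static":
            non_pfs.append(suite)
    return counts, non_pfs


def server_accepts_static_rsa(host, port=443, timeout=5.0):
    """Offer a server only RSA-key-exchange suites over TLS 1.2.

    True means a non-PFS handshake succeeded, i.e. sessions with this server
    could be decrypted later from the server's private key. Handshake
    rejection returns False; connectivity errors propagate so they are not
    mistaken for a refusal. Assumes an OpenSSL build that still has kRSA.
    """
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # 1.3 would ignore the cipher list
    ctx.set_ciphers("kRSA")                          # OpenSSL alias: RSA key exchange only
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return key_exchange(tls.cipher()[0]) == "static"
    except ssl.SSLError:
        return False


# Constructed sample, not a real server's list.
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",                  # TLS 1.3: ephemeral
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # ephemeral
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",        # ephemeral
    "TLS_RSA_WITH_AES_128_CBC_SHA",            # static RSA: retroactively decryptable
    "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",    # static ECDH: no forward secrecy
    "ECDHE-ECDSA-CHACHA20-POLY1305",           # OpenSSL spelling: ephemeral
    "AES128-GCM-SHA256",                       # OpenSSL spelling, no token: RSA kx
    "TLS_PSK_WITH_AES_128_CBC_SHA",            # unknown
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",        # anonymous DH: ephemeral, unauthenticated
]

if __name__ == "__main__":
    counts, non_pfs = summarize(SAMPLE_SUITES)
    print(counts)
    for suite in non_pfs:
        print("no forward secrecy:", suite)
    # Live check, network required, e.g.: print(server_accepts_static_rsa("example.com"))
```

To run it against your own server's offered list, feed `summarize` the suite names from an SSL Labs report or from `openssl ciphers -v` restricted to what the server negotiates; a non-empty `non_pfs` list, or a True from `server_accepts_static_rsa`, means some clients can still be served a session that the private key alone would unlock.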