[Cryptography] In the face of "cooperative" end-points, PFS doesn't help

Tony Arcieri bascule at gmail.com
Sat Sep 7 16:27:00 EDT 2013

On Fri, Sep 6, 2013 at 6:49 PM, Marcus D. Leech <mleech at ripnet.com> wrote:

> It seems to me that while PFS is an excellent back-stop against NSA
> having/deriving a website RSA key

Well, it helps against passive eavesdropping. However if the NSA has a web
site's private TLS key, they can still MitM the traffic, even with PFS.

Likewise with "perfect" forward secrecy, they can collect and store all
your traffic for the next 10-20 years when they get a large quantum
computer, and decrypt your traffic then.

PFS is far from "perfect"

Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20130907/861fc0c6/attachment.html>

More information about the cryptography mailing list