Ognjen Blagojevic wrote:
On 11.4.2014 10:52, André Warnier wrote:
3) if he has recorded past encrypted traffic to/from your server, and
saved
this recording, then he can at any time go back and decrypt this past
traffic, and pick up
anything interesting from there, even without having the new keys. Such
a recording could contain, for example, any number of submits
from HTML login pages, which were theoretically protected by being made
on an encrypted
channel. That could probably also contain any communications which your
server did with other servers over encrypted channels.
... unless Forward secrecy was utilized, which is pretty much invented
to defeat future decryption of recorded traffic.
Forward secrecy was easy to set up on Linux with APR.
All agreed. But I was talking about existing recordings of past communications.
Whatever is done from now on, would not help in that respect, would it ?
When tcnative 1.1.30 is released, it will be easy to set up on Windows
with APR.
If issue 55988 [1] is resolved, it would be also possible to set it up
on JSSE connectors with Java 8.
-Ognjen
[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=55988
Famous last words..
"- I don't think this feature justifies a big blob of ugly code, so this should wait for
Java 8."
I gather that this was written before HeartBleed became public knowledge.
;-)
I believe that in the end, it has to be hoped that the bad guys are no better than the
good guys, and that they did not spot this any earlier than the good guys.
http://www.theregister.co.uk/2014/04/01/nsa_plans_range_of_free_cloud_services_data_analytics/
They must be very pleased.
Now that they have the keys also, they can go back and decode all that stuff, and then
they they can zip it properly and reclaim a lot of disk space.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
