[SSL Observatory] Ubiquitous usage of non-ephemeral keys
Erwann ABALEA
eabalea at gmail.com
Wed Apr 6 15:24:57 PDT 2011
If the negociated ciphersuite uses DH (either plain DH or EDH), then you
can't decipher a capture with only the RSA private key.
EDH is used by default if your Apache config is not properly optimized for
speed.
Le 6 avr. 2011 23:36, "ArkanoiD" <ark at eltex.net> a écrit :
> Are we really sure it is ok that anyone who got possession of expired
server private key can decipher any old capured SSL traffic? Expired keys
are rarely disposed properly, most people think there is no harm in leaking
keys that are not in use anymore.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.eff.org/pipermail/observatory/attachments/20110406/c2bcb38f/attachment.html>
More information about the Observatory
mailing list