[SSL Observatory] Ubiquitous usage of non-ephemeral keys
ArkanoiD
ark at eltex.net
Wed Apr 6 15:33:45 PDT 2011
Sure. My impression was that it is rarely used "on the internets", most servers
try to negotiate reusable key protocol (as well non-DH ciphers are preferred in web browsers)
On Wed, Apr 06, 2011 at 11:24:57PM +0100, Erwann ABALEA wrote:
>
> If the negociated ciphersuite uses DH (either plain DH or EDH), then
> you can't decipher a capture with only the RSA private key.
> EDH is used by default if your Apache config is not properly optimized
> for speed.
>
> Le 6 avr. 2011 23:36, "ArkanoiD" <[1]ark at eltex.net> a ecrit :
> > Are we really sure it is ok that anyone who got possession of
> expired server private key can decipher any old capured SSL traffic?
> Expired keys are rarely disposed properly, most people think there is
> no harm in leaking keys that are not in use anymore.
>
> email protected and scanned by AdvascanTM - keeping email useful -
> www.advascan.com
>
> References
>
> 1. mailto:ark at eltex.net
More information about the Observatory
mailing list