Online privacy and security advocates have long urged Web services to improve their data encryption methods. The Heartbleed bug, which was discovered this week and affects the most widely used security software on the Internet, has shown that a change in Web security practice is needed. Groups like the Electronic Frontier Foundation said this week’s incident should be the final wake-up call for companies to start using the “perfect forward secrecy” encryption method.
Not even the EFF is immune to Heartbleed -- the group’s private communications with anonymous sources have been compromised -- but any potential damage was mitigated by perfect forward secrecy, which generates a new random key every time public data is transmitted to EFF’s server.
“If a server was configured to support forward secrecy, then a compromise of its private key can’t be used to decrypt past communications,” Yan Zhu, a staff technologist at EFF, wrote on the advocacy group’s blog. Even if a hacker used Heartbleed to access EFF’s private key, he or she couldn’t use it to read any traffic sent to EFF’s website after the site adopted perfect forward secrecy.
Most websites don’t support any form of forward secrecy, meaning any keys stolen with Heartbleed could be used to read any previously unintelligible information a hacker may have gathered from a compromised server.
“In the aftermath of [Heartbleed], it’s clear that forward secrecy is necessary to protect against unforeseeable threats to SSL private keys,” Zhu said. “Whether that threat is an existing or future software bug, an insider who steals the key, a secret government demand to enable surveillance, or a new cryptographic breakthrough, the beauty of forward secrecy is that the privacy of today’s sessions doesn’t depend on keeping information secret tomorrow.”
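The property described above, as an added example that is not from EFF or the original article: a toy handshake without forward secrecy (RSA key transport) next to one with it (ephemeral Diffie-Hellman), with the same stolen long-term private key applied to each recorded transcript. The function names, the tiny parameters and the unpadded textbook RSA are assumptions chosen to keep the example short; none of them are suitable for real use.

```python
import secrets

# Toy parameters constructed for this example; real deployments use 2048-bit+ RSA
# and standardized (EC)DH groups. Both primes below are Mersenne primes.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q                                   # server's long-term RSA public modulus
D = pow(E, -1, (P - 1) * (Q - 1))           # long-term private key: what a key theft exposes
DH_P, DH_G = 2**127 - 1, 3                  # toy Diffie-Hellman group


def rsa_key_transport():
    """No forward secrecy: the client encrypts the session key to the long-term key."""
    session_key = secrets.randbelow(2**64) + 1
    recorded = {"encrypted_key": pow(session_key, E, N)}   # seen by a passive recorder
    return session_key, recorded


def ephemeral_dh():
    """Forward secrecy: fresh secrets per session; the long-term key only signs."""
    a = secrets.randbelow(DH_P - 2) + 1     # client's ephemeral secret
    b = secrets.randbelow(DH_P - 2) + 1     # server's ephemeral secret
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    signature = pow(B % N, D, N)            # textbook RSA signature over B (authentication)
    session_key = pow(A, b, DH_P)           # equals pow(B, a, DH_P) on the client side
    recorded = {"A": A, "B": B, "signature": signature}
    return session_key, recorded            # a and b are discarded when the session ends


def apply_stolen_key(recorded, d=D):
    """Everything the long-term private key yields from a recorded handshake."""
    return {pow(value % N, d, N) for value in recorded.values()}


def recoverable(handshake):
    """True if the stolen long-term key recovers this handshake's session key."""
    session_key, recorded = handshake()
    return session_key in apply_stolen_key(recorded)


if __name__ == "__main__":
    print("RSA key transport recoverable:", recoverable(rsa_key_transport))
    print("Ephemeral DH recoverable:     ", recoverable(ephemeral_dh))
```

In the forward-secret case the only remaining route to the session key is solving the Diffie-Hellman problem on the recorded A and B, which is why real deployments need a properly sized group; the toy one here is not.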