Google is strengthening the encryption on Gmail and other services so that encrypted traffic recorded today can't be decrypted later by an adversary who breaks the server's private key with faster computers, or who simply obtains a copy of it.
The company is enabling what is called "forward secrecy" by default, Adam Langley of Google's security team wrote in a blog post yesterday.
"Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today," he wrote. "In ten years' time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today's email traffic."
Without forward secrecy, the client encrypts the session key (the premaster secret) to the server's long-term RSA key, so anyone who records the traffic and later breaks or steals that single key can decrypt every recorded connection. With forward secrecy, each connection's session key instead comes from a fresh, ephemeral Diffie-Hellman exchange; the long-term private key only signs that exchange, and the ephemeral values are discarded when the connection ends and never written to persistent storage. Compromising the long-term key later therefore lets an adversary impersonate the server in future connections, but not decrypt past ones.
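The difference in concrete terms, as an added example that is not Google's code or from Langley's post: a recorder captures two toy handshakes, one TLS_RSA-style (premaster secret encrypted to the server key) and one DHE_RSA-style (ephemeral Diffie-Hellman signed by the server key), then later obtains the server's private key and tries to decrypt both. Everything here is a simplification for illustration and an assumption of this example, not real TLS: textbook RSA with no padding, a SHA-256 counter-mode stream cipher in place of a real record layer, finite-field DH over the RFC 2409 group 2 prime in place of ECDHE, and a constructed sample message. It uses only the Python standard library.

```python
"""Added example (not Google's code): RSA key transport, which an adversary can
decrypt retrospectively, beside a signed ephemeral Diffie-Hellman exchange, which
the same adversary cannot. Toy crypto throughout; see the lead-in above."""
import hashlib
import secrets

# RFC 2409 group 2 (1024-bit MODP) prime and generator for the ephemeral DH.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin, enough for generating toy RSA primes."""
    if n < 2 or any(n % s == 0 and n != s for s in (2, 3, 5, 7, 11, 13)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def gen_rsa_key(bits=512):
    """Toy server key: n and e are public; d is the long-term private key."""
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return {"n": p * q, "e": 65537, "d": pow(65537, -1, phi)}

def _h(*parts):
    """SHA-256 over length-prefixed parts; also serves as the toy KDF."""
    m = hashlib.sha256()
    for part in parts:
        m.update(len(part).to_bytes(4, "big") + part)
    return m.digest()

def stream_xor(key, data):
    """Toy counter-mode stream cipher; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], _h(key, i.to_bytes(4, "big"))))
    return bytes(out)

def handshake_rsa(server_pub):
    """TLS_RSA style: premaster secret encrypted to the server's long-term key."""
    cr, sr, pms = secrets.token_bytes(32), secrets.token_bytes(32), secrets.token_bytes(48)
    enc_pms = pow(int.from_bytes(pms, "big"), server_pub["e"], server_pub["n"])
    return _h(pms, cr, sr), {"kind": "RSA", "cr": cr, "sr": sr, "enc_pms": enc_pms}

def handshake_dhe_rsa(server_key):
    """DHE_RSA style: fresh DH share per connection, merely signed by the RSA key."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    x = secrets.randbelow(P - 2) + 1                       # server ephemeral
    gx = pow(G, x, P)
    digest = int.from_bytes(_h(cr, sr, gx.to_bytes(128, "big")), "big")
    sig = pow(digest, server_key["d"], server_key["n"])    # textbook RSA signature
    assert pow(sig, server_key["e"], server_key["n"]) == digest  # client verifies
    y = secrets.randbelow(P - 2) + 1                       # client ephemeral
    gy = pow(G, y, P)
    shared = pow(gx, y, P)                                 # equals pow(gy, x, P)
    # x and y are dropped here: nothing persistent can yield `shared` later.
    return _h(shared.to_bytes(128, "big"), cr, sr), {
        "kind": "DHE", "cr": cr, "sr": sr, "gx": gx, "sig": sig, "gy": gy}

def retrospective_decrypt(transcript, ciphertext, server_key):
    """Adversary with a recording and the later-obtained private key; None if the key does not help."""
    if transcript["kind"] == "RSA":
        pms = pow(transcript["enc_pms"], server_key["d"], server_key["n"]).to_bytes(48, "big")
        return stream_xor(_h(pms, transcript["cr"], transcript["sr"]), ciphertext)
    # DHE: the recording holds g^x and g^y; d forges future signatures but recovering x or y is a discrete log.
    return None

def demo(plaintext=b"constructed sample: one email body"):
    """Both handshakes, then the attack; expect {"RSA": plaintext, "DHE": None}."""
    server_key = gen_rsa_key()
    public = {"n": server_key["n"], "e": server_key["e"]}
    results = {}
    for key, transcript in (handshake_rsa(public), handshake_dhe_rsa(server_key)):
        results[transcript["kind"]] = retrospective_decrypt(
            transcript, stream_xor(key, plaintext), server_key)
    return results
```

Calling `demo()` returns the sample message for the RSA transcript and `None` for the DHE one: the recorded DHE transcript contains only g^x, g^y and a signature, and the leaked signing key reveals none of the exponents. The Chrome indicator discussed below reports exactly this distinction, with "ECDHE" in the key exchange name standing for the elliptic-curve version of the ephemeral exchange.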
Forward secret HTTPS (Hypertext Transfer Protocol Secure) is live for Gmail, Google Docs, SSL (Secure Sockets Layer) Search, and Google+.
Chrome users can check whether they have a forward secret connection by clicking on the green padlock in the address bar of an HTTPS site and looking for "ECDHE_RSA" as the key exchange mechanism: ephemeral elliptic curve Diffie-Hellman for the key exchange, authenticated by the server's RSA certificate. A key exchange shown as plain "RSA" means the session key was encrypted to the server's long-term key and the connection is not forward secret.
Firefox and Internet Explorer on Vista and later support forward secrecy using elliptic curve Diffie-Hellman. However, only Chrome and Firefox will initially use it by default with Google services, because IE doesn't support the combination of ECDHE and RC4. "We hope to support IE in the future," Langley wrote.
Google has been aggressive in rolling out encryption options for its users, starting with a Gmail option back in July 2008, then SSL by default in Gmail in January 2010, and more recently, default SSL for search in October.