Quote:
Originally Posted by Barry-xlovecam
Ever install a SSL Key? If you bought your SSL certificate from Verisign, Thawt, Komodo, or other public vendors there is a record of your encrypt/decrypt key on file. All they need is a subpoena -- if the SSL Cert issuer is in the US the "governmental agency" can get that key -- YOUR ENCRYPTION IS TRASHED.
|
Yep, that was my point. Hoovering encrypted data is really no different to cleartext, since if the NSA finds anything pointing to the encrypted data that suggests it has relevance, they can "legally" acquire the SSL key and decrypt the data they've already stored.
There's something called (I think) forward security which uses a one-time encryption key for SSL, but it's not widely supported. I don't really understand how it works, since two hosts negotiating the random encryption key could be captured by a third party. Seems a little like yelling out your password across the room... but I'm not a cryptographer, so I presume there's some magic way it works.
