Quote:
Originally Posted by rowan
There's something called (I think) forward security which uses a one-time encryption key for SSL, but it's not widely supported. I don't really understand how it works, since two hosts negotiating the random encryption key could be captured by a third party. Seems a little like yelling out your password across the room... but I'm not a cryptographer, so I presume there's some magic way it works. 
SSL does have forward secrecy support, and it is supported by basically everything except for IIS and IE.
https://en.wikipedia.org/wiki/Forward_secrecy
In some instances it is impossible to mitigate the SSL BEAST attack while having forward secrecy enabled. Ugh.
For an example of well-implemented forward secrecy look at OTR and Tor.
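
The negotiation the quoted post asks about is an ephemeral Diffie-Hellman exchange; the sketch below is an added example, not part of the original thread, showing that the values sent in the clear are not enough to compute the session key. The group (p = 2**255 - 19, g = 2), the function names and the HMAC tag standing in for the server's signature are assumptions chosen for illustration, not parameters to deploy.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only. Real TLS uses vetted 2048-bit+ groups
# or elliptic curves (DHE / ECDHE cipher suites).
P = 2**255 - 19   # a known prime
G = 2

def keypair():
    """Fresh per-session secret and the public value that goes on the wire."""
    secret = secrets.randbelow(P - 3) + 2
    return secret, pow(G, secret, P)

def session_key(my_secret, peer_public):
    """Each side combines its own secret with the peer's public value.
    Both arrive at g^(a*b) mod p without ever transmitting it."""
    shared = pow(peer_public, my_secret, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def handshake(server_long_term_key):
    """Run one session. Returns (wire transcript, client key, server key)."""
    a, A = keypair()   # client ephemeral pair
    b, B = keypair()   # server ephemeral pair
    # The long-term key only authenticates B (HMAC stands in for a
    # certificate signature). It is never an input to the session key.
    tag = hmac.new(server_long_term_key, B.to_bytes(32, "big"),
                   hashlib.sha256).digest()
    transcript = {"p": P, "g": G, "A": A, "B": B, "tag": tag}
    k_client = session_key(a, B)
    k_server = session_key(b, A)
    # a and b are discarded when this function returns. A later theft of
    # the long-term key plus a recorded transcript does not yield the key.
    return transcript, k_client, k_server

if __name__ == "__main__":
    long_term = secrets.token_bytes(32)   # constructed sample key
    wire1, kc1, ks1 = handshake(long_term)
    wire2, kc2, ks2 = handshake(long_term)
    print("eavesdropper sees:", sorted(wire1))
    print("both ends agree:", kc1 == ks1)
    print("sessions share a key:", kc1 == kc2)
```

Recovering the key from `A` and `B` alone means solving the discrete logarithm problem in the chosen group, which is what makes it safe to send them across the room.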