[Above image is the famous Caesar Cipher]
One of the things that irked me about how Google handled the security of their HTTPS traffic was the lack of DHE ciphers. I banged out a post “Google and Amazon do not offer ciphers using Diffie-Hellman Ephemeral mode.“, way back in Oct 2010.
Tonight, out of the blue, I decided to see if anything had changed since then. While it is more than a year ago today but a year after my original blog post, Google finally took the initiative to encrypt their HTTPS traffic using DHE ciphers, as seen here at their Google Online Security Blog.
Google servers will still offer a range of possible ciphers for HTTPS traffic, the ECDHE-RSA-RC4-SHA cipher is now the preferred one, which is supported by all modern browsers. Less secure ciphers are still offered to many visitors who are running ancient browsers supporting only the older ciphers.
This is a great step forward for the security of Google HTTPS traffic: each session of your interactions with Google will be encrypted with a different key that exists only for a short time in memory and never written to persistent storage. If an attacker captures your HTTPS trafic and even a hijacked copy of Google server’s private key, the attacker is still missing one more piece, the ephemeral key that has long since disappeared.
Several decades down the road, if the attacker starts up a powerful (quantum?) computer for decryption attempts, a successful decryption would be limited to one HTTPS session. The attack would have to re-run for each one of the sessions. This will make it very difficult for the attacker to reconstruct what transpired between you and Google during this time.
While it’s better late than never, thank you Google for boosting the security of your traffic, which only gets more sensitive each year as more people become dependent on your services.