Forward Secret HTTPS Enabled For Google Services

Google adds forward secure HTTPS encryption for its key Web services to thwart retrospective decryption

Like Fox Mulder in the “X-Files” Google is fighting the future when it comes to securing email search and other Web services.

The search engine provider, which last month made HTTPS encryption its default security mode for search, said it has added forward secret HTTPS for Google+, Gmail, SSL Search and Docs, paving the way for more secure Web services in the future.

Retrospective decryption protection

Most major sites that support HTTPS, such as Facebook and Twitter, do so in a non-forward secret fashion. What this means is that encrypted, normally unreadable email could be recorded while being delivered to a computer today and decrypted in the future by knowledgeable attackers, when computers become much faster.

To combat what it calls “retrospective decryption,” Google is using forward secrecy, which requires that the private keys for a connection are not kept in persistent storage. When an adversary breaks a single key, they will no longer be able to decrypt several months’ worth of connections. Moreover, server operators themselves won’t be able to decrypt HTTPS sessions in the future.

Google said forward secret HTTPS is now live for Gmail and many other Google HTTPS services such as SSL Search, Docs and Google+.

Google’s Chrome and Mozilla’s Firefox Web browsers and Microsoft Internet Explorer (Vista or later) browsers support forward secrecy using elliptic curve Diffie-Hellman (ECDHE), a key agreement protocol that allows two parties possessing an elliptic curve public-private key pair to establish a shared secret over an insecure channel.

No Microsoft Support

Only Chrome and Firefox will initially use it by default with Google services because Microsoft Internet Explorer does not support ECDHE and the RC4 software stream cipher.

Users can check whether they have forward secret connections in Chrome by clicking on the green padlock in the address bar of HTTPS sites. Google’s forward secret connections will have a key exchange mechanism of ECDHE_RSA.

Google Security team member Adam Langley also said Google has released the work that it did on the open-source OpenSSL library that led to forward secrecy HTTPS encryption.

“We would very much like to see forward secrecy become the norm and hope that our deployment serves as a demonstration of the practicality of that vision,” added Langley, who provided more detail of Google’s security move on his personal blog.

Google’s security team has been very active in trying to thwart some of the more mainstream attacks on its Web services.

In April, Google  began work on two security projects to improve the public key infrastructure, which was rocked by the Comodo digital certificate spoofing incident in March.

The Google Certificate Catalog is a database of all of the SSL certificates Google’s Web crawlers record in the DNS for the company’s search engine and Web services. The DANE Working Group at the IETF is intended to allow domain operators to publish information about SSL certificates used on their hosts.