[arkadiyt]

> Make an RSA key of 4096 bits. Call it your personal key.

This is bad advice - making a 4096 bit key slows down visitors of your website and only gives you 2048 bits of security (if someone can break a 2048 bit RSA key they'll break the LetsEncrypt intermediate cert and can MITM your site). You should use a 2048 bit leaf certificate here

[Arnavion]

My webhost only supports RSA keys, so I use an RSA-4096 key just to annoy them into supporting EC keys.

[asimops]

The key in question is the acme account key though, correct?

[nothrabannosir]

Amateur question: does a 4096 not give you more security against passive capture and future decrypting? Or is the intermediate also a factor in such an async attack?

[arkadiyt]

> does a 4096 not give you more security against passive capture and future decrypting?

If the server was using a key exchange that did not support forward secrecy then yes. But:

    % echo | openssl s_client -connect rachelbythebay.com:443 2>/dev/null | grep Cipher
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

^ they're using ECDHE (elliptic curve diffie hellman), which is providing forward secrecy.

[nothrabannosir]

I thought FS only protected other sessions from leak of your current session key. How does it protect against passive recording of the session and later attacking of the recorded session in the future?

[arkadiyt]

If using a non-FS key exchange (like RSA) then the value that the session key is derived from (the pre-master secret) is sent over the wire encrypted using the server's public key. If that session is recorded and in the future the server's private key is obtained, it can be used to decrypt the pre-master secret, derive the session key, and decrypt the entire session.

If on the other hand you use a FS key exchange (like ECDHE), and the session is recorded, and the server's private key is obtained, the session key cannot be recovered (that's a property of ECDHE or any forward-secure key exchange), and none of the traffic is decryptable.

[nothrabannosir]

Thanks I think I understand better now!

[dingaling]

> the session key cannot be recovered

Of course it can, but only for that specific session.

[KAMSPioneer]

No, my GP is correct: if the server's RSA private key is compromised it does not allow decryption of any previously-recorded sessions.

You would need to compromise the _ephemeral session key_ which is difficult because it is discarded by both parties when the session is closed.

Compromising the RSA key backing the certificate allows _future_ impersonations of the server, which is a different attack altogether.

[upofadown]

The certificate is for authentication of the server. It has nothing to do with the encryption of the data.

Basically forward secrecy is where both the sender and receiver throw away the key after the data is decrypted. That way the key is not available for an attacker to get access to later. If the attacker can find some way other than access to the key to decrypt the data then forward secrecy has no benefit.