by tptacek 4747 days ago
Nobody has ever presented any evidence ever that NSA has Google's SSL/TLS keys. Not only that, but Google has (a) pinned their public keys so that the browser binary itself can reject bogus-but-signed certificates, and (b) pushed heavily to enable forward secrecy in TLS, which means that even if you compromise their key, you can't decrypt sessions without being an active man in the middle.

Forward secrecy proposal for those curious: http://tools.ietf.org/html/draft-balfanz-tls-channelid-00 .
That's one, but the basic mechanism --- deriving session keys from RSA-signed DH exchanges --- is old, and is simply a ciphersuite (Google deploys an ECC-version of it for performance).
That proposal is for an ephemeral, per gTLD client key and an example of mutual authentication that aims to defeat _active_ attackers (MITM).

Perfect forward secrecy in TLS is a bit different in that the ephemeral diffie-hellman key exchange sets up a shared key that is protected from a _passive_ attacker that observes the TLS encrypted communication and later gets a copy of the server's public key.
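
To make the passive-vs-active distinction in the comments above concrete, here is an added example (written for this page; it is not code from the thread, from Google, or from the cited draft). It runs a TLS_RSA-style handshake and a TLS_DHE_RSA-style handshake side by side, then plays a sniffer who recorded the transcript and later obtains the server's long-term private key, and an active MITM who swaps in an unsigned DH share. Simplifications to be aware of: RSA is textbook (no padding, no side-channel care), SHA-256 over the transcript stands in for the TLS PRF, and the 2048-bit group is RFC 3526 group 14 transcribed by hand (a primality check guards the transcription).

```python
import hashlib
import math
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2 (transcribed; see is_probable_prime check).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=1024):
    """Toy textbook RSA (no padding, no side-channel care): illustration only."""
    def rand_prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1  # top bit set, odd
            if is_probable_prime(c):
                return c
    while True:
        p, q = rand_prime(bits // 2), rand_prime(bits // 2)
        n, e, phi = p * q, 65537, (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:
            return (n, e), (n, pow(e, -1, phi))  # (public, private)

def h_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def rsa_sign(priv, msg):
    return pow(h_int(msg), priv[1], priv[0])

def rsa_verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == h_int(msg)

def session_key(cr, sr, secret):
    # Stand-in for the TLS PRF: bind the key to both randoms and the secret.
    return hashlib.sha256(cr + sr + secret).digest()

def handshake_rsa(server_pub, server_priv):
    """TLS_RSA-style: client encrypts a premaster secret to the server's long-term key."""
    cr, sr, premaster = secrets.token_bytes(32), secrets.token_bytes(32), secrets.token_bytes(48)
    enc = pow(int.from_bytes(premaster, "big"), server_pub[1], server_pub[0])
    transcript = {"cr": cr, "sr": sr, "enc_premaster": enc}  # what a sniffer records
    pm_at_server = pow(enc, server_priv[1], server_priv[0]).to_bytes(48, "big")
    return transcript, session_key(cr, sr, premaster), session_key(cr, sr, pm_at_server)

def handshake_dhe(server_pub, server_priv, mitm_share=None):
    """TLS_DHE_RSA-style: ephemeral DH shares, the server's share signed by its long-term key."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    x = secrets.randbelow(2**256) + 1   # short exponent is standard for a 2048-bit safe-prime group
    gx = pow(G, x, P)
    sig = rsa_sign(server_priv, cr + sr + gx.to_bytes(256, "big"))
    if mitm_share is not None:          # active MITM swaps in its own share...
        gx = mitm_share                 # ...but cannot produce a signature over it
    if not rsa_verify(server_pub, cr + sr + gx.to_bytes(256, "big"), sig):
        return None, None, None         # client aborts the handshake
    y = secrets.randbelow(2**256) + 1
    gy = pow(G, y, P)
    transcript = {"cr": cr, "sr": sr, "gx": gx, "gy": gy, "sig": sig}
    k_client = session_key(cr, sr, pow(gx, y, P).to_bytes(256, "big"))
    k_server = session_key(cr, sr, pow(gy, x, P).to_bytes(256, "big"))
    return transcript, k_client, k_server

def decrypt_later(transcript, server_priv):
    """Passive attacker who recorded the transcript and later obtained the server's private key."""
    if "enc_premaster" in transcript:   # RSA kex: the private key recovers the premaster secret
        pm = pow(transcript["enc_premaster"], server_priv[1], server_priv[0]).to_bytes(48, "big")
        return session_key(transcript["cr"], transcript["sr"], pm)
    # DHE: the transcript holds g^x, g^y and a signature. The private key only lets the
    # attacker *sign*; it reveals neither x nor y, so the session key stays out of reach.
    return None

if __name__ == "__main__":
    pub, priv = rsa_keygen()
    t, kc, ks = handshake_rsa(pub, priv)
    print("RSA kex: keys agree", kc == ks, "| recovered with leaked server key:", decrypt_later(t, priv) == kc)
    t, kc, ks = handshake_dhe(pub, priv)
    print("DHE kex: keys agree", kc == ks, "| recovered with leaked server key:", decrypt_later(t, priv) == kc)
    print("DHE under active MITM with unsigned share:", handshake_dhe(pub, priv, mitm_share=pow(G, 3, P)))
```

The point the two handshakes make: in the RSA exchange the recorded ciphertext plus the leaked key hands the sniffer the session key, while in the DHE exchange the long-term key only ever signs, so a later leak buys the attacker nothing against recorded traffic. Defeating DHE requires being on the path at handshake time and holding the key then, which is exactly the active-MITM condition in the first comment. (Ephemeral-key reuse on the server side would quietly undo this; rotating x per handshake is what makes it "ephemeral".)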

Interesting, I did not know (b). That certainly makes me feel a lot better.