Following the news that Amazon CloudFront has turned on Perfect Forward Secrecy, in addition to a number of changes designed to improve the performance of its SSL connections (http://threatpost.com/amazon-cloudfront-turns-on-perfect-forward-secrecy/107866), Mark James, security specialist at ESET, explains:
“Any security that protects our ever-increasing private data stored on the interweb is a great idea. We all hear about "padlocks" in the browser and SSL along with HTTPS, but often these mean little or nothing when it actually comes down to protecting our data. All too often it’s lost through man-in-the-middle attacks or remote access Trojans even though we all thought it was safe. The other issue we are presented with is "protected data" being stored for future use. Basically, when servers exchange data over HTTPS, they have a list of encryption types they can support and use one to protect your data; the web server has its own "secret key" that it can use to generate a session key that should only be known to itself and the browser. This ensures that the data being sent between the server and user is encrypted and unreadable (complete garbage) to anyone who intercepts it, either accidentally, hacked or held for "official" reasons, BUT if the secret key is ever found and used on that data, it can be decrypted with no problems.
“What can be done to protect us? "Perfect Forward Secrecy" could be the answer. When this technology is used, the session keys that are generated by the server are short-lived, so if the secret key is ever found in the future, it cannot be used to find the session key and therefore cannot ever decrypt your private data. With Facebook, Google, Dropbox, Twitter and now Amazon CloudFront already using this technology, with Microsoft and Yahoo hoping to have it implemented by the end of the year, we might actually be getting a little closer to long-term protection for our very important data from prying eyes.”
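An added example, not part of Mark James's comment and not code from ESET or Amazon: a toy Python model of the difference described above, in which the same leaked long-term key is applied to a recorded session that used RSA key transport and to one that used an ephemeral Diffie-Hellman exchange. The small Mersenne-prime RSA key, the DH group, the XOR cipher and all function names are assumptions chosen so that it runs on the standard library; none of them is suitable for real use.

```python
import hashlib, secrets

# Toy parameters built from Mersenne primes so the example needs only the
# standard library; they are far too small and unpadded for real use.
P1, P2 = 2**61 - 1, 2**89 - 1
N, E = P1 * P2, 65537
D = pow(E, -1, (P1 - 1) * (P2 - 1))   # server's long-term "secret key"
DH_P, DH_G = 2**127 - 1, 3            # toy Diffie-Hellman group

def seal(key: int, data: bytes) -> bytes:
    """XOR data (<= 32 bytes) with a SHA-256 keystream; it is its own inverse."""
    stream = hashlib.sha256(key.to_bytes(32, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def rsa_transport_session(msg: bytes) -> dict:
    """Client picks the session key and sends it encrypted to the long-term key."""
    k = secrets.randbelow(N - 2) + 2
    return {"wire": [pow(k, E, N)], "ciphertext": seal(k, msg)}

def ephemeral_dh_session(msg: bytes) -> dict:
    """Both sides use throwaway DH secrets; the long-term key only signs."""
    a = secrets.randbelow(DH_P - 2) + 2   # server ephemeral secret
    b = secrets.randbelow(DH_P - 2) + 2   # client ephemeral secret
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    digest = int.from_bytes(hashlib.sha256(str(A).encode()).digest(), "big")
    sig = pow(digest % N, D, N)           # authenticates the server's share
    k = pow(B, a, DH_P)                   # equals pow(A, b, DH_P) on the client
    del a, b                              # ephemeral secrets are discarded
    return {"wire": [A, B, sig], "ciphertext": seal(k, msg)}

def decrypt_recording_with_leaked_key(rec: dict, d: int):
    """Apply a later-leaked long-term key to every recorded handshake value."""
    for value in rec["wire"]:
        plain = seal(pow(value, d, N), rec["ciphertext"])
        if plain.startswith(b"GET "):     # recognisable plaintext structure
            return plain
    return None

if __name__ == "__main__":
    msg = b"GET /account?id=42"           # constructed sample request
    print(decrypt_recording_with_leaked_key(rsa_transport_session(msg), D))
    print(decrypt_recording_with_leaked_key(ephemeral_dh_session(msg), D))
```

In the ephemeral case the recording contains nothing that was encrypted to the long-term key, which is why server operators who want this property prefer ECDHE or DHE cipher suites over static RSA key exchange.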