dingaling 2 months ago

> the session key cannot be recovered

Of course it can, but only for that specific session.

KAMSPioneer 2 months ago

No, my GP is correct: if the server's RSA private key is compromised it does not allow decryption of any previously-recorded sessions.

You would need to compromise the _ephemeral session key_ which is difficult because it is discarded by both parties when the session is closed.

Compromising the RSA key backing the certificate allows _future_ impersonations of the server, which is a different attack altogether.
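
An added sketch, not part of the thread, of the property discussed above. It assumes the session key comes from an ephemeral Diffie-Hellman exchange that the long-term RSA key only signs; the toy parameters, textbook RSA and all function names are constructed for illustration.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration; far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1           # two Mersenne primes -> toy RSA modulus
N, E = P * Q, 65537                    # server's public RSA key
D = pow(E, -1, (P - 1) * (Q - 1))      # server's long-term RSA private exponent
DH_P, DH_G = 2**127 - 1, 3             # toy Diffie-Hellman group (assumption)

def _digest(value):
    raw = hashlib.sha256(str(value).encode()).digest()
    return int.from_bytes(raw, "big") % N

def rsa_sign(value, d=D):
    # Textbook RSA signature: deterministic, no padding (illustration only).
    return pow(_digest(value), d, N)

def rsa_verify(value, sig):
    return pow(sig, E, N) == _digest(value)

def handshake():
    """Run one session; return (what a passive recorder sees, client key, server key)."""
    a = secrets.randbelow(DH_P - 2) + 1    # client ephemeral secret
    b = secrets.randbelow(DH_P - 2) + 1    # server ephemeral secret
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    sig = rsa_sign(B)                      # the RSA key authenticates B, nothing more
    assert rsa_verify(B, sig)              # client checks the server's signature
    client_key = pow(B, a, DH_P)
    server_key = pow(A, b, DH_P)
    # a and b leave scope here, mirroring both parties discarding them at close.
    return {"A": A, "B": B, "sig": sig}, client_key, server_key

def apply_leaked_key_to_recording(recording, leaked_d):
    # All the RSA private key can do with a recording is redo the signature,
    # which was already public. The session key needs a or b, which are gone.
    return rsa_sign(recording["B"], leaked_d)

def signed_hello_for_future_session(leaked_d):
    # The same leaked key does sign a fresh ephemeral value that clients accept:
    # the future-impersonation risk, which is why the certificate gets revoked.
    b_new = secrets.randbelow(DH_P - 2) + 1
    B_new = pow(DH_G, b_new, DH_P)
    return B_new, rsa_sign(B_new, leaked_d)

if __name__ == "__main__":
    recording, client_key, server_key = handshake()
    print("keys agree:", client_key == server_key)
    print("leak yields only the public signature:",
          apply_leaked_key_to_recording(recording, D) == recording["sig"])
```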