Session Keys "broken" @ Lavabit, similar to PFS here?

[retiredpilot 6]

I did a thorough read about Lavabit's founder.  I am going to attach a link to the article.  Lower in the article it discusses why he shut down.  One interesting comment is that he suspects the Feds have figured out how to break session keys.   Suspects is different than proof.  I will paste that paragraph below as well.

 

**Security question: The purpose for this thread is to inquire as to any similarities between what he refers to as "session keys" and the PFS used here?  I am simply asking for the opinions of staff or others as to how this might be relevant for all the members here?????

 

 

Direct paste from linked article:

 

The FBI needed two things: a warrant to see metadata (the recipient of an email and time it was sent, for example, but not the content of the email) and a method to decrypt the SSL connections. The warrant was easy. The ability to decrypt SSL connections was problematic.

Normally, an email service logs metadata, and those logs can be monitored by the government. But Lavabit wasn’t a normal email service. Ladar engineered it so that such metadata were never kept on his servers. So when the feds said they wanted to monitor the email of the target(s) in real time, and when they asked for Lavabit’s private SSL master key to do so, Ladar deduced that they’d come up with a way to figure out those third keys, the session keys. Until now, uncovering a session key was thought to be theoretically possible but also so difficult that it would be impractical. Ladar realized the FBI had been able to “reduce” the problem such that it had the ability to uncover session keys in real time. This meant that once they had access to the private SSL keys, they would be able to monitor everyone who was accessing Lavabit and examine everything being sent to and from its servers.

“Nobody knows that capability exists,” Ladar says. He admits he’s just guessing, but then, he would be in a better position than anyone on the planet to guess about such a thing. “That’s why they were trying to keep it secret. They have figured out how to listen to a large number of encrypted conversations in real time.

Link to article:

http://www.dmagazine.com/Home/D_Magazine/2013/November/Real_Story_of_Lavabit_Founder_Ladar_Levison.aspx?p=1

[Staff 9813]

Hello,

 

unfortunately the article is technically so unclear and inaccurate that nothing specific can be said.

 

The definition of Perfect Forward Secrecy implies that a session key can't be derived by any previous key. In AirVPN this is achieved through DHE or ECDHE keying in the web site (TLS up to 1.2, if the browser supports it) and through DHE in OpenVPN (TLS).

 

Kind regards