Internet common sense tells you to look for an “https” prefix on site URLs before offering up private information such as credit card numbers. Thanks to a change Google has rolled out, its own sites carrying that security designation should now be even more secure.
The Google Blog explains the details of what it’s doing, which admittedly go a little over our heads:
Most major sites supporting HTTPS operate in a non-forward-secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years’ time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic.
Forward secrecy requires that the private keys for a connection are not kept in persistent storage. An adversary that breaks a single key will no longer be able to decrypt months’ worth of connections; in fact, not even the server operator will be able to retroactively decrypt HTTPS sessions.
Translation: When you’re using Google stuff, the “s” in “https” is now even more “s.”
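To make the quoted distinction concrete, here is an added example (written for this page; it is not Google’s code and not how any real TLS stack is implemented). It models a “non-forward-secret” handshake as textbook RSA key transport, where the client encrypts the session key to the server’s long-term key, and a forward-secret handshake as ephemeral Diffie-Hellman, where the long-term key never protects the session key and the private exponents are thrown away. An adversary who recorded everything and later obtains the server’s private key can recover the first session but not the second. The RSA modulus is a deliberately tiny constructed toy (two Mersenne primes, no padding); the DH group is the RFC 3526 2048-bit MODP group 14, and the “email” is a constructed sample string.

```python
"""Forward secrecy illustrated: RSA key transport vs. ephemeral Diffie-Hellman (toy model)."""
import hashlib
import secrets

# --- Server's long-term RSA key. CONSTRUCTED TOY: real keys use 2048-bit random primes
# and OAEP/PKCS#1 padding; this is only to show where the session key ends up. ---
P = 2**61 - 1   # Mersenne prime
Q = 2**89 - 1   # Mersenne prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # long-term private exponent (needs Python 3.8+)

# --- RFC 3526 group 14 (2048-bit MODP): the standard DHE group, generator 2. ---
DH_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
DH_G = 2


def _is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin; used to sanity-check the group constant above."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def encrypt(session_key: int, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || counter) blocks. Symmetric, so it also decrypts."""
    key = session_key.to_bytes(32, "big")
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(p ^ s for p, s in zip(data, stream))


def rsa_transport_handshake():
    """Non-forward-secret: the session key travels on the wire encrypted to the long-term key."""
    session_key = secrets.randbits(128)
    transcript = {"encrypted_key": pow(session_key, E, N)}   # what a passive recorder sees
    return session_key, transcript


def dhe_handshake():
    """Forward-secret: fresh exponents per connection; only g^a and g^b hit the wire."""
    a = secrets.randbelow(DH_P - 3) + 2
    b = secrets.randbelow(DH_P - 3) + 2
    client_pub, server_pub = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    for peer in (client_pub, server_pub):          # reject degenerate public values
        if not 1 < peer < DH_P - 1:
            raise ValueError("invalid DH public value")
    shared = pow(server_pub, a, DH_P)
    assert shared == pow(client_pub, b, DH_P)
    session_key = int.from_bytes(
        hashlib.sha256(shared.to_bytes(256, "big")).digest(), "big")
    # a and b are never stored; the long-term key would only sign these values in real TLS.
    transcript = {"client_public": client_pub, "server_public": server_pub}
    return session_key, transcript


def retrospective_decrypt(transcript: dict, ciphertext: bytes, stolen_d: int):
    """Adversary who recorded the handshake and traffic, then later obtained the private key."""
    if "encrypted_key" in transcript:
        session_key = pow(transcript["encrypted_key"], stolen_d, N)   # key recovered
        return encrypt(session_key, ciphertext)
    # DHE transcript: only public values were recorded. The stolen key never protected the
    # session key, and recovering a or b from g^a, g^b is the discrete-log problem.
    return None


if __name__ == "__main__":
    email = b"constructed sample: meeting moved to 3pm"   # CONSTRUCTED
    for name, handshake in (("RSA transport", rsa_transport_handshake), ("DHE", dhe_handshake)):
        key, transcript = handshake()
        recovered = retrospective_decrypt(transcript, encrypt(key, email), D)
        print(f"{name}: adversary with the leaked key recovers -> {recovered}")
```

The test of forward secrecy is the last function: feed it the recorded transcript plus the server’s private key and see whether the session comes back. In a real deployment the same idea is what ECDHE-RSA / ECDHE-ECDSA cipher suites give you, with the long-term key used only to sign the ephemeral values, which is why the quoted post can say even the server operator cannot decrypt old sessions.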
Google says it has enabled forward secrecy on several of its HTTPS services, including Gmail, Google+, and others.
Protecting data for the long term with forward secrecy [Google Blog via Lifehacker, ReadWriteWeb]