some standardized prime numbers that were foolishly used by programmers
Cory, that’s totally unfair.
I agree. Until now, you probably “foolishly” believed it was secure as well.
Thanks for the instructions, done.
I have to read the specs, but I think the key exchange can be attacked by MITM (intercept the prime, replace it on the fly with another one). But if all sides use the same hardcoded primes (as it’s done with IPSec, the configuration is done with a handful of well-known DH groups) this attack vector is minimized.
Imperfect Forward Secrecy will resound through the security world, and we can expect that vendors will begin to take steps to fix things.
I wish I shared your optimism. The paper was published in May, and has mostly failed to resound so far.
Probably some vendors have taken some baby steps already. Others who missed the first publication will catch it this time around and do something. Still others will probably remain oblivious, as they have been for the last five months.
Oh the irony of everyone switching to Diffie-Hellman from RSA because they were afraid of RSA (the company) intentionally weakening crypto.
Diffie-Hellman is key exchange; Rivest/Shamir/Adleman is public-key cryptography.
You can do key exchange with asymmetric encryption - as is done in TLS/SSL and SSH with RSA. That said, DH does give you cheap perfect forward secrecy (not that it matters if what they say is true).
You can actually do ephemeral RSA, but AFAIK, it isn’t supported in TLS because it is extremely slow.
Ah, sure. I thought in the wrong direction when reading your original comment.
I’m too lazy to break cryptography.
You see the battering-ram proof door in the lead .gif? The wall it’s set in is less than ten feet tall, and open at the top. And in real use, a door like that is typically set into a block or 2x4 wall, trivially defeated, that also contains windows which are held in place by screws.
The application of this analogy to Real World™ computer security is left as an exercise for the reader.
Can’t remember if it was a film or documentary or what, but the scene showed the guy not needing hacking skills to get the files he needed. He just tortured the guy with the password until he got it.
Though for covert spying, they probably want to go with that other stuff.
And since people are increasingly in favor of outlawing any effective means of self-defense, Orwell’s prediction comes to mind…
Crypto can only help the average person if we live in a culture that doesn’t allow torture or unnecessary police brutality. You and I do not presently live in such a culture, but it would be nice to achieve that goal, and we may as well have good crypto available just in case.
THAT’S what I was thinking about. Oh thank you, that was going to bug me all day.
Is it? I’d assume that if you’re going to need DH then you have reason to take it somewhat seriously and do a proper build. How do you mean unfair?
Small steps. But if there’s anything that makes their job that fraction more difficult? Gravy.
Don’t be an anarchist. …
The boot-on-face approach to breaking passwords has one inconvenient consequence: it becomes impossible to pretend that the password is still secure. Even after Snowden’s revelations, most Americans seem to prefer to pretend that there’s nothing to worry about, and the inconvenience of a revolution is not, strictly speaking, necessary. The NSA and their owners would prefer it remain that way; it’s a lot less work for them.
I understand the logic of a cryptography party, with personal key exchanges, even though I’ve never been to one. This article implies that something like a key party happens every time I use my bank’s Web site, but it’s assumed the reader already knows about it. I’m forced to conclude that the topic doesn’t concern me, otherwise I’d already be familiar with these names.
It does concern you: the DH params (i.e. the thingy discussed here) are used to create a session key between your browser and the banking site. Diffie-Hellman is great because the session encryption enables perfect forward secrecy (PFS).
Even if an attacker is able to intercept and decrypt the current session this is not enough to decrypt older archived encrypted data. But not if the NSA (or whoever) solved the DH problem for a given DH parameter set (the prime).
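As an added illustration (not code from any commenter in this thread), here is a Python sketch of the checks a client can run on peer-supplied DH parameters before deriving a session secret, covering the two points raised above: the prime is shared by every session and must be large (the 2048-bit floor is an assumption), and a value swapped in on the fly must fail structural checks (safe prime, sane generator, non-trivial peer public value). The toy group p=23, g=5 used in the example is constructed for demonstration only.

```python
import random
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; a composite passes with probability at most 4**-rounds."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(p: int, g: int, peer_pub: int, min_bits: int = 2048) -> list:
    """Return the problems found with a peer-supplied (p, g, public value); empty list = accept."""
    problems = []
    if p.bit_length() < min_bits:  # min_bits=2048 is an assumed policy floor
        problems.append(f"prime is only {p.bit_length()} bits, need >= {min_bits}")
    if not is_probable_prime(p):
        problems.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        problems.append("p is not a safe prime, so small subgroups exist")
    if not 2 <= g <= p - 2:
        problems.append("generator g must lie in [2, p-2]")
    if not 2 <= peer_pub <= p - 2:
        problems.append("peer public value is 0, 1 or p-1 (forces a trivial shared secret)")
    return problems


def dh_session_secret(p: int, g: int, peer_pub: int, min_bits: int = 2048) -> tuple:
    """One side's half of ephemeral DH: a fresh secret x per session gives forward secrecy."""
    problems = check_dh_params(p, g, peer_pub, min_bits)
    if problems:
        raise ValueError("; ".join(problems))
    x = secrets.randbelow(p - 3) + 2          # ephemeral exponent in [2, p-2], discarded after use
    return pow(g, x, p), pow(peer_pub, x, p)  # (our public value, shared secret)
```

The `min_bits` override exists only so the toy group can be exercised; in a real client the default floor is what rejects the small primes the thread is about.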