With revelations about mass surveillance in the news everywhere, an obscure feature of SSL/TLS called forward secrecy has suddenly become very interesting. So what is it, and why is it so interesting now?
Session keys generation and exchange
Every SSL connection begins with a handshake, during which the two parties communicate their capabilities to the other side, perform authentication, and agree on their session keys. The session keys are then used to encrypt the rest of the conversation (session), possibly spanning multiple connections. They are deleted afterwards. The goal of the key exchange phase is to enable the two parties to negotiate the keys securely; in other words, to prevent anyone else from learning these keys.
Several key exchange mechanisms exist, but, at the moment, by far the most commonly used one is based on RSA, where the server's private key is used to protect the session keys. This is an efficient key exchange approach, but it has an important side-effect: anyone with access to a copy of the server's private key can uncover the session keys and decrypt the conversation.
For some, this side-effect is desirable. Many network security devices, for example, can be configured to decrypt communication (and inspect traffic) when given servers' private keys. Without this capability, passive IDS/IPS and WAF devices have no visibility into the traffic and thus provide no protection.
In the context of mass surveillance, however, the RSA key exchange is a serious liability. Your adversaries might not have your private key today, but what they can do now is record all your encrypted traffic. Eventually, they might obtain the key in one way or another (e.g., by bribing someone, obtaining a warrant, or by breaking the key after sufficient technology advances) and, at that time, they will be able to go back in time to decrypt everything.