igrigorik/hpbn.co

Possible mistake in Chapter 4: Transport Layer Security


I think that the end of the following text in Chapter 4: Transport Layer Security might be incorrect:

By contrast, the Diffie-Hellman key exchange allows the client and server to negotiate a shared secret without explicitly communicating it in the handshake: the server’s private key is used to sign and verify the handshake, but the established symmetric key never leaves the client or server and cannot be intercepted by a passive attacker even if they have access to the private key.

The shared secret is calculated by the server using its private key and the public key of the client. Any attacker with the private key of the server could simply perform the same calculation to arrive at the shared secret.

Also noted this typo in the preceding paragraph:

then they can decrypt the the entire session

After a bit of further reading I think that I have confused some terminology. It seems there are two private keys held by the server in this instance. There is the long term private key used by the server to sign messages, and another ephemeral private key generated for the Diffie-Hellman key exchange. If the latter is compromised, then the ephemeral symmetric key for that session would be compromised.

I think a quick mention of this situation would be helpful to clear up any potential confusion.
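The distinction the issue arrives at (long-term signing key versus per-session ephemeral DH key) is easy to see in code. The following is an added toy model, not from the book or the issue author: the group modulus, generator and textbook Schnorr signature are constructed for illustration only and are not what TLS actually uses. It shows that compromise of the server's ephemeral private key recovers the session key from a recorded transcript, while the long-term key only lets its holder produce valid signatures.

```python
"""Toy ephemeral-DH handshake: which private key protects what."""
import hashlib
import secrets

P = 2**127 - 1   # Mersenne prime; toy modulus (NOT a safe-prime group, not secure)
G = 3            # toy generator

def H(*parts):
    """Hash integers to an exponent-sized challenge (toy Fiat-Shamir)."""
    data = b"".join(x.to_bytes(32, "big") for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)

def keygen():
    """Private exponent and matching public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def schnorr_sign(x, msg):
    k = secrets.randbelow(P - 2) + 1
    r = pow(G, k, P)
    return r, (k + x * H(r, msg)) % (P - 1)

def schnorr_verify(y, msg, sig):
    r, s = sig
    return pow(G, s, P) == (r * pow(y, H(r, msg), P)) % P

def handshake(server_lt_priv):
    """One handshake. Returns what a passive observer records (the transcript),
    the real session key, and the server's ephemeral private key (which in a
    real deployment never leaves the server)."""
    c_priv, c_pub = keygen()                  # client ephemeral DH pair
    s_priv, s_pub = keygen()                  # server ephemeral DH pair
    sig = schnorr_sign(server_lt_priv, H(c_pub, s_pub))  # long-term key signs the exchange
    session_key = pow(c_pub, s_priv, P)       # server side of the DH computation
    assert session_key == pow(s_pub, c_priv, P)  # client side agrees
    transcript = {"client_pub": c_pub, "server_pub": s_pub, "sig": sig}
    return transcript, session_key, s_priv

def attacker_with_ephemeral_key(transcript, s_priv):
    """Leaked ephemeral DH private key: the recorded session is recoverable."""
    return pow(transcript["client_pub"], s_priv, P)

def attacker_with_long_term_key(transcript, lt_priv):
    """Leaked long-term signing key: the holder can forge a valid signature over
    the same public values (active impersonation of future sessions), but the
    transcript carries only DH public values, so nothing here yields the
    session key of a recorded session."""
    return schnorr_sign(lt_priv, H(transcript["client_pub"], transcript["server_pub"]))
```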