Why Forward Secrecy (PFS) Matters
Perfect Forward Secrecy (PFS) ensures that even if your server’s private key is stolen, past encrypted sessions remain secure. It’s not optional — it’s a cornerstone of modern TLS.
How PFS Works
Traditional RSA key exchange:
- Client encrypts pre-master secret with server’s public key
- Server decrypts with private key
- All sessions can be decrypted if private key is compromised
With ECDHE/DHE:
- Ephemeral keys generated per session
- Session keys derived from Diffie-Hellman
- Private key compromise does not decrypt past traffic
Real-World Impact
Heartbleed (2014) exposed private keys. Sites without PFS had all past traffic decryptable. Sites with ECDHE were safe.
PFS in Cipher Suites
- With PFS:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - No PFS:
TLS_RSA_WITH_AES_256_GCM_SHA384
Enable PFS
Use ECDHE or DHE in your cipher list. The Weak Cipher Tester flags static RSA suites with a -20 score penalty.
FAQ
Is DHE as good as ECDHE?
ECDHE is faster and more secure. DHE is acceptable but slower.
Does TLS 1.3 require PFS?
Yes — all TLS 1.3 handshakes use ephemeral keys.
Can I have PFS with RSA authentication?
Yes — ECDHE_RSA uses RSA for auth, ECDHE for key exchange.
One breach shouldn’t decrypt your history. Demand PFS.