[Cryptography] People should turn on PFS in TLS

Perry E. Metzger perry at piermont.com
Fri Sep 6 13:13:44 EDT 2013


On Fri, 06 Sep 2013 18:52:46 +0200 Raphaël Jacquot
<sxpert at sxpert.org> wrote:
> While I applaud this move on the part of the Nginx dev team there
> is a tradeoff and that is slower performance. DHE provides stronger 
> encryption which in turn requires more computation but here’s where
> it gets interesting. To meet today’s PCI DSS crypto standards DHE
> is not required. Like many things in life there’s a balance to be
> struck between the risk of compromised encryption and the
> additional expense or rather the relative loss of connections per
> second.

As I've said earlier, I think that we no longer have the luxury of
speaking in terms of higher connection establishment latency or
similar considerations as a reason not to use PFS techniques. At the
very least, we should presume that people will pressure technologists
to overconsider such issues in an attempt to assure that stealing
keys is enough to be able to read TLS connections.

Certainly in a very wide variety of contexts, like XMPP, connections
are so long lived that there is never a performance excuse.

Google is also now (I believe) using PFS on their connections, and
they handle more traffic than anyone. A connection I just made to
https://www.google.com/ came out as TLS 1.2, RC4_128, SHA1,
ECDHE_RSA.

It would be good to see them abandon RC4 of course, and soon.


Perry
-- 
Perry E. Metzger		perry at piermont.com

