[Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

Raphaël Jacquot sxpert at sxpert.org
Fri Sep 6 12:52:46 EDT 2013

On 06.09.2013 18:20, Peter Saint-Andre wrote:
> Hash: SHA1
> On 9/6/13 8:36 AM, Perry E. Metzger wrote:
>>>> One solution, preventing passive attacks, is for major
>>>> browsers and websites to switch to using PFS ciphersuites (i.e.
>>>> those based on ephemeral Diffie-Hellmann key exchange).
>> It occurred to me yesterday that this seems like something all
>> major service providers should be doing. I'm sure that some voices
>> will say additional delay harms user experience. Such voices should
>> be ruthlessly ignored.
> +1
> In practice, how do we make that happen? On the XMPP network we're
> pushing to make sure that all client-to-server and server-to-server
> hops are encrypted (yes, I know, per-hop encryption is not enough, we
> need end-to-end encryption too). Is there a handy list of PFS-friendly
> ciphersuites that I can communicate to XMPP developers and admins so
> they can start upgrading their software and deployments?
> Thanks!
> Peter

yet, one can find this sort of thing in 3rd position when searching 
"nginx crypto" :


quote :

The developers of Nginx have recently changed the default SSL ciphers to 
include the very strong Diffie-Hellman Ephemeral (DHE) cipher. DHE is 
used to provide perfect forward secrecy in TLS.

Further reading on Ephermal Diffie-Hellman, PFS and TLS at Wikipedia.org

While I applaud this move on the part of the Nginx dev team there is a 
tradeoff and that is slower performance. DHE provides stronger 
encryption which in turn requires more computation but here’s where it 
gets interesting. To meet today’s PCI DSS crypto standards DHE is not 
required. Like many things in life there’s a balance to be struck 
between the risk of compromised encryption and the additional expense or 
rather the relative loss of connections per second. I’m not a lawyer nor 
should this be considered legal advice but I prefer things that go fast 
while meeting the necessary PCI compliance criteria.

In order to disable DHE in the server context of the Nginx configuration 
add the following line:

ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;

More information about the cryptography mailing list