Perfect Forward Secrecy Explained – Hashed Out by The SSL Store™

Perfect Forward Secrecy Ensures HTTPS Traffic Stays Encrypted – Even if the Private Key is Later Compromised

Imagine for a second that someone breaks into your house. They can theoretically take whatever is in your place at that moment. That’s a scary enough thought right there. But what if it went a step further? What if they could also pick from everything that’s ever been in your house in the past? And then be able to steal any future item you purchase, as well? Sounds like a nightmare scenario, doesn’t it?

Unfortunately, the same thing can happen with your data. Encryption keeps it safe, but only as long as your private key is safe. We all dread the thought of one of our private keys being compromised, ending up in the hands of a hacker. Your future communications would immediately be at risk. Not only that, but what’s stopping them from examining your past data for juicy, sensitive information that they can exploit for their own gain?

But don’t worry, it’s not all doom and gloom. Cryptographers have once again come to the rescue! A solution was created to deal with exactly this sort of problem, and it’s called “perfect forward secrecy.” Long story short, it prevents future security incidents from compromising past encrypted data.

More and More Site Owners Are Taking Advantage of Perfect Forward Secrecy

Even better, it’s a security feature that is continuing to become more and more common. All major browsers support it, as do post-Windows XP operating systems. SSL Labs found in their October 2020 scan that 21.8% of surveyed sites supported perfect forward secrecy with all modern browsers and 64.5% supported perfect forward secrecy with most browsers. Only 1.2% of sites didn’t support perfect forward secrecy at all.   

The numbers keep going up, and the support of industry giants certainly hasn’t hurt, either. Google has been using it with Gmail and other products for years now, and Apple made perfect forward secrecy a requirement on the App Store in 2017. When TLS 1.3 was introduced, the Internet Engineering Task Force (IETF) mandated perfect forward secrecy, only allowing cipher suits that offered it. It’s an important part…