SSL Perfect Forward Secrecy Checker
Check whether your server supports Perfect Forward Secrecy cipher suites. Make sure your server negotiates ECDHE or DHE key exchange on TLS 1.2 and does not accept static RSA or static DH suites; TLS 1.3 always uses an ephemeral key exchange.
Short Info
Level: Low
Single Scan: Single Scan
Can be used by: Everyone
Estimated Time: 20 seconds
Time Interval: 1 month 4 days
Scan only one: Domain, IPv4
Toolbox: -
What is SSL Perfect Forward Secrecy?
Perfect Forward Secrecy (PFS), also called forward secrecy, is a property of the key exchange that protects previously recorded traffic: an attacker who captures TLS sessions today and later obtains the server's long-term private key still cannot recover the session keys of those captured sessions. PFS is achieved by deriving each session's keys from an ephemeral Diffie-Hellman exchange whose private values are discarded after the handshake, so no long-lived secret exists from which past session keys could be reconstructed. Note that PFS does not protect future sessions: an attacker who holds the server's private key can impersonate the server or run an active man-in-the-middle attack on new connections until the key is revoked and replaced.
The weakness arises when the key exchange depends on a static key. With RSA key exchange (the TLS_RSA_* cipher suites) the client encrypts the premaster secret under the server's long-term RSA public key, so anyone who records the traffic and later obtains that private key, through a server compromise or a leaked backup, can decrypt every recorded session. Static Diffie-Hellman suites (TLS_DH_* and TLS_ECDH_*) have the same problem. PFS removes this risk by generating a fresh key pair for each handshake, so intercepted data stays useless even after the long-term key is lost.
To support Perfect Forward Secrecy, your server must offer cipher suites with an ephemeral key exchange, ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) or DHE (Diffie-Hellman Ephemeral), and should prefer them over, or better, drop entirely, the static RSA and DH suites. In TLS 1.2 this is a configuration choice: order ECDHE suites first and disable the TLS_RSA_* suites. TLS 1.3 removed static key exchange, so every TLS 1.3 full handshake is forward secret. Two practical caveats: DHE with 1024-bit parameters is weak, so use 2048-bit or larger groups or prefer ECDHE; and session tickets encrypted under a long-lived ticket key can undermine forward secrecy for resumed sessions, so rotate ticket keys frequently.
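The check this tool performs, as an added example in Python (not the scanner's own code): it classifies cipher-suite names by key-exchange type, audits a configured cipher list offline, and, for a live host, runs a default handshake plus a second one that offers only non-ephemeral suites to see whether the server still accepts them. The function names, the `probe_server` helper and the sample cipher list are assumptions for illustration; the `ssl` module calls and the OpenSSL cipher-string keywords (`kECDHE`, `kDHE`, `aNULL`, `eNULL`) are standard.

```python
import re
import socket
import ssl

# Key-exchange prefixes that give forward secrecy, matching both the IANA
# spelling (TLS_ECDHE_RSA_WITH_...) and the OpenSSL spelling
# (ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-..., legacy EDH-RSA-...).
# Static ECDH/DH (TLS_ECDH_*, TLS_DH_*, ECDH-RSA-...) deliberately do not match.
_EPHEMERAL_KX = re.compile(r"^(TLS_)?(ECDHE|DHE|EDH)[-_]", re.IGNORECASE)

# TLS 1.3 suite names carry no key-exchange token because every TLS 1.3
# full handshake is an ephemeral (EC)DHE exchange.
_TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def provides_forward_secrecy(suite: str) -> bool:
    """True if the named suite uses an authenticated ephemeral key exchange.
    Anonymous suites (ADH-*, AECDH-*) are ephemeral but unauthenticated and
    trivially MITM-able, so they are reported as not acceptable here."""
    suite = suite.strip()
    return suite in _TLS13_SUITES or bool(_EPHEMERAL_KX.match(suite))


def non_pfs_suites(suites):
    """Return the suites in a configured list that lack forward secrecy,
    e.g. to audit an ssl_ciphers / SSLCipherSuite setting offline."""
    return [s for s in suites if not provides_forward_secrecy(s)]


def probe_server(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Two handshakes against a live server (network access required).

    1. A default handshake reports which suite the server prefers.
    2. A second handshake offers only non-ephemeral suites and caps the
       protocol at TLS 1.2 (TLS 1.3 suites are not governed by set_ciphers).
       If it succeeds, the server still accepts non-PFS suites and fails.
    """
    report = {}
    default_ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with default_ctx.wrap_socket(sock, server_hostname=host) as tls:
            suite, proto, _bits = tls.cipher()
            report["negotiated"] = suite
            report["protocol"] = proto
            report["negotiated_pfs"] = provides_forward_secrecy(suite)

    weak_ctx = ssl.create_default_context()
    weak_ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        # Strip ephemeral key exchange; what remains is static RSA/DH only.
        weak_ctx.set_ciphers("ALL:!kECDHE:!kDHE:!aNULL:!eNULL")
    except ssl.SSLError:
        # The local OpenSSL build offers no static suites at all, so this
        # half of the check cannot be performed from this client.
        report["accepts_non_pfs"] = "untestable"
        report["passes"] = report["negotiated_pfs"]
        return report
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with weak_ctx.wrap_socket(sock, server_hostname=host) as tls:
                report["accepts_non_pfs"] = tls.cipher()[0]
    except (ssl.SSLError, ConnectionResetError):
        # Handshake failure is the desired outcome: the server refused
        # every non-ephemeral suite it was offered.
        report["accepts_non_pfs"] = None
    report["passes"] = report["negotiated_pfs"] and report["accepts_non_pfs"] is None
    return report


if __name__ == "__main__":
    import sys
    # Constructed sample: a TLS 1.2 cipher list as it might appear in a
    # web-server configuration, with two non-PFS suites mixed in.
    sample_cipher_list = [
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "DHE-RSA-AES256-GCM-SHA384",
        "AES128-GCM-SHA256",        # static RSA key exchange: no PFS
        "ECDH-RSA-AES128-SHA",      # static ECDH: no PFS
    ]
    print("non-PFS suites:", non_pfs_suites(sample_cipher_list))
    if len(sys.argv) > 1:
        print(probe_server(sys.argv[1]))
```

Run it with a hostname argument to probe a live server; without one it only audits the embedded sample list. A server passes when the default handshake lands on an ECDHE/DHE or TLS 1.3 suite and the second, static-only handshake is rejected. The second probe is what distinguishes "prefers PFS" from "enforces PFS": a server that merely orders ECDHE first still exposes recorded traffic if a downgraded client can talk it into TLS_RSA_*.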