Enable Perfect Forward Secrecy for your stacks
Today we announce the public availability of Perfect Forward Secrecy support for all of our customers at Cloud 66.
You can simply enable it in your manifest file with a single line.
What is Perfect Forward Secrecy?
There is a great article about Perfect Forward Secrecy that explains how it works and how it helps with security.
Here is a summary:
In order to understand [Perfect Forward Secrecy], it’s helpful to have a basic idea of how HTTPS works in general. Every Web server that uses HTTPS has its own secret key that it uses to encrypt data that it sends to users. Specifically, it uses that secret key to generate a new “session key” that only the server and the browser know. Without that secret key, the traffic traveling back and forth between the user and the server is incomprehensible, to the NSA and to any other eavesdroppers.
But imagine that some of that incomprehensible data is being recorded anyway. An eavesdropper who gets the secret key at any time in the future, even years later, can use it to decrypt all of the stored data!
That’s where perfect forward secrecy comes in. When an encrypted connection uses perfect forward secrecy, that means that the session keys the server generates are truly ephemeral, and even somebody with access to the secret key can’t later derive the relevant session key that would allow her to decrypt any particular HTTPS session.
The tl;dr version is that it stops those who are recording your SSL traffic now from decrypting it tomorrow, whether they get their hands on your private key or simply brute-force it.