Enable Perfect Forward Secrecy for your stacks
Today we announce the public availability of Perfect Forward Secrecy support for all of our customers at Cloud 66.
You can simply enable it in your manifest file with a single line.
What is Perfect Forward Secrecy?
There is a great article about Perfect Forward Secrecy, how it works and how it helps with security.
Here is a summary:
In order to understand [Perfect Forward Secrecy], it’s helpful to have
a basic idea of how HTTPS works in general. Every Web server that uses
HTTPS has its own secret key that it uses to encrypt data that it
sends to users. Specifically, it uses that secret key to generate a
new “session key” that only the server and the browser know. Without
that secret key, the traffic traveling back and forth between the user
and the server is incomprehensible, to the NSA and to any other
But imagine that some of that incomprehensible data is being recorded
anyway. An eavesdropper who gets the secret key at any time in the
futureeven years latercan use it to decrypt all of the stored data!
That’s where perfect forward secrecy comes in. When an encrypted
connection uses perfect forward secrecy, that means that the session
keys the server generates are truly ephemeral, and even somebody with
access to the secret key can’t later derive the relevant session key
that would allow her to decrypt any particular HTTPS session.
The tl;dr; version of it is that it stops those who are recording your
SSL traffic now to decrypt it tomorrow (when they get their hands on
your private key or just by bruteforce) in their tracks.