Changes between Initial Version and Version 1 of how-to/servers/nginx_https_pfs


Timestamp: Apr 14, 2014, 6:15:33 PM (10 years ago)
Author: IMC linksunten
Comment:

--

  • how-to/servers/nginx_https_pfs

    v1 v1  
     1[https://en.wikipedia.org/wiki/Forward_secrecy Perfect Forward Secrecy] (PFS) is a countermeasure against surveillance programs as [https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29 PRISM] by the NSA or [https://en.wikipedia.org/wiki/Telecommunications_data_retention Vorratsdatenspeicherung] in Europe. These programs intercept and store ssl-encrypted traffic which became known as [http://www.spiegel.de/international/world/snowden-reveals-how-gchq-in-britain-soaks-up-mass-internet-data-a-909852.html "full take"] in the [http://america.aljazeera.com/articles/multimedia/timeline-edward-snowden-revelations.html summer of Snowden] in 2013. This data can be decrypted at some point of time in the future after the ssl master key has been obtained. That is, unless perfect forward secrecy is used to negotiate session keys between server and client. PFS is based on [http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange Diffie-Hellman key exchange] that never sends the session key which can therefore not be intercepted. The only advantage of stealing the ssl master key when PFS is employed would therefore be a stealthy [https://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle attack].
     2
     3One word of caution: if you change your server to use PFS you must re-key your server (and obtain a new ssl certificate) or your traffic until this moment will still be vulnerable to decryption if the master ssl key will be stolen in the future.
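
Review bot: the caution on line 3 says re-keying is what keeps "your traffic until this moment" from being decrypted, but a new key and certificate do nothing for traffic that was already recorded under the old key; that traffic stays decryptable for as long as any copy of the old key exists. Suggest wording it as "re-key the server and destroy the old private key, including backups", and stating that sessions negotiated without PFS before the switch depend on that old key never leaking. On line 1, "ssl master key" would be clearer as "the server's private key", since in TLS the master secret is a per-session value and not the long-term key the paragraph is talking about. The page is filed as an nginx how-to but this version contains no nginx configuration yet, so a note that the server settings follow would help readers.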