Perfect Forward Secrecy


The Heartbleed vulnerability was a bit of a wake-up call for me. I’d been planning to enable SSL on this domain for some time, but never really got around to it. After updating OpenSSL to patch CVE-2014-0160, I finally bought a certificate and enabled SSL. You can now access

But that wasn’t enough. I also took the time to enable Perfect Forward Secrecy. In theory, the use of perfect forward secrecy means that if my SSL private key is compromised, no historical traffic can be decrypted. Forward secrecy would not have closed the Heartbleed bug for me; but it would have reduced the scope of the exposure a little bit.

It was easy enough to enable Perfect Forward Secrecy for nginx. After making the necessary changes, the Qualsys SSL Labs seems to verify that my site is properly secured.

It’s true that I’m not currently providing a service that really demands forward secrecy; but I’ve long held the opinion that decent encryption is sufficiently easy to use that there’s little reason not to use it. At such time as I need it, I’ll have experience using it.

In a similar vein, I’ve started using Keybase a bit more, lately. I created my first GnuPG keypair a decade ago, and had little reason to use it. Late last year I generated a new, stronger keypair. I used this public key when joining Keybase, and have enjoyed a modest uptick in encrypted communications with peers.

I’m pleased to see an increase in the casual use of strong cryptography; and glad to see it becoming easier and easier to use.

home / about / posts / notes / RSS