Best Practices 08-05-2014

Forward Secrecy Secures Past Data from Future Compromises


On top of the foundation of encryption from SSL and HTTPS, Twitter made headlines when it enabled Forward Secrecy as a way to enhance its efforts to secure online systems and protect user communication online.

Forward Secrecy is a powerful security option that ensures communication that was previously secured online remains safe, even if the encryption key from the site is compromised in the future.

The Heartbleed bug threatened the security of many HTTPS sites. By some estimates, Heartbleed affected nearly 2 out of 3 servers on the Internet. Heartbleed isn't an SSL bug or a flaw in the SSL protocol or HTTPS; Heartbleed is a programming error in OpenSSL, which is widely used on many server platforms.

DigiCert’s systems and core CA infrastructure don’t run on software affected by Heartbleed, so DigiCert customer data has always been protected from the effects of Heartbleed.

Forward Secrecy Keeps Data Safe From Future Threats

Sites affected by Heartbleed, however, could have relied on Forward Secrecy as a way to mitigate compromised information. If servers are configured, like Twitter, to support forward secrecy, a compromised private key still couldn't be used to decrypt past communications from that server.

Forward Secrecy ensures that any previously secured communication that has already taken place always remains secure.

SSL Still Remains the Foundation of Data Security

DigiCert SSL Certificates provide the foundation of encryption for sensitive information online. With cyber criminals always looking for new opportunities to attack systems, it's critical that administrators take advantage of security advances and add multiple layers to their security environment.

Managing a large scale of servers across multiple network environments can become a challenge for even the most experience administrators. Services like Certificate Inspector make it easy to manage multiple SSL Certificate instances across networks large and small.

Certificate Inspector's free cloud-based service automatically checks for common security issues, critical vulnerabilities, and keeps track of which network resources are utilizing enhanced security features like Forward Secrecy, Elliptic Curve Cryptography, OCSP Stapling, and more.

DigiCert is Partnering to Improve Security Standards

Industry working groups like the Internet Engineering Task Force (IETF), CA/Browser Forum, and the CA Security Council are continually working to propose changes to security policies and best practices to improve data security. DigiCert takes an active leadership role in many of these groups and will continue to work with security-concerned Internet users to support new initiatives, like Forward Secrecy, that improve online security.

After the effects of Hearbleed, it's more important than ever to ensure that enterprises take precautions against possible threats to their network resources. The Electronic Frontier Foundation (EFF) supports the use of new initiatives like Forward Secrecy to protect the integrity of SSL keys and encryption. "Whether that threat is an existing or future software bug, an insider who steals the key, a secret government demand to enable surveillance, or a new cryptographic breakthrough, the beauty of forward secrecy is that the privacy of today's sessions doesn't depend on keeping information secret tomorrow," says Yan Zhu, Technologist at EFF.

Information security is everyone's responsibility. It's no longer enough to rely any one single security solution. After creating a strong encryption base, administrators can implement additional layers of security to ensure that the encryption backbone of their network remains safe from future threats.


3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories


What Is A CA’s Role In Delivering Digital Trust?


The Entrust distrust: Key takeaways for CAs and organizations


The Entrust distrust: Key takeaways for CAs and organizations