An Experimental Study of TLS Forward Secrecy Deployments

Authors: L.S. Huang, S. Adhikarla, D. Boneh, and C. Jackson

Forward secrecy guarantees that eavesdroppers simply cannot reveal secret data of past communications. While many TLS servers have deployed the ephemeral Diffie-Hellman (DHE) key exchange to support forward secrecy, most sites use weak DH parameters, resulting in a false sense of security. In our study, we surveyed a total of 473,802 TLS servers and found that 82.9% of the DHE-enabled servers were using weak DH parameters. Furthermore, given current parameter and algorithm choices, we show that the traditional performance argument against forward secrecy is no longer true. We compared the server throughput of various TLS setups, and measured real-world client-side latencies using an ad network. Our results indicate that forward secrecy is no harder, and can even be faster using elliptic curve cryptography (ECC), than no forward secrecy. We suggest that sites should migrate to ECC-based forward secrecy for both security and performance reasons.

In Proceedings of W2SP 2014
IEEE Internet Computing 18(6): 43-51 (2014)
