Gmail PFS

It looks like gmail is using pfs. Why don't all providers do this?Google mail crypto tweak makes eavesdropping harder ? The Register

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

it_consultant

Bl8ckr0uter wrote: »

It looks like gmail is using pfs. Why don't all providers do this?Google mail crypto tweak makes eavesdropping harder ? The Register

My watchguard firewall appliances support PFS for site to site VPNs, I have never used them because I never really knew what it was for...

Bl8ckr0uter

PFS is pretty sweet.

Perfect Forward Secrecy (PFS)—PFS ensures that a given IPsec SA key was not derived from any other secret, like some other keys. In other words, if someone breaks a key, PFS ensures that the attacker is not able to derive any other key. If PFS is not enabled, someone can potentially break the IKE SA secret key, copy all the IPsec protected data, and then use knowledge of the IKE SA secret in order to compromise the IPsec SAs setup by this IKE SA. With PFS, breaking IKE does not give an attacker immediate access to IPsec. The attacker needs to break each IPsec SA individually. The Cisco IOS IPsec implementation uses PFS group 1 (D-H 768 bit) by default.
An Introduction to IP Security (IPSec) Encryption* [IPSec Negotiation/IKE Protocols] - Cisco Systems

I like to think that it is something that you should always enable if possible.

it_consultant

Probably, it has the word "perfect" in it so I should probably give it a look! I am just trying to convince people to stop using DES as the encrypt set. Hell, AES is faster anyway.

Bl8ckr0uter

it_consultant wrote: »

Probably, it has the word "perfect" in it so I should probably give it a look! I am just trying to convince people to stop using DES as the encrypt set. Hell, AES is faster anyway.

t said

I've been doing the same thing at work. There is just no reason for it with modern equipment.