Gmail PFS

in Off-Topic
It looks like Gmail is using PFS. Why don't all providers do this? Google mail crypto tweak makes eavesdropping harder - The Register
Comments
it_consultant Member Posts: 1,903
Bl8ckr0uter wrote: »It looks like Gmail is using PFS. Why don't all providers do this? Google mail crypto tweak makes eavesdropping harder - The Register
My WatchGuard firewall appliances support PFS for site-to-site VPNs; I have never used it because I never really knew what it was for...
Bl8ckr0uter Inactive Imported Users Posts: 5,031
PFS is pretty sweet.
Perfect Forward Secrecy (PFS)—PFS ensures that a given IPsec SA key was not derived from any other secret, like some other keys. In other words, if someone breaks a key, PFS ensures that the attacker is not able to derive any other key. If PFS is not enabled, someone can potentially break the IKE SA secret key, copy all the IPsec protected data, and then use knowledge of the IKE SA secret in order to compromise the IPsec SAs setup by this IKE SA. With PFS, breaking IKE does not give an attacker immediate access to IPsec. The attacker needs to break each IPsec SA individually. The Cisco IOS IPsec implementation uses PFS group 1 (D-H 768 bit) by default.
An Introduction to IP Security (IPSec) Encryption [IPSec Negotiation/IKE Protocols] - Cisco Systems
I like to think that it is something that you should always enable if possible.
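The distinction the quoted Cisco text draws, as an added example written for this page rather than code from Cisco or either poster. It follows the RFC 2409 Quick Mode KEYMAT derivation: without PFS the IPsec SA keys are a prf of SKEYID_d over values that all appear on the wire (protocol, SPI, nonces), so an attacker who captured the session and later obtains SKEYID_d derives them directly; with PFS a fresh g^xy is mixed in, and only g^x and g^y are on the wire, so the attacker has to solve the Diffie-Hellman problem for every SA. Assumptions not in the thread: HMAC-SHA256 as the prf, an HMAC keystream XOR standing in for the ESP cipher, a bounded exhaustive discrete-log search as the attacker's effort, and a sample payload constructed inline. The group is Oakley group 1 because the Cisco text names it as the IOS default; a 768-bit discrete logarithm has since been computed publicly, so group 1 should not be used in practice (group 14 or larger, or an elliptic-curve group, is the current floor).

```python
"""PFS in IKEv1 Quick Mode: what an attacker who later learns SKEYID_d can recover.

Added example, not Cisco's code. Models RFC 2409 section 5.5:
  without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
  with PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
Assumptions: prf = HMAC-SHA256; the ESP cipher is stood in by an HMAC keystream XOR;
the attacker is a passive eavesdropper with a full capture and, later, SKEYID_d.
"""
import hashlib
import hmac
import os
import secrets

# Oakley group 1 (768-bit MODP, generator 2), transcribed from RFC 2409 section 6.1.
# Chosen only because the Cisco text names it; it is far too small for real use.
P = int("""
    FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
    020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
    4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF
""".replace(" ", "").replace("\n", ""), 16)
G = 2
PROTO_ESP = b"\x03"   # PROTO_IPSEC_ESP, the "protocol" byte in the KEYMAT input


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; used to sanity-check the transcribed group parameters."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair():
    """Fresh ephemeral exponent x and public value g^x mod p."""
    x = secrets.randbits(256) | 1
    return x, pow(G, x, P)


def dh_shared(x, peer_pub):
    return pow(peer_pub, x, P).to_bytes(96, "big")


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def keymat(skeyid_d, spi, ni, nr, gxy=None):
    """RFC 2409 5.5 KEYMAT; g(qm)^xy is prepended only when PFS was negotiated."""
    return prf(skeyid_d, (gxy or b"") + PROTO_ESP + spi + ni + nr)


def xor_stream(key, data):
    """Stand-in for the ESP cipher: XOR with an HMAC-derived keystream (involutory)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], prf(key, i.to_bytes(4, "big"))))
    return bytes(out)


def quick_mode(skeyid_d, pfs):
    """One Quick Mode run. Returns (KEYMAT, capture), where capture is everything a
    passive eavesdropper sees: SPI, nonces and, with PFS, the two DH public values."""
    spi, ni, nr = os.urandom(4), os.urandom(16), os.urandom(16)
    capture = {"spi": spi, "ni": ni, "nr": nr}
    gxy = None
    if pfs:
        xi, gxi = dh_keypair()
        xr, gxr = dh_keypair()
        capture["gxi"], capture["gxr"] = gxi, gxr
        gxy = dh_shared(xi, gxr)          # both peers compute the same g^xy
        assert gxy == dh_shared(xr, gxi)
        del xi, xr                        # ephemeral exponents are discarded after use
    return keymat(skeyid_d, spi, ni, nr, gxy), capture


def attacker_decrypt(skeyid_d, capture, ciphertext, effort=1 << 16):
    """Attacker holding the capture and SKEYID_d. Without PFS every KEYMAT input is in
    hand. With PFS g^xy is missing and needs a discrete log of g^xi, attempted here
    only by a bounded exhaustive search; returns None when that fails."""
    spi, ni, nr = capture["spi"], capture["ni"], capture["nr"]
    if "gxi" not in capture:
        return xor_stream(keymat(skeyid_d, spi, ni, nr), ciphertext)
    cur = 1
    for x in range(1, effort):
        cur = cur * G % P                 # cur == g^x mod p
        if cur == capture["gxi"]:
            return xor_stream(keymat(skeyid_d, spi, ni, nr, dh_shared(x, capture["gxr"])), ciphertext)
    return None


def demo():
    skeyid_d = os.urandom(32)             # the IKE SA secret the attacker later obtains
    payload = b"ESP payload: GET /mail HTTP/1.1"   # constructed sample traffic
    results = {}
    for label, pfs in (("no_pfs", False), ("pfs", True)):
        km, cap = quick_mode(skeyid_d, pfs)
        results[label + "_recovered"] = attacker_decrypt(skeyid_d, cap, xor_stream(km, payload)) == payload
    return results


if __name__ == "__main__":
    print(demo())   # {'no_pfs_recovered': True, 'pfs_recovered': False}
```

Running it prints `{'no_pfs_recovered': True, 'pfs_recovered': False}`. The capped search in `attacker_decrypt` is the honest version of "the attacker needs to break each IPsec SA individually": with the IKE secret alone the non-PFS keys fall out of a single HMAC, while the PFS keys cost a discrete logarithm per SA, which for a 768-bit group is a large but published computation and for group 14 and up is out of reach.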
it_consultant Member Posts: 1,903
Probably; it has the word "perfect" in it, so I should probably give it a look! I am just trying to convince people to stop using DES as the encrypt set. Hell, AES is faster anyway.
Bl8ckr0uter Inactive Imported Users Posts: 5,031
it_consultant wrote: »Probably; it has the word "perfect" in it, so I should probably give it a look! I am just trying to convince people to stop using DES as the encrypt set. Hell, AES is faster anyway.
I've been doing the same thing at work. There is just no reason for it with modern equipment.