Perfect Forward Secrecy Side Effects
Вставка
- Опубліковано 3 лис 2024
- Perfect Forward Secrecy (PFS) is a great security feature that protects client and server data from being decrypted in the future.
In this video, John discusses a few of the things to keep in mind as you move toward PFS ciphers.
Thanks...excellent concepts
Glad you enjoyed the video!!
Yup and outbound visibility is a big deal when PFS is enabled
Great point as well...all good things to think about when enabling PFS ciphers!
How TLS 1.3 Overcomes PFS Side effect could you please explain ?
Can you terminate the connection on the F5 and use PFS between the client and the F5 and then open a separate connection to the server? Like a reverse proxy?
This is a great question! The answer is...Yes, you can create two totally different connections...one between the client and the BIG-IP and one between the BIG-IP and the server. That's one of the huge benefits of the BIG-IP being a full-proxy architecture. For the client-side connections, you will configure a Client SSL profile. And for the backend server connections you will configure a Server SSL profile. This allows full flexibility for both sides of the connection. Hope this helps!
@@devcentral It may not be a valid solution nowadays, because many applications also utilize the so-called "certificate pinning" to only allow the trust certificate (which means the right server it wants to talk to) being received, in this case any middle box would be rejected due to certificate not matching.
cheers mate for the video i am researching for the solution so that i can implement PFS can you kindly make any video on that?
We also did a video on the basics of what PFS is...here's the link: ua-cam.com/video/IkM3R-KDu44/v-deo.html
If you have any additional details you'd like to see, feel free to comment and we can take a look at it. Thanks!
Thanks for sharing side effects. Now please share solutions to the problems caused by these side effects :)
Import your server's certificate(s) [with the private key] into the monitoring software so it has the private key to decrypt the traffic.
You don't. If you break and inspect (say with a WAF), then you end up with one of two issues: 1) You cannot execute the inspection bc of PFS or 2) The client and server will see the changes in the inspected, re-encrypted, and re-signed packets (due to the ephemeral integer) and reject the packets. Basically, you get one or the other; either PFS or your web application firewall.