Quiz Entry - updated: 2026.05.31
What is Perfect Forward Secrecy (PFS), and how does TLS 1.3 guarantee it?
PFS = even if an attacker later steals a server's long-term private key, they cannot decrypt past recorded TLS sessions. TLS 1.3 enforces it by requiring ephemeral Diffie-Hellman (ECDHE) for every connection.
The threat being defended against:
2025: attacker records encrypted TLS traffic, can't decrypt it.
2030: attacker compromises the server, steals its private key.
2030: without PFS, attacker decrypts the 2025 traffic.
with PFS, the 2025 traffic is still unrecoverable.
How PFS works in TLS:
- The server's long-term key is used only to sign the ephemeral DH parameters, not to encrypt anything.
- A fresh, random DH key pair is generated for each session and discarded after.
- The session key is derived from the ephemeral DH shared secret — stealing the long-term key gives the attacker no way to recover it.
Cipher-suite history:
- TLS 1.2 offered both PFS suites (
ECDHE-…) and non-PFS suites (RSA-…, plain key transport). Many old servers still used the latter. - TLS 1.3 removed all non-PFS suites — every TLS 1.3 connection has PFS by construction.
Tip: Even in 2024, plenty of legacy SSL/TLS configurations still allow non-PFS suites. Use testssl.sh or Qualys SSL Labs to confirm every cipher suite a server offers has ECDHE in it.