Better support for Perfect forward secrecy by Lionel Fourquaux



Type: Bug
ID: 796877
Opened: 8/9/2013 3:19:36 AM
Access Restriction: Public
User(s) can reproduce this bug


Perfect forward secrecy (http://en.wikipedia.org/wiki/Perfect_forward_secrecy) is a desirable property for encrypted communication. While TLS includes some ciphers that have Perfect forward secrecy (PFS), Internet Explorer doesn't implement several of them, and gives low priority to the ones it implements (probably because they are a bit slower).
Moreover, most of the implemented ciphers are recent ciphers based on elliptic curves. Supporting more old-fashioned ciphers would 1) make PFS work with RSA certificates and 2) be safer in case a flaw in elliptic curve ciphers is found.
Please add support for TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (as defined in TLS 1.2), and an option to prefer PFS over performance.
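
The effect of the preference order requested above, as an added example that is not part of the original report or of any Microsoft code: it classifies IANA-style suite names by key exchange, moves forward-secret suites to the front, and shows what a server that honours the client's order would select. The client list, the server set and all function names are constructed for illustration and do not reproduce any browser's real configuration.

```python
# Added example: classify TLS cipher suites by key exchange and reorder a
# preference list so forward-secret suites come first.
FORWARD_SECRET_KX = {"DHE", "ECDHE"}  # ephemeral Diffie-Hellman variants

def parse_suite(name):
    """Split an IANA-style name into (key_exchange, authentication, cipher)."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not an IANA TLS 1.2-style suite name: {name}")
    kx_auth, cipher = name[4:].split("_WITH_", 1)
    parts = kx_auth.split("_")
    kx = parts[0]
    # TLS_RSA_WITH_... uses RSA for both key transport and authentication.
    auth = parts[1] if len(parts) > 1 else kx
    return kx, auth, cipher

def is_forward_secret(name):
    return parse_suite(name)[0] in FORWARD_SECRET_KX

def prefer_forward_secrecy(order):
    """Stable reorder: PFS suites first, relative order otherwise unchanged."""
    return sorted(order, key=lambda s: not is_forward_secret(s))

def negotiate(client_order, server_supported):
    """Model a server that honours the client's preference order."""
    for suite in client_order:
        if suite in server_supported:
            return suite
    return None

# Constructed sample data (not the real preference list of any browser).
CLIENT_ORDER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
]
# Constructed server with an RSA certificate and no elliptic-curve suites.
RSA_SERVER = {
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
}

if __name__ == "__main__":
    for label, order in (("default", CLIENT_ORDER),
                         ("PFS first", prefer_forward_secrecy(CLIENT_ORDER))):
        chosen = negotiate(order, RSA_SERVER)
        print(f"{label:10} -> {chosen} (PFS: {is_forward_secret(chosen)})")
```

Static `DH` and `ECDH` suites are deliberately not counted as forward secret, because only the ephemeral `DHE` and `ECDHE` exchanges discard the key-agreement secret after the session.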

Posted by Lionel Fourquaux on 4/11/2014 at 2:47 PM
Support for TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 was added in Windows 8.1 Update. Thank you very much!
Posted by Microsoft on 8/9/2013 at 8:28 AM
Requests to include security enhancements like Perfect Forward Secrecy are greatly appreciated by the IE Team.
Suggestions like these help us to create a safer browser so we will definitely take your requests into consideration in future IE releases.

Best regards,

The Internet Explorer Team