Better support for Perfect forward secrecy - by Lionel Fourquaux

ID: 796877
Status: Active
Type: Bug
Repros: 2
Opened: 8/9/2013 3:19:36 AM
Access Restriction: Public


Perfect forward secrecy is a desirable property for encrypted communication.  While TLS includes some ciphers that have Perfect forward secrecy (PFS), Internet Explorer doesn't implement several of them, and gives low priority to the ones it implements (probably because they are a bit slower).
Moreover, most of the implemented ciphers are recent ciphers based on elliptic curves.  Supporting more old-fashioned ciphers would 1) make PFS work with RSA certificates and 2) be safer in case a flaw in elliptic curve ciphers is found.
Please add support for TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (as defined in TLS 1.2), and an option to prefer PFS over performance.
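
Added example, not part of the original report and not Microsoft's code: a Python sketch of what "prefer PFS over performance" means for a cipher-suite preference list. It classifies IANA suite names by key exchange and moves forward-secret suites to the front. `SAMPLE_ORDER` is a constructed list, not Internet Explorer's actual default order, and the function names are hypothetical.

```python
import re

# Key-exchange tokens in TLS 1.2 IANA suite names that denote an ephemeral
# Diffie-Hellman exchange, which is what gives forward secrecy.
EPHEMERAL_KX = {"DHE", "ECDHE"}
# TLS 1.3 suite names carry no key-exchange token; TLS 1.3 key exchange
# is always ephemeral, so these suites count as forward secret.
TLS13_NAME = re.compile(r"^TLS_(AES|CHACHA20)_")

def has_forward_secrecy(suite):
    """True if the IANA suite name implies an ephemeral key exchange."""
    if TLS13_NAME.match(suite):
        return True
    if "_WITH_" not in suite:
        raise ValueError("not an IANA TLS suite name: %r" % suite)
    # "TLS_DHE_RSA_WITH_..." -> "DHE"; static "RSA", "DH", "ECDH" fail here.
    kx = suite.split("_WITH_")[0].split("_")[1]
    return kx in EPHEMERAL_KX

def prefer_pfs(order):
    """Stable reorder: forward-secret suites first, relative order kept."""
    pfs = [s for s in order if has_forward_secrecy(s)]
    rest = [s for s in order if not has_forward_secrecy(s)]
    return pfs + rest

def outranked_pfs(order):
    """Forward-secret suites listed below at least one non-PFS suite."""
    seen_static, outranked = False, []
    for suite in order:
        if has_forward_secrecy(suite):
            if seen_static:
                outranked.append(suite)
        else:
            seen_static = True
    return outranked

# Constructed preference list (assumption, for illustration only).
SAMPLE_ORDER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
]

if __name__ == "__main__":
    print("PFS suites ranked below a static-RSA suite:")
    for s in outranked_pfs(SAMPLE_ORDER):
        print("  ", s)
    print("PFS-first order:")
    for s in prefer_pfs(SAMPLE_ORDER):
        print("  ", s)
```

A peer that honors this order negotiates a static-RSA suite only when the other side offers no ECDHE or DHE suite in common.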

Posted by jsmith2113 on 5/21/2015 at 7:09 AM
"...In addition to the availability of TLS, has also enabled Perfect Forward Secrecy (PFS) encryption support for sending and receiving mail between email providers. Forward secrecy uses a different encryption key for every connection, making it more difficult for attackers to decrypt connections."

Advancing our encryption and transparency efforts
Posted by Lionel Fourquaux on 4/11/2014 at 2:47 PM
Support for TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 was added in Windows 8.1 Update. Thank you very much!
Posted by Microsoft on 8/9/2013 at 8:28 AM
Requests to include security enhancements like Perfect Forward Secrecy are greatly appreciated by the IE Team.
Suggestions like these help us to create a safer browser so we will definitely take your requests into consideration in future IE releases.

Best regards,

The Internet Explorer Team