Product Updates

Celoxis + Perfect Forward Secrecy


What we are doing
Security is a moving target today. Not long ago, cracks developed in SSL that was considered unbreakable. Wisdom lies in anticipating what’s coming next. That’s why we will be bulletproofing our web servers by incorporating “Perfect Forward Secrecy” in to our HTTPS layer.  

When are we doing it
Oct 19, 2019

Why are we doing it
From WhatIs.com:

Perfect Forward Secrecy (PFS), also known as Forward Secrecy, is an encryption style known for producing temporary private key exchanges between clients and servers. For every individual session initiated by a user, a unique session key is generated. If one of these session keys is compromised, data from any other session will not be affected. Therefore, past sessions and the information within them are protected from any future attacks.

Without perfect forward secrecy, a user initiates a communication session with a client and the entire conversation is encrypted based on the client’s special key. However, the client uses the same special key to generate encryption for all of its sessions, and if it becomes compromised, so does all of the information contained within each conversation.

With perfect forward secrecy, every communication session generates a unique encryption key that is separate from the special key, private, and only lasts for the duration of the session. If an attacker were to compromise one of the user’s special key, the conversations would stay encrypted and secure. Similarly, if an attacker were to compromise the unique encryption key, only that specific conversation would be leaked.


What you need to do
Most of you will be using modern browsers and won’t have to do anything. The change will be seamless to you. If you are using old libraries to connect with our API or using specific SSL ciphers, you will need to use one of the following ciphers:

• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-ECDSA-CHACHA20-POLY1305
• ECDHE-RSA-CHACHA20-POLY1305
• DHE-RSA-AES128-GCM-SHA256
• DHE-RSA-AES256-GCM-SHA384
We recommend that you switch to a modern library as most have them already support the ciphers mentioned above. If you have any questions, please contact us.


Comments