On Fri, 06 Sep 2013 18:52:46 +0200 Raphaël Jacquot <sxp...@sxpert.org> wrote: > While I applaud this move on the part of the Nginx dev team there > is a tradeoff and that is slower performance. DHE provides stronger > encryption which in turn requires more computation but here’s where > it gets interesting. To meet today’s PCI DSS crypto standards DHE > is not required. Like many things in life there’s a balance to be > struck between the risk of compromised encryption and the > additional expense or rather the relative loss of connections per > second.
As I've said earlier, I think that we no longer have the luxury of speaking in terms of higher connection establishment latency or similar considerations as a reason not to use PFS techniques. At the very least, we should presume that people will pressure technologists to overconsider such issues in an attempt to assure that stealing keys is enough to be able to read TLS connections. Certainly in a very wide variety of contexts, like XMPP, connections are so long lived that there is never a performance excuse. Google is also now (I believe) using PFS on their connections, and they handle more traffic than anyone. A connection I just made to https://www.google.com/ came out as, TLS 1.2, RC4_128, SHA1, ECDHE_RSA. It would be good to see them abandon RC4 of course, and soon. Perry -- Perry E. Metzger pe...@piermont.com _______________________________________________ The cryptography mailing list firstname.lastname@example.org http://www.metzdowd.com/mailman/listinfo/cryptography