Forward secrecy also makes it impossible to decrypt the SSL traffic if your private key may has been stolen or lost or your US company is enforced by a national security letter to shut up and give them your private key. As IIS user you are not affected by the Heartbleed bug in OpenSSL, but we all hope Microsoft schannel.dll does not have any similar bugs.
Always keep in mind that decrypting of todays SSL traffic could also been done in a few years if computers are fast enough to break today's certificates. Please note that perfect forward secrecy is the only way to prevent hackers or intelligence services to decrypt your SSL data after traffic shaping. It works on both Windows Desktops and Servers. This means Microsoft Exchange and Internet Explorer and Edge and all applications that use WinHTTP API, too. It was originally written for Microsoft Internet Information Server 7.5/8.0/8.5/10 (IIS) on Windows 2008R2/2012/2012R2/2016/2019, but the below settings implements system wide settings that work for everything that uses the Microsoft Crypto infrastructure. This script implements the current best practice rules.
Additionally it increases security of your SSL connections by disabling insecure SSL2 and SS元 and all insecure and weak ciphers that a browser may fall-back, too. This PowerShell script setups your Windows Computer to support TLS 1.1 and TLS 1.2 protocol with Forward secrecy. This is a living document - check back from time to time.
0 kommentar(er)
