Beginner’s Guide to Perfect Forward Secrecy (PFS)

February 24, 2020 | October 21st, 2021
When the right VPN encryption is used, it’s virtually impossible to crack. But that doesn’t mean it’s a bad idea to add an extra layer of protection – and that’s where Perfect Forward Secrecy (PFS) comes in.

After all, cybersecurity isn’t a static field; it’s always evolving.

New cyberthreats, loopholes, and exploits are constantly developed, discovered, and dealt with. And if you read our guide on How Government Surveillance Kills Your Online Privacy, you’ll also know law enforcement is already capable of cracking Apple’s personal device encryption – something Apple claims it can’t do itself.

But what is Perfect Forward Secrecy? How does it work and why is it so important?

These are the questions we answer in this guide!

What Is Perfect Forward Secrecy?

PFS is a relatively new cybersecurity feature and is sometimes referred to simply as Forward Secrecy (FS).

However, it’s most commonly called Perfect Forward Secrecy or PFS, so this is what we’ll use in this guide.

PFS is basically another type of encryption. Think of it as a second (or even the primary) layer of encryption all online communications ought to be using.

Once upon a time, encryption was essentially limited to the idea of a single private encryption key. This key would be hosted on a server and used to decrypt all the online communication the server handled. The decryption would take place with a public key.

Sound like a problem waiting to happen?

That’s because it was.

All a cybercriminal had to do was collect the encrypted data and wait for an exploit to develop, allowing them to hack the encryption key. And once they did, they could access all the data they collected – going back years, even.

Perfect Forward Secrecy was developed as the solution to this problem.

How Does It Work?

Instead of relying on a single encryption key to access all of the data on a server, PFS generates a unique session key every time communication between the server and a visitor is initiated. What this means is even if one key is compromised, only the data shared in that specific session is exposed to the attacker.

Once the session ends, the key disappears forever.

And once that happens, the data from that session is just as safe as all the other data hosted on the server. Hackers would need to gain access to the actual server to see any of it.

It doesn’t seem like the perfect solution though, does it?

After all, even if there’s only a slim chance your session key can be compromised, it’s still a chance, right?

Well, PFS doesn’t only create a unique session key once.

It can actually be refreshed during that session, generating a new key at set intervals. This makes it even more unlikely the PFS encryption key will become compromised – and even if one of them is, the hacker will only be able to access a small portion of your session data.

If you want to get a little more technical, PFS typically uses something called Diffie-Hellman (DH) key-exchange encryption instead of the usual Rivest-Shamir-Adleman (RSA).

DH allows for ephemeral encryption keys, which is what makes the PFS encryption key disappear at the end of a session instead of being stored for later use.

This isn’t to say RSA is necessarily bad, though. It just isn’t as good as the (much newer) DH alternative. In fact, the two are sometimes used together!
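The difference between a reused key and an ephemeral one can be shown in a few lines. This is an added example, not code from the original guide: it uses a toy Diffie-Hellman group (the prime 2**521 - 1 and base 3 are illustration values, not production parameters), and all function names are made up for the illustration.

```python
import hashlib
import secrets

# Toy group for illustration only: P is the Mersenne prime 2**521 - 1.
# Real deployments use standardized groups or elliptic curves.
P = 2**521 - 1
G = 3

def keypair():
    """Return (private, public) for a fresh Diffie-Hellman key pair."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(my_priv, peer_pub):
    """Hash the DH shared secret down to a 256-bit session key."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(66, "big")).digest()

def run_sessions(count, ephemeral):
    """Simulate `count` sessions. Returns the server's long-term private key,
    the public values an eavesdropper could record, and the real session keys."""
    long_term_priv, long_term_pub = keypair()
    recorded, real_keys = [], []
    for _ in range(count):
        client_priv, client_pub = keypair()
        if ephemeral:
            # Fresh server key pair per session (in a real protocol the
            # long-term key would only sign this value, never encrypt).
            server_priv, server_pub = keypair()
        else:
            server_priv, server_pub = long_term_priv, long_term_pub
        real_keys.append(session_key(server_priv, client_pub))
        recorded.append((client_pub, server_pub))   # visible on the wire
        del client_priv, server_priv   # session over: only long_term_priv persists
    return long_term_priv, recorded, real_keys

def keys_recovered_after_compromise(count, ephemeral):
    """Count recorded sessions that become readable once the long-term key leaks."""
    leaked_priv, recorded, real_keys = run_sessions(count, ephemeral)
    guesses = [session_key(leaked_priv, client_pub) for client_pub, _ in recorded]
    return sum(g == k for g, k in zip(guesses, real_keys))
```

With the reused key, every recorded session key can be recomputed after the leak; with ephemeral keys, none can.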

How Does Perfect Forward Secrecy Keep You Safe?


It might already seem obvious, but it’s worth getting into some specifics here.

On the most basic level, PFS adds an extra layer of cybersecurity to the server in the event of a successful data breach.

The attacker is more likely to have gotten their hands on the so-called Master Key for regular encryption (though even this is highly unlikely). While they might gain access to the server’s records, those records will be protected by PFS encryption as well.

Even if the hacker also got hold of a PFS key, they’re only able to decrypt a very small set of data, either for a single user session or part thereof. This limits the damage caused by a data breach.

On a larger scale, servers that implement PFS are less attractive targets for hackers.

Cracking a server with PFS requires a lot more resources, time, and patience than most cybercriminals and even hacking groups have. Even if they’re able to crack the Master Key, the payoff is severely limited.

Still, it’s important to note there are some caveats here.

First, implementing PFS isn’t guaranteed to dissuade hackers. It just makes such an attack less likely, as most cybercriminals will prefer targeting servers requiring less work to hack.

Second, it’s no guarantee against continued government surveillance. Organizations like the National Security Agency (NSA) have a massive capacity for collecting, storing, and processing data on an international scale.

Such groups hold onto encrypted data indefinitely. They bank on the fact cybersecurity exploits are regularly developed and discovered. In fact, the NSA is often the source of those exploits!

Is PFS Really Necessary?

Given the caveats mentioned in the previous section, you might be wondering if it’s even worth using Perfect Forward Secrecy.

We’d argue any measure you can take to reasonably protect yourself and your personal data is necessary. While too much of a good thing can be a bad thing – making you stand out more to groups like the NSA, for example – this isn’t one of those cases.

Yes, PFS encryption is likely to attract more attention from government agencies. But that’s true for all encryption – and the alternative is to simply let them continue to spy on us all.

That’s not an option.

The more companies that implement PFS, the less it’ll stand out. This is true for individuals using encryption too, by the way.

Consider this: Google, while by no means a privacy-friendly company, was one of the first software giants to start using PFS on its servers.

And even though it’s one of the worst search engines to use if you’re concerned about your online privacy (and you should be), Google still dominates that market.

In 2014, Google started using an extra ranking factor to help its search engine display search results: whether a website uses HTTP or HTTPS (HyperText Transfer Protocol Secure). The “S” (Secure) shows the website uses SSL (Secure Sockets Layer) encryption.

It’s possible Google – and other, arguably better search engines – might introduce a similar preferential treatment of websites that use Perfect Forward Secrecy.



Another important chapter in the history of Perfect Forward Secrecy is the infamous Heartbleed exploit.

Heartbleed is a security flaw in older OpenSSL cryptographic software versions. OpenSSL is basically just an open-source software tool that helps website owners implement SSL and TLS (Transport Layer Security) encryption protocols for web authentication.

We won’t bore you with all the technical details of how SSL and TLS work, as that’s beyond the scope of this guide. But, as you might’ve already figured out, you’re already familiar with SSL/TLS through HTTPS.

Usually, OpenSSL protects users by providing online communications with security and privacy. But the Heartbleed exploit got around this protection using the TLS extension Heartbeat.

Heartbeat was designed to send “payloads” (typically text), together with a number specifying the payload’s size.

This allowed users to test the TLS communication.

Heartbleed essentially took advantage of the fact Heartbeat didn’t actually check the payload content. It would simply check the number specifying the payload’s size and then send the same amount of data back to the user.

So all a hacker had to do was send a small payload and increase the payload size number. For example, they could send a payload request with the word “Hi” and specify the length as 500 characters. The server would then send the word “Hi” back with an additional 498 characters taken at random from its memory buffer.


While there wasn’t any way to predict what those extra characters would include, there was always a high chance of it being sensitive data. On occasion, it would even be the server’s encryption Master Key.
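The missing length check described above, shown beside the corrected behaviour, as an added example that is not OpenSSL's code or part of the original guide. It simulates server memory with a constructed byte buffer and uses the heartbeat layout from RFC 6520 (type, 2-byte payload length, payload, at least 16 bytes of padding); the function names are hypothetical.

```python
import struct

PADDING_LEN = 16  # RFC 6520: at least 16 bytes of padding follow the payload

def build_heartbeat(payload, claimed_len=None):
    """Build a request: type(1) | payload_length(2) | payload | padding."""
    length = len(payload) if claimed_len is None else claimed_len
    return b"\x01" + struct.pack("!H", length) + payload + b"\x00" * PADDING_LEN

def respond_unchecked(memory, msg_offset, msg_len):
    """Pre-fix behaviour: msg_len is ignored and the claimed length is trusted."""
    claimed = struct.unpack_from("!H", memory, msg_offset + 1)[0]
    start = msg_offset + 3
    return bytes(memory[start:start + claimed])

def respond_checked(memory, msg_offset, msg_len):
    """Post-fix behaviour: drop any message whose claimed payload length
    does not fit inside the bytes that were actually received."""
    if msg_len < 1 + 2 + PADDING_LEN:
        return None                      # too short to be a valid heartbeat
    claimed = struct.unpack_from("!H", memory, msg_offset + 1)[0]
    if 1 + 2 + claimed + PADDING_LEN > msg_len:
        return None                      # silently discard, send nothing back
    start = msg_offset + 3
    return bytes(memory[start:start + claimed])

def demo():
    """Run both handlers over constructed memory and return their replies."""
    # Constructed sample: the "Hi"/500 request from the text, followed in
    # memory by unrelated data that must never be echoed back.
    request = build_heartbeat(b"Hi", claimed_len=500)
    secret = b"-----CONSTRUCTED PRIVATE KEY MATERIAL-----"
    memory = bytearray(request + secret + b"\x00" * 600)
    leaked = respond_unchecked(memory, 0, len(request))
    safe = respond_checked(memory, 0, len(request))
    honest_msg = build_heartbeat(b"Hi")
    honest = respond_checked(bytearray(honest_msg), 0, len(honest_msg))
    return leaked, safe, honest
```

The checked handler answers an honest request normally and returns nothing for the oversized one, which is the behaviour the patched OpenSSL release adopted.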

How Perfect Forward Secrecy Fits Into the Story

Heartbeat was introduced to TLS in 2012.

It isn’t known for certain when Heartbleed was first used to exploit the feature, but it’s very likely to have been within the same month.

However, Heartbleed was only discovered in 2014 – 2 years later. At that time, an updated version of OpenSSL was quickly developed and launched to fix the implementation exploit.

So how does Perfect Forward Secrecy come into play here?

Well, exploits like Heartbleed are pretty common, unfortunately.

And as you just learned, it can take years for these exploits to be discovered and countered. But with PFS in place, past, current, and potential future exploits are pre-emptively dealt with by locking data into isolated encryption “bubbles.”

Even if an exploit like Heartbleed leaks the server’s encryption Master Key, it can’t leak the keys used in Perfect Forward Secrecy. And, to repeat an earlier point, even if a cybercriminal has access to the Master Key, the isolated encryption of each user session (or part thereof) remains intact, so the data is still safe.

How Do I Make Sure I’m Benefiting from Perfect Forward Secrecy?

This isn’t quite as straightforward as you might think – but the good news is it can be.


The biggest hurdle in making sure you benefit from Perfect Forward Secrecy is the fact you have no guarantee the websites you’re visiting are using PFS.

Unfortunately, there’s no real way to tell, but there are a few things you can do.

First, make sure the website’s URL includes HTTPS, not just HTTP. Remember, that “S” shows the website is using SSL/TLS, which makes it significantly more likely PFS is also implemented.

You can also use the HTTPS Everywhere browser plugin (developed by The Onion Router and the Electronic Frontier Foundation).

While not a fail-safe, HTTPS Everywhere stops websites from defaulting back to HTTP and protects any links included that send you to unencrypted HTTP pages.

Second, you can spend some time reading the privacy policy to see if PFS is mentioned anywhere. This is incredibly time-consuming though, and websites aren’t guaranteed to mention the use of PFS – even if they do have it implemented.

So what’s the straightforward option, then?

It’s easy: use a VPN that uses Perfect Forward Secrecy.

VPNs and Perfect Forward Secrecy


The best VPNs will let you know – usually on the home and/or features pages – that they use Perfect Forward Secrecy.

But once again, this isn’t always guaranteed. So if you’re unsure, take a look at their encryption standards.

First, your VPN must use the 256-bit Advanced Encryption Standard (AES). It should also be using the VPN protocol OpenVPN. This makes it much more likely PFS is also implemented.

Second, see if their encryption feature page (or FAQs) mentions the Diffie-Hellman key-exchange. If the encryption includes “DH” in its string of acronyms, you’re good to go.

It’s also good practice to use the VPN provider’s live-chat feature to ask them directly. You should also check with the support agent if PFS is enabled on the app as well as the VPN server (otherwise it won’t really work) and whether or not it’s enabled by default.
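When a provider publishes its cipher strings, the “DH” check can be made more precise: only the ephemeral variants (DHE, ECDHE, and every TLS 1.3 suite) give forward secrecy, while static DH/ECDH and plain RSA key exchange do not. The classifier below is an added example, not part of the original guide or any VPN's tooling; the sample suite names in the usage are standard OpenSSL/IANA names chosen for illustration, and unrecognised prefixes fall back to the conservative verdict.

```python
import re

# TLS 1.3 suite names carry no key-exchange token: the handshake is always
# ephemeral (EC)DHE, so these suites are forward secret by construction.
TLS13 = re.compile(r"^TLS_(AES_\d+_(GCM|CCM(_8)?)|CHACHA20_POLY1305)_SHA\d+$")
EPHEMERAL = {"DHE", "EDH", "ECDHE"}      # fresh DH key pair per handshake
STATIC = {"DH", "ECDH", "RSA", "PSK"}    # one long-term key protects every session
ANONYMOUS = {"ADH", "AECDH"}             # ephemeral, but the peer is not authenticated

def key_exchange(suite):
    """Extract the key-exchange token from an OpenSSL- or IANA-style name."""
    name = suite.strip().upper().replace("-", "_")
    if TLS13.match(name):
        return "TLS1.3"
    if name.startswith("TLS_"):
        name = name[len("TLS_"):]
    head = name.split("_WITH_")[0]
    if head.endswith("_ANON"):           # IANA spelling: DH_anon, ECDH_anon
        return "A" + head.split("_")[0]
    token = head.split("_")[0]
    if token in EPHEMERAL | STATIC | ANONYMOUS:
        return token
    # OpenSSL drops the prefix for RSA key transport (e.g. AES256-SHA);
    # unknown prefixes also land here, which yields the conservative verdict.
    return "RSA"

def classify(suite):
    """Return a verdict string for one cipher-suite name."""
    kx = key_exchange(suite)
    if kx == "TLS1.3" or kx in EPHEMERAL:
        return "forward secret"
    if kx in ANONYMOUS:
        return "ephemeral but unauthenticated"
    return "no forward secrecy"

def audit(suites):
    """Return the suites in a configuration that lack authenticated PFS."""
    return [s for s in suites if classify(s) != "forward secret"]
```

Calling `audit()` on a list such as `["TLS-DHE-RSA-WITH-AES-256-GCM-SHA384", "DH-RSA-AES256-SHA", "AES256-GCM-SHA384"]` returns the last two, even though one of them contains “DH”.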


You should now have a good idea of what Perfect Forward Secrecy is, how it works, and why it’s so important. Not only that, but hopefully you have a better understanding of why it’s so important to choose the right VPN provider using our unique VPN comparison!

Don’t forget to check out our unbiased, BS-free VPN reviews for unbiased, BS-free insight on different VPN providers.

Mandee Rose

Mandee Rose is the editor and lead writer & researcher at TheVPNShop. She is a technical writer and blogger with 6+ years of experience in the cybersecurity sector. During her college years, she chased the dual-major of Cyber Security and Journalism while simultaneously offering freelance services online. As a result, Mandee was able to combine both of her passions by writing for companies like LatestHackingNews, BestVPN, Tactical Engine, Hoxhunt, AI Jobs (Medium Blog), and more. Today, she continues sharing her technical knowledge via investigative writing on topics like VPNs, programming, data breaches, artificial intelligence, and other infosec concepts.