Perfect Forward Secrecy for VPNs and HTTPS

Perfect Forward Secrecy is a valuable privacy feature that makes your VPN connection and sessions more secure and better protected. It also helps prevent anyone from later decrypting your web history. In other words, with perfect forward secrecy each VPN session gets its own distinct key, which makes it much harder for anyone else to decrypt your VPN activity.

Perfect Forward Secrecy is one of the best technological advancements in the privacy industry, and it keeps your internet activity protected and secure. In this article we explain what Forward Secrecy is and go in depth on how it works.

Best VPN with Perfect Forward Secrecy

Below is a list of our recommended VPN service providers that come with Perfect Forward Secrecy (PFS).

  1. Private Internet Access
  2. VPN.ac
  3. IPVanish
  4. Proxy.sh
  5. ExpressVPN

What is Perfect Forward Secrecy?

As mentioned earlier, Perfect Forward Secrecy is another layer of security and protection, like an extra key. In layman's terms, for perfect forward secrecy to work, each VPN session must use a unique key to encrypt your online traffic.

The advantage of Perfect Forward Secrecy is that even if a hacker manages to steal or guess the key to one of your encrypted sessions, they will not be able to decrypt any of your past or future VPN sessions, because that key is only ever used once.

Some VPN service providers go further and change your encryption key mid-session. Private Internet Access, for example, changes its encryption keys every 60 minutes.

Perfect Forward Secrecy Requirements

  1. Each VPN activity uses a unique encryption key.
  2. Each new key does not come from previous sessions.

Benefits of Using Perfect Forward Secrecy

Think of losing the key card to your hotel room. The front desk issues you a new card but does not change the key code on it. Now imagine someone finds your lost card: because the code never changed, whoever found it has unlimited access to your room. Knowing this, you no longer feel safe. The situation is the same when you use a VPN without perfect forward secrecy: if someone steals or guesses your encryption key, they can then access any of your information and data online.

That situation does not arise if your VPN comes with Perfect Forward Secrecy: the key for each activity or session is unique, so recovering an old key to decrypt your information is very difficult, if not impossible.

How Does Perfect Forward Secrecy Work?

Unlike setups that reuse the same encryption key session after session, Perfect Forward Secrecy requires a new encryption key to be generated at the start of each session and exchanged securely. The method used for that exchange is the Diffie-Hellman key exchange, which was invented 40 years ago and is still used today to provide online protection, privacy and security.

Two Stages of a VPN Connection

When using Perfect Forward Secrecy, a connection has two phases: the handshake and the tunneling phase.

  1. The Handshake – this happens at the beginning of your VPN session. It is when the Diffie-Hellman exchange takes place, and when the exchange between you and your VPN's server is authenticated and encrypted.
  2. The Tunnel – in this phase the encryption key agreed between you and the VPN server protects the connection, allowing you to transmit, encrypt and decrypt data.
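To make the Diffie-Hellman step and the handshake phase concrete, here is an added example (written for this article, not code from the original page or from any VPN vendor) that models both handshake styles in Python. The first scheme wraps each session key under a long-term server key, so an attacker who records sessions and later obtains that key can unwrap every one of them; the second derives the session key from fresh Diffie-Hellman exponents and uses the long-term key only to authenticate the server's value, so the same attacker recovers nothing. The 127-bit prime group and the HMAC standing in for the certificate signature are assumptions made for illustration.

```python
"""Toy model of the two handshake styles this article contrasts.

Added example: not code from the original article or from any VPN vendor.
Scheme 1 reuses a long-term server key to wrap every session key (no forward
secrecy). Scheme 2 derives each session key from fresh ephemeral Diffie-Hellman
exponents and uses the long-term key only to authenticate the exchange
(forward secrecy). The 127-bit prime group is a constructed toy parameter so
the demo runs instantly; real handshakes use standardised 2048-bit-plus or
elliptic-curve groups.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1  # toy Mersenne prime modulus (assumption: illustration only)
G = 3               # toy generator


def kdf(shared: bytes) -> bytes:
    """Derive a 16-byte session key from shared material (SHA-256 as a toy KDF)."""
    return hashlib.sha256(b"session-key" + shared).digest()[:16]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Scheme 1: static key transport (what PFS replaces) ---------------------

def static_handshake(long_term_key: bytes):
    """Client picks the session key and wraps it under the server's long-term key.

    Returns (session_key, transcript); the transcript is what a passive
    observer could record from the wire.
    """
    session_key = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    mask = hmac.new(long_term_key, nonce, hashlib.sha256).digest()[:16]
    return session_key, {"nonce": nonce, "wrapped_key": xor(session_key, mask)}


def static_recover(transcript: dict, long_term_key: bytes) -> bytes:
    """Attacker who later obtains the long-term key unwraps any recorded session key."""
    mask = hmac.new(long_term_key, transcript["nonce"], hashlib.sha256).digest()[:16]
    return xor(transcript["wrapped_key"], mask)


# --- Scheme 2: authenticated ephemeral Diffie-Hellman (PFS) -----------------

def dh_handshake(long_term_key: bytes):
    """Both sides pick one-time exponents; the long-term key only signs the server's value."""
    a = secrets.randbelow(P - 2) + 1           # client ephemeral secret
    b = secrets.randbelow(P - 2) + 1           # server ephemeral secret
    A, B = pow(G, a, P), pow(G, b, P)           # public values sent on the wire
    # HMAC stands in for the certificate signature proving B came from the server.
    tag = hmac.new(long_term_key, B.to_bytes(16, "big"), hashlib.sha256).digest()
    shared_client = pow(B, a, P).to_bytes(16, "big")
    shared_server = pow(A, b, P).to_bytes(16, "big")
    assert shared_client == shared_server       # both sides reach the same secret
    # a and b are dropped when this function returns: nothing kept can rebuild the key.
    return kdf(shared_client), {"A": A, "B": B, "auth_tag": tag}


def dh_attacker_view(transcript: dict, long_term_key: bytes) -> dict:
    """Same attacker, same advantage: a recording plus the long-term key.

    The long-term key lets the attacker confirm the tag, i.e. learn that B was
    genuine, but the transcript holds only public values. Recovering the session
    key would mean solving the discrete logarithm of A or B, so no key is obtained.
    """
    expected = hmac.new(long_term_key, transcript["B"].to_bytes(16, "big"),
                        hashlib.sha256).digest()
    return {"tag_valid": hmac.compare_digest(expected, transcript["auth_tag"]),
            "session_key": None}


if __name__ == "__main__":
    ltk = secrets.token_bytes(32)               # server's long-term key
    key, rec = static_handshake(ltk)
    print("static scheme: attacker recovers key?", static_recover(rec, ltk) == key)
    key1, rec1 = dh_handshake(ltk)
    key2, _ = dh_handshake(ltk)
    print("DH scheme: two sessions share a key?", key1 == key2)
    print("DH scheme: attacker view:", dh_attacker_view(rec1, ltk))
```

Running the file prints the outcome of both attacks. The point of the second scheme is structural: once the ephemeral exponents are gone, neither the recording nor the long-term key contains anything from which the session key can be rebuilt, which is exactly the property the tunnel phase relies on.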

Which VPN Protocols Support Perfect Forward Secrecy?

  1. OpenVPN – one of the strongest and most flexible VPN protocols. It is Perfect Forward Secrecy capable and is offered by most VPN service providers.
  2. L2TP/IPsec – although this protocol does not always use Perfect Forward Secrecy, it is also PFS capable and can perform a Diffie-Hellman exchange during the VPN handshake.

VPN Service Providers that Offer Perfect Forward Secrecy

1. Private Internet Access

This provider is considered one of the best VPN services, especially for those who love downloading torrents. It comes with top-notch security and privacy features, is very flexible, and also supports Perfect Forward Secrecy.

Other Features of Private Internet Access

  • Flexible, adjustable encryption strength and speed
  • No-logs policy
  • Unlimited bandwidth
  • SOCKS5 proxy
  • Priced at $3.33/month

2. VPN.ac

This VPN service provider is based in Romania and comes with a no-logs policy, private DNS servers and a proxy extension for Firefox and Chrome. VPN.AC also comes with perfect forward secrecy.

Perfect Forward Secrecy with VPN.AC

VPN.ac comes with PFS, as mentioned earlier. In fact, they advertise the capability on their features page, where they also state that they use military-grade AES 256-bit encryption with Elliptic Curve and 4096-bit RSA authentication, SHA512 HMAC and PFS.

Other Features

  • Encrypted zero-log DNS servers – you will not have to worry about third parties, governments or even the NSA checking your online history, since zero logs on the DNS servers means VPN.AC does not record any of your VPN activity.
  • Custom encryption control – lets you choose your preferred encryption strength and cipher.
  • P2P/torrent-optimized servers – although VPN.AC allows BitTorrent and file sharing in all server locations, they highly recommend their P2P-optimized servers, which offer massive bandwidth, optimized packet routing and a file-sharing-friendly setup.
  • 7-day refund policy; plans start at $4.83/month

Non-VPN Users

For those who do not use a VPN, there is another way to encrypt web traffic: HTTPS, that is, HTTP over SSL/TLS. Fortunately, HTTPS can also be deployed with Perfect Forward Secrecy.

What is HTTPS?

HTTPS is the more secure version of HTTP: it is HTTP with the traffic encrypted. That makes snooping on and stealing private information such as login passwords, credit card details and social security numbers far more difficult.

Who uses HTTPS?

When you are on an HTTPS site, you will see a lock icon in your browser's address bar, meaning it is safe to make transactions on that site. All major online retailers, for example, use HTTPS to secure your payment information and their entire site. Google also uses HTTPS throughout, which keeps your searches and your privacy protected. Credit card companies, banks and online brokers use HTTPS as well.

Why should HTTPS use Perfect Forward Secrecy?

Perfect Forward Secrecy may be one of the most important tools for online commerce. Without it, HTTPS uses the same private key over and over, and a third-party observer may eventually obtain it. In short, once an attacker gets hold of your key, they can decrypt all of your transactions, past, present and future, and everything in them could be used for identity theft, to steal money from your bank account or to make purchases with your credit card.

How to check if a website uses Perfect Forward Secrecy?

Every website using HTTPS presents a public security certificate, which makes it easy to check which kind of encryption your connection is using. To check, follow the steps below:

  1. Click the lock icon in your browser's address bar.
  2. Click the Connection tab in the pop-up window that appears.

This will show you whether the website you are visiting supports Perfect Forward Secrecy and whether it is enabled.

If the pop-up lists ECDHE_RSA as the key exchange mechanism, the site is using an elliptic-curve Diffie-Hellman exchange, and the session between the site and your web browser is protected with 128-bit AES encryption.
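As an added example (not from the original article), the following Python helper applies that rule to the names browsers and OpenSSL display: a suite provides forward secrecy only when the key exchange is ephemeral Diffie-Hellman (DHE or ECDHE), and TLS 1.3 suites always are. It also lists which suites the local Python/OpenSSL build would still offer without forward secrecy. The sample names in the test and the `__main__` block are constructed inputs.

```python
"""Classify TLS key-exchange and cipher-suite names for forward secrecy.

Added example, not part of the original article. Works on the three spellings
you will meet in practice: the IANA form (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256),
the OpenSSL form (ECDHE-RSA-AES128-GCM-SHA256) and the bare key-exchange label
some browsers show in their connection tab (ECDHE_RSA).
"""
import ssl
from dataclasses import dataclass


@dataclass
class KeyExchange:
    forward_secret: bool   # True only for ephemeral (EC)DHE
    mechanism: str         # human-readable name of the key exchange
    authenticated: bool    # False for anonymous DH suites (ADH/AECDH/*_anon)


def classify(name: str) -> KeyExchange:
    """Decide from the suite name alone whether the key exchange is ephemeral."""
    tokens = name.strip().upper().replace("-", "_").split("_")
    # TLS 1.3 suites (TLS_AES_128_GCM_SHA256 ...) name only the AEAD and hash;
    # the key exchange is always ephemeral (EC)DHE in that protocol version.
    if tokens[0] == "TLS" and "WITH" not in tokens:
        return KeyExchange(True, "(EC)DHE, TLS 1.3", True)
    anon = "ANON" in tokens or "ADH" in tokens or "AECDH" in tokens
    if "ECDHE" in tokens or "AECDH" in tokens or ("ECDH" in tokens and anon):
        return KeyExchange(True, "ECDHE", not anon)
    # EDH is OpenSSL's older spelling of DHE; ADH is anonymous ephemeral DH.
    if "DHE" in tokens or "EDH" in tokens or "ADH" in tokens or ("DH" in tokens and anon):
        return KeyExchange(True, "DHE", not anon)
    if "ECDH" in tokens:                        # static ECDH: fixed server value, no PFS
        return KeyExchange(False, "static ECDH", True)
    if "DH" in tokens:
        return KeyExchange(False, "static DH", True)
    if "PSK" in tokens:                         # plain PSK without (EC)DHE
        return KeyExchange(False, "PSK", True)
    # IANA TLS_RSA_WITH_... and OpenSSL names with no key-exchange prefix
    # (AES128-GCM-SHA256) both mean RSA key transport: the client encrypts the
    # premaster secret to the server's long-term key, the case the article warns about.
    return KeyExchange(False, "RSA key transport", True)


def local_non_pfs_suites() -> list:
    """Names of suites the local OpenSSL default context would still offer without PFS."""
    ctx = ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers() if not classify(c["name"]).forward_secret]


if __name__ == "__main__":
    # constructed sample names, one per category
    for sample in ["ECDHE_RSA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_AES_256_GCM_SHA384"]:
        print(f"{sample:40} {classify(sample)}")
    print("local suites without forward secrecy:", local_non_pfs_suites())
```

The last line of the `__main__` block is the server-side counterpart of the browser check above: any suite it lists is one the local OpenSSL build would still negotiate with RSA key transport, so a server operator wanting PFS everywhere removes those from the configured cipher list.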

Perfect Forward Secrecy and NSA Surveillance

Without the protection of Perfect Forward Secrecy, encryption keys can be guessed, stolen or simply demanded, not only by other third parties but also by NSA surveillance. Once your key is in the NSA's possession, they can decrypt all of your past, present and future encrypted communications, and we all know that the NSA stores encrypted online traffic.

With Perfect Forward Secrecy, however, the NSA would have to break every session separately, since each session, as mentioned earlier, comes with its own unique key.


We hope this article has given you a solid understanding of Perfect Forward Secrecy. Having it enabled brings real benefits and an additional layer of security to your online browsing.

Renee Biana

VPN Pick brings you all the latest vpn news, reviews and discounts.
