Diff: PerfectForwardSecrecy

Differences between current version and predecessor to the previous major change of PerfectForwardSecrecy.

Other diffs: Previous Revision, Previous Author, or view the Annotated Edit History

Newer page: version 3 Last edited on Friday, December 5, 2003 8:32:27 pm by CraigBox
Older page: version 2 Last edited on Friday, June 20, 2003 3:48:37 pm by CraigBox Revert
@@ -1,8 +1,12 @@
 The idea of an encrypted communication channel regularly changing it's key. Thus if one of the keys is ever compromised (for what ever reason), then the attacker can use that to read all future traffic, but not any older traffic. 
 Nifty no? 
+[Apple|AppleCorporation]'s and [Microsoft|MicrosoftCorporation]'s [L2TP]/[IPSec] clients do not enable PFS. FreeSwan, on the other hand, enables PFS by default. (One could only speculate why PFS is not used by Apple and Microsoft as a default. Is it because of the <insert your favourite 3-letter government agency>?).  
+Note that FreeS/WAN will use PFS when the client asks for it, even when pfs=no is specified in the FreeS/WAN configuration. FreeS/WAN will ignore the pfs=no for that particular client because PFS is more secure and if the client supports it, why not use it? If you set pfs=no, it allows you to connect with clients that are configured with or without PFS.  
 See [ISAKMP].