If you’ve heard about VPN encryption, you’ve probably heard someone mention at least once that PFS offers even more security.
But what is PFS in VPN connections, actually?
Well, here’s everything you need to know about it:
The easiest way to understand PFS is to first understand how VPN encryption works.
The simplest way to describe it is to think of a VPN connection (also called a VPN session) as a lock-key combination. The VPN client and server “lock” the traffic, making sure nobody can monitor it, and only they can “unlock” it with the right encryption/decryption key – which only the client and server have.
If you want an in-depth explanation, check out this article.
PFS (Perfect Forward Secrecy) is a way to make VPN connections more secure than they already are.
Basically, PFS ensures that the VPN server and client use different encryption/decryption keys for each individual session – instead of a single Master Key as they normally do.
So with PFS in VPN connections, even if a cybercriminal were to somehow get their hands on the encryption/decryption key for one of your VPN sessions, they wouldn’t be able to learn much since they wouldn’t have access to your other connections.
PFS in VPN connections takes place during the following stages:
Basically, there are four main reasons you should use a VPN that offers Perfect Forward Secrecy:
Yes, VPN connections are already a good start, but here’s the problem – what if surveillance agencies log your encrypted traffic, and store it until they find a way to break it?
Sounds like mere speculation?
Well, it isn’t. For example, the NSA can actually store any encrypted data they log, and keep it for as long as it takes them to crack it.
It’s safe to say government surveillance agencies from other countries do the same thing.
Well, with PFS in VPN connections, that’s no longer a problem. If the NSA (or any other surveillance agency) wanted to do that, they’d have to log every single one of your VPN sessions, and try to find a different key for each one.
That’s something even the NSA can’t handle. They likely won’t even bother because of how difficult and time-consuming it would be.
If government surveillance agencies won’t bother with breaking PFS, you can rest assured that cybercriminals will think twice before trying to target a VPN client or server that uses PFS.
It would simply require far too much effort on their part, and the risk might not even be worth the payoff.
If you’re not familiar with the Heartbleed Bug, it’s an OpenSSL vulnerability that leaks keys, login credentials, emails, messages, and more. Even worse, there’s no way to detect the use of the bug since it doesn’t leave any trace.
Luckily, PFS can prevent cybercriminals from abusing Heartbleed to steal session keys. Even if they got their hands on one, it wouldn’t help them decrypt the rest of the traffic.
VPN providers can actually configure PFS to refresh encryption/decryption keys during the connection, not just every time the user initiates a session.
That makes the connection even more secure, and further limits any data a hacker could potentially steal if they somehow managed to steal a temporary key. Not to mention it makes it even less likely that someone would try to crack your traffic.
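The contrast described above between one reused Master Key and per-session keys, together with the mid-connection key refresh, as an added Python illustration that is not SmartyDNS code. It assumes PFS is achieved with an ephemeral Diffie-Hellman exchange, uses a toy group that is not a production parameter choice, and every function name is hypothetical.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group, for illustration only (assumption: not a
# production parameter choice; real deployments use vetted groups or curves).
P, G = 2**255 - 19, 2

def kdf(secret: bytes, label: bytes) -> bytes:
    """Derive a 32-byte key from a secret and a public label."""
    return hmac.new(secret, label, hashlib.sha256).digest()

def static_session_key(master_key: bytes, nonce: bytes) -> bytes:
    """No PFS: the session key depends only on the long-lived master key
    and a nonce that travels in the clear."""
    return kdf(master_key, nonce)

def pfs_exchange(auth_key: bytes):
    """PFS: fresh DH secrets per exchange; auth_key only authenticates.
    Returns (what an eavesdropper can record, the session key)."""
    a = secrets.randbelow(P - 3) + 2                 # client ephemeral secret
    b = secrets.randbelow(P - 3) + 2                 # server ephemeral secret
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)        # sent on the wire
    tag = kdf(auth_key, b"%d|%d" % (pub_a, pub_b))   # proves who is talking
    shared = pow(pub_b, a, P)                        # client side
    assert shared == pow(pub_a, b, P)                # server side agrees
    key = kdf(shared.to_bytes(32, "big"), b"traffic")
    return (pub_a, pub_b, tag), key                  # a and b are discarded here

def pfs_connection(auth_key: bytes, rekeys: int):
    """One connection that repeats the exchange `rekeys` times mid-session."""
    return [pfs_exchange(auth_key) for _ in range(rekeys)]

def attacker_with_long_term_key(long_term: bytes, recorded):
    """What a later theft of the long-term key yields over recorded traffic."""
    static = [static_session_key(long_term, n) for n in recorded["nonces"]]
    # For PFS sessions the stolen key only re-checks the tags; the traffic
    # keys need a or b, which were never sent or stored.
    tags_ok = all(kdf(long_term, b"%d|%d" % (pa, pb)) == t
                  for pa, pb, t in recorded["pfs"])
    return static, tags_ok

if __name__ == "__main__":
    master = secrets.token_bytes(32)                 # constructed sample key
    nonces = [secrets.token_bytes(16) for _ in range(3)]
    sessions = pfs_connection(master, rekeys=3)
    recorded = {"nonces": nonces, "pfs": [wire for wire, _ in sessions]}
    static, tags_ok = attacker_with_long_term_key(master, recorded)
    print("non-PFS session keys rebuilt from stolen key:", len(static))
    print("PFS tags verify:", tags_ok, "| distinct PFS keys:", len({k for _, k in sessions}))
```

In the non-PFS path, everything needed to rebuild a session key is either the stolen long-term key or data recorded from the wire; in the PFS path, the long-term key never enters the traffic-key derivation.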
Generally, if a provider offers access to protocols like OpenVPN, SoftEther, IKEv2, L2TP/IPSec, SSTP, and WireGuard, they can offer PFS.
That’s just in theory, though.
Just because you see any of those protocols on a provider’s website doesn’t mean you will automatically get PFS. That’s because the provider needs to enable PFS on their connections since it’s disabled by default.
Overall, it’s hard to say how many providers offer PFS in VPN connections. Your best bet is to check their FAQ section or ask their customer reps. If you don’t have time for that, just check out SmartyDNS – we enable PFS by default on OpenVPN and SoftEther connections.
In theory, there is a chance it might take longer for you to establish a VPN connection because PFS requires more processing power.
Of course, “take longer” could just mean a few extra milliseconds. Also, if you have a powerful computer, and the VPN provider uses decent, well-optimized servers, that likely won’t happen.
Even if it does, you probably won’t notice it.
As for the connection speeds themselves, they normally shouldn’t take a hit. But again, that depends on a lot of factors – like how strong your CPU is, what encryption you’re using, or how far you are from the VPN server.
We’ve got you covered – SmartyDNS provides access to highly-secure protocols like SoftEther and OpenVPN, and you get an extra layer of security since we enabled Perfect Forward Secrecy by default on them.
On top of that, we use military-grade encryption (AES) to secure your traffic and data even more.
Oh, and we have a clear no-log policy at SmartyDNS. We go the extra mile to make sure you enjoy top-notch privacy.
And feel free to test-drive our service free of charge first. We offer a free three-day trial – no credit card details needed. That, and we provide a 30-day money-back guarantee too.
PFS stands for Perfect Forward Secrecy, and it’s a system that handles encryption differently.
Normally, the VPN client and server reuse the same key (called a Master Key) for every VPN connection you run. With PFS, however, every time you use a VPN, the client and server use a different Master Key.
So, you get different keys for different sessions, making sure nobody can crack your traffic even if they were to somehow get access to one session key.
Not all VPN providers offer PFS security, though. If you’re looking for one, check out our services.