If you’ve read about VPN encryption, you’ve probably seen someone mention at least once that PFS makes it even more secure.
But what is PFS in VPN connections, actually?
Well, here’s everything you need to know about it:
The easiest way to understand PFS is to first understand how VPN encryption works.
The simplest way to describe it is to think of a VPN connection (also called a VPN session) as a lock-and-key combination. The VPN client and server “lock” the traffic so nobody else can read it, and only they can “unlock” it, because only they hold the encryption/decryption key.
If you want an in-depth explanation, check out this article.
PFS (Perfect Forward Secrecy) is a way to make VPN connections more secure than they already are.
Basically, PFS ensures that the VPN server and client negotiate a fresh encryption/decryption key for each individual session, instead of deriving every session’s key from a single long-lived Master Key as they normally do.
So with PFS in VPN connections, even if a cybercriminal somehow got hold of the encryption/decryption key for one of your VPN sessions, they could only read that one session – the key would tell them nothing about your other connections.
PFS in VPN connections takes place during the following stages:
Basically, there are four main reasons you should use a VPN that offers Perfect Forward Secrecy:
Yes, VPN connections are already a good start, but here’s the problem – what if surveillance agencies log your encrypted traffic, and store it until they find a way to break it?
Sounds like mere speculation?
Well, it isn’t. For example, the NSA can actually store any encrypted data they log, and keep it for as long as it takes them to crack it.
It’s safe to say that government surveillance agencies from other countries do the same thing.
Well, with PFS in VPN connections, that’s no longer a problem. If the NSA (or any other surveillance agency) wanted to do that, they’d have to log every single one of your VPN sessions and then find a different key for each one.
That’s something even the NSA can’t handle. They likely won’t even bother because of how difficult and time-consuming it would be.
If government surveillance agencies won’t bother with breaking PFS, you can rest assured that cybercriminals will think twice before trying to target a VPN client or server that uses PFS.
It would simply require far more effort on their part, and the risk might not be worth the payoff.
If you’re not familiar with the Heartbleed Bug, it’s an OpenSSL vulnerability that leaks keys, login credentials, emails, messages, and more. Even worse, there’s no way to detect the use of the bug since it doesn’t leave any trace.
Luckily, PFS limits what cybercriminals gain from abusing Heartbleed: even if they got their hands on one session key, it wouldn’t help them decrypt the rest of your traffic.
VPN providers can actually configure PFS to refresh encryption/decryption keys during the connection, not just every time the user initiates a session.
That makes the connection even more secure, and further limits the data a hacker could read if they somehow obtained one of those temporary keys. Not to mention it makes it even less worthwhile for someone to try to crack your traffic.
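To make the points above concrete (a fresh key per session, what a “store now, decrypt later” attacker can do once a long-term key leaks, and mid-session key refresh), here is an added Python simulation. It is not SmartyDNS code and not any VPN protocol’s real handshake: the Diffie-Hellman group, the salt, the session ids and the packet counts are constructed for the demo, authentication of the exchange is left out, and the group is far too small for real use.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group, for illustration only: a 127-bit
# Mersenne prime with a fixed base. Real VPN handshakes use 2048-bit or larger
# MODP groups or curves such as X25519; this group is far too small to be safe.
P = 2**127 - 1
G = 5


def dh_keypair():
    """Return (private exponent, public value g^priv mod p)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Both parties reach the same secret: (g^a)^b == (g^b)^a mod p."""
    return pow(peer_pub, priv, P)


def derive_key(shared, context):
    """Simplified HKDF (extract, then a single expand step) using HMAC-SHA256."""
    prk = hmac.new(b"pfs-demo-salt", shared.to_bytes(16, "big"), hashlib.sha256).digest()
    return hmac.new(prk, context + b"\x01", hashlib.sha256).digest()


def handshake(server_lt_priv, server_lt_pub, session_id, use_pfs):
    """Key agreement for one session; returns (session_key, eavesdropper transcript).

    use_pfs=False: the server contributes its long-term key pair every session,
    so every session key is a function of that single private key.
    use_pfs=True: the server makes a fresh ephemeral pair, uses it once and
    forgets the private half. (Signing the ephemeral value with the long-term
    key, which is how a real protocol authenticates it, is omitted here.)
    """
    client_priv, client_pub = dh_keypair()
    if use_pfs:
        server_priv, server_pub = dh_keypair()
    else:
        server_priv, server_pub = server_lt_priv, server_lt_pub
    context = session_id + server_pub.to_bytes(16, "big")
    key = derive_key(dh_shared(client_priv, server_pub), context)
    assert key == derive_key(dh_shared(server_priv, client_pub), context)  # server side agrees
    # Everything a passive logger can record: public values only.
    transcript = {"session_id": session_id, "client_pub": client_pub, "server_pub": server_pub}
    return key, transcript


def recover_with_leaked_key(transcript, leaked_server_priv):
    """'Store now, decrypt later': the attacker kept the handshake and later
    obtains the server's long-term private key. Returns the rebuilt session key,
    or None when the recorded server value came from a discarded ephemeral key."""
    if pow(G, leaked_server_priv, P) != transcript["server_pub"]:
        return None  # only the discrete-log problem is left, which is the point of PFS
    context = transcript["session_id"] + transcript["server_pub"].to_bytes(16, "big")
    return derive_key(dh_shared(leaked_server_priv, transcript["client_pub"]), context)


def sessions_recoverable(use_pfs, n_sessions=3):
    """Run n sessions, then leak the long-term key and count how many of the
    stored sessions the attacker can now decrypt."""
    lt_priv, lt_pub = dh_keypair()
    keys, transcripts = [], []
    for i in range(n_sessions):
        k, t = handshake(lt_priv, lt_pub, b"session-%d" % i, use_pfs)
        keys.append(k)
        transcripts.append(t)
    return sum(1 for k, t in zip(keys, transcripts) if recover_with_leaked_key(t, lt_priv) == k)


def rekey(current_key, epoch):
    """Mid-session refresh: a fresh ephemeral exchange mixed with the current key.
    One epoch's key yields neither the next (needs the new DH secret) nor the
    previous (HMAC is one-way)."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    context = current_key + epoch.to_bytes(4, "big")
    new_key = derive_key(dh_shared(c_priv, s_pub), context)
    assert new_key == derive_key(dh_shared(s_priv, c_pub), context)
    return new_key


def key_schedule(initial_key, packets, rekey_every):
    """List the distinct traffic keys used over `packets` packets when the
    channel rekeys every `rekey_every` packets."""
    keys, current = [initial_key], initial_key
    for n in range(1, packets):
        if n % rekey_every == 0:
            current = rekey(current, n // rekey_every)
            keys.append(current)
    return keys


if __name__ == "__main__":
    print("sessions decryptable after the long-term key leaks:")
    print("  static server key:", sessions_recoverable(use_pfs=False))
    print("  ephemeral (PFS):  ", sessions_recoverable(use_pfs=True))
    print("distinct keys over 10 packets, rekeying every 3:",
          len(key_schedule(derive_key(1, b"demo"), 10, 3)))
```

Running it shows the attacker rebuilding every stored session in the static-key model and none of them under PFS, and a 10-packet session that rekeys every 3 packets going through four distinct keys. In OpenVPN, the in-session refresh described above is a fresh TLS renegotiation, whose interval the `reneg-sec` option controls.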
Generally, if a provider offers access to protocols like OpenVPN, SoftEther, IKEv2, L2TP/IPSec, SSTP, and WireGuard, they can offer PFS.
Though, that’s just in theory.
Just because you see any of those protocols on a provider’s website doesn’t mean you will automatically get PFS. That’s because the provider needs to enable PFS on their connections since it’s disabled by default.
Overall, it’s hard to say how many providers offer PFS in VPN connections. Your best bet is to check their FAQ section or ask their customer reps. If you don’t have time for that, just check out SmartyDNS – we enable PFS by default on OpenVPN and SoftEther connections.
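As an added example (not SmartyDNS code), here is a way to check your own connection instead of relying only on a provider’s FAQ: the key-exchange part of the TLS cipher suite your client negotiated tells you whether the session key was ephemeral. Suites named ECDHE or DHE, and every TLS 1.3 suite, give forward secrecy; plain RSA key-transport suites do not. The log lines below are constructed in the format of OpenVPN’s “Control Channel:” message and are not from a real session.

```python
import re

# Key-exchange tokens that mean an ephemeral (EC)DH exchange was used.
EPHEMERAL_TOKENS = {"ECDHE", "DHE", "EDH"}
# TLS 1.3 suite names carry no key-exchange token because TLS 1.3 only
# supports ephemeral (EC)DHE, so they always give forward secrecy.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256",
}


def suite_has_pfs(suite):
    """True if the cipher suite name implies an ephemeral key exchange.
    Accepts OpenSSL names (ECDHE-RSA-AES256-GCM-SHA384), IANA/OpenVPN names
    (TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384) and TLS 1.3 names."""
    name = suite.strip().upper()
    if name in TLS13_SUITES:
        return True
    tokens = re.split(r"[-_]", name)
    return any(t in EPHEMERAL_TOKENS for t in tokens)


# Matches OpenVPN's "Control Channel: <tls version>, cipher <lib version> <suite>" line.
OPENVPN_RE = re.compile(r"Control Channel: (TLSv[\d.]+), cipher \S+ ([A-Za-z0-9_-]+)")


def check_openvpn_log(lines):
    """Return (tls_version, suite, has_pfs) for every handshake found in the log."""
    results = []
    for line in lines:
        m = OPENVPN_RE.search(line)
        if m:
            version, suite = m.groups()
            results.append((version, suite, suite_has_pfs(suite)))
    return results


# Constructed sample log (timestamps and suites chosen for the demo).
SAMPLE_LOG = """\
2024-01-01 10:00:01 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2024-01-01 10:00:02 Data Channel: using negotiated cipher 'AES-256-GCM'
2024-01-01 11:00:01 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 AES256-GCM-SHA384, 2048 bit RSA
2024-01-01 12:00:01 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA
"""


if __name__ == "__main__":
    for version, suite, pfs in check_openvpn_log(SAMPLE_LOG.splitlines()):
        print(f"{version:8} {suite:40} PFS: {'yes' if pfs else 'NO'}")
```

The second sample handshake negotiates `AES256-GCM-SHA384`, an RSA key-transport suite: the traffic is still encrypted, but a later leak of the server’s RSA private key would expose every stored session, which is exactly the case PFS is meant to close.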
In theory, establishing a VPN connection might take a little longer, because PFS requires more processing power.
Of course, “take longer” could just mean a few extra milliseconds. Also, if you have a powerful computer, and the VPN provider uses decent, well-optimized servers, that likely won’t happen.
Even if it does, you probably won’t notice it.
As for the connection speeds themselves, they normally shouldn’t take a hit. But again, that depends on a lot of factors – like how strong your CPU is, what encryption you’re using, or how far you are from the VPN server.
We here at SmartyDNS offer high-speed VPN servers with military-grade 256-bit AES encryption and highly secure VPN protocols (OpenVPN, SoftEther and IKEv2), and we adhere to a strict no-log policy.
Our VPN servers double as proxy servers and we also offer a Smart DNS service that lets you unblock 300+ worldwide geo-restricted websites.
We offer user-friendly VPN apps for Windows, Mac, iPhone/iPad, Android, and Fire TV/Stick and browser extensions for Chrome and Firefox.
Oh, and we’ll also have your back with our 30-day money-back guarantee.
PFS stands for Perfect Forward Secrecy, and it’s a system that handles encryption differently.
Normally, the VPN client and server reuse the same key (called a Master Key) for every VPN connection you run. With PFS, however, the client and server negotiate a different key every time you use the VPN.
So, you get different keys for different sessions, making sure nobody can crack your traffic even if they were to somehow get access to one session key.
Not all VPN providers offer PFS security, though. If you’re looking for one, check out our services.
Get SmartyDNS for $3.7/mo!