Rajiv Aaron Manglani

Rollout of Ephemeral Ciphers (Forward Secrecy and PFS)

Blog Post created by Rajiv Aaron Manglani (Employee) on Feb 23, 2015

As part of our continuing efforts to introduce new features and capabilities to our Secure Platform, ephemeral ciphers (also known as Forward Secrecy or PFS) will be added to the default cipher profile. Modern web browsers and other clients will be able to take advantage of the increased security. Older clients will continue to work as before. In the interim, RC4 ciphers will remain in the default cipher profile, and we will provide a separate notification before they are removed.

 

This upgrade does not apply to certificate configurations (i.e., slot configurations) using custom cipher profiles (i.e., slots with hard-coded ciphers, or slots that use non-default cipher profiles).

 

The rollout will be done in phases, starting March 2, 2015. We will be monitoring the network carefully during each phase of this rollout and expect the rollout will be completed around April 6, 2015. We do not expect any adverse impact as a consequence of this enhancement. No action is required on your part.

 

Once the PFS upgrade is complete, these ciphers will be enabled (in this order): ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES256-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES128-SHA, AES256-SHA, DES-CBC3-SHA, AES128-SHA, IDEA-CBC-SHA, RC4-SHA, RC4-MD5, DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC4-MD5.
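The following added example (not code from this post or from the platform) models which cipher a client ends up with when the server picks the first entry of the list above that the client also offers. It assumes the listed order is enforced as server preference; the client offers and all function names are constructed for illustration.

```python
# Added example: server-preference selection over the cipher list quoted in
# this post. Certificate type (RSA vs ECDSA) and TLS version constraints are
# ignored to keep the model small (assumption).
SERVER_ORDER = """
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA256 ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA AES256-SHA DES-CBC3-SHA AES128-SHA IDEA-CBC-SHA
RC4-SHA RC4-MD5 DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5
""".split()

# Constructed client offers (illustrative, not captured from real clients).
MODERN_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA",
                 "AES128-SHA", "RC4-SHA"]
LEGACY_CLIENT = ["RC4-MD5", "RC4-SHA"]

def has_forward_secrecy(cipher):
    # OpenSSL-style names lead with the key exchange; (EC)DHE is ephemeral.
    return cipher.startswith(("ECDHE-", "DHE-"))

def weak_flags(cipher):
    parts = cipher.split("-")
    flags = []
    if "RC4" in parts:
        flags.append("RC4")
    if parts[0] == "EXP":
        flags.append("export-grade")
    if "DES" in parts and "CBC3" not in parts:  # DES-CBC3 is triple DES
        flags.append("single DES")
    return flags

def negotiate(client_offer, server_order=SERVER_ORDER):
    # Server preference: first server entry the client also offers wins.
    offered = set(client_offer)
    return next((c for c in server_order if c in offered), None)

def report(client_offer):
    chosen = negotiate(client_offer)
    if chosen is None:
        return (None, False, [])
    return (chosen, has_forward_secrecy(chosen), weak_flags(chosen))

if __name__ == "__main__":
    for label, offer in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
        print(label, report(offer))
```

A client that offers only non-ECDHE suites still connects but gets no forward secrecy, which is why the fallback entries at the end of the list are worth tracking until they are removed.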

 

If you or your users experience any problems or issues using the Secure Network platform for any reason, please contact Customer Care.
