Forward secrecy

TL;DR: Forward secrecy means that if your server’s private key leaks tomorrow, anyone who has been quietly recording your encrypted traffic for years still can’t read a single old session. It’s free, it’s mandatory in TLS 1.3 by protocol, and on TLS 1.2 it just means turning off the static-RSA cipher suites. Insurers are starting to require it. There is no good reason to be without it in 2026.

What is it?

Every TLS connection needs to agree on a fresh session key — a symmetric secret that both ends use to encrypt the actual traffic. The interesting question is how the two sides agree on that key without an eavesdropper learning it. Two approaches have been used historically:

Static RSA key exchange. The client picks a random session key, encrypts it under the server’s long-term RSA public key (the one inside its certificate), and sends the ciphertext over the wire. The server decrypts it with its long-term RSA private key. Done. This works, but it has a fatal property: the same long-term private key is used for every session, forever. If that key ever leaks — years from now, via court order, insider, breach, or future cryptanalytic break — anyone who recorded the ciphertext can retroactively decrypt every session that ever happened.

Ephemeral Diffie-Hellman (ECDHE or DHE). Each side generates a fresh, throwaway key pair for this session only and exchanges public values. Both sides combine their own private value with the other’s public value to compute the same shared secret — without that secret ever being sent over the wire. The long-term key in your cert is still used, but only to sign the exchange (proving “the server you think you’re talking to is really us”). It does not encrypt anything. After the handshake, both sides discard the ephemeral private values. Future compromise of the long-term key reveals nothing about past sessions, because the long-term key was never the thing protecting them.

That second property — past sessions stay private even if the long-term key is later compromised — is what “forward secrecy” means.

Why does it matter?

The threat model isn’t hypothetical, and it isn’t about today’s attacker. It’s about the patient one.

State-level adversaries are widely understood to record large volumes of encrypted internet traffic and warehouse it. They don’t need to be able to decrypt it today; they only need one of two things to happen later:

1. The long-term key leaks. Server breach, ex-employee, court order, supply-chain compromise, lost backup tape. Without forward secrecy, every recorded session against that server becomes plaintext the moment the key surfaces.
2. A future cryptanalytic advance. RSA-2048 is fine today. It may not be fine in 2040. The classic worry here is a sufficiently large quantum computer running Shor’s algorithm — but classical advances have broken algorithms before too. With forward secrecy, even a future break of the long-term key reveals nothing about old sessions, because the actual session keys came from per-session ephemeral material that no longer exists.

This is the so-called harvest-now-decrypt-later threat, and it’s the reason cyber liability underwriters in 2026 increasingly require forward secrecy as a renewal condition. It’s also why the TLS 1.3 working group decided to make FS mandatory by protocol: they removed static-RSA key exchange from the standard entirely.

If your server already speaks TLS 1.3, you already have forward secrecy — there is no TLS 1.3 deployment without it. The factor only really matters for TLS 1.2 deployments that still negotiate static-RSA cipher suites with older clients.

Real-world analogy

Forward secrecy is like using a different one-time pad for every conversation, then burning the pad. Capture the pad later — get nothing. Each conversation was sealed with a key that exists nowhere anymore.

Static RSA is the opposite: it’s a single master key that decrypts every conversation you’ve ever had, from the first one onward, locked in your safe. The day someone gets the master key — even years from now, even after you’ve moved on — every recorded conversation pops open at once.

A note on TLS 1.3

TLS 1.3 made forward secrecy structurally mandatory. The standard ships with exactly three families of key-exchange modes — DHE, ECDHE, and PSK — and all three provide forward secrecy by construction. Static-RSA key exchange was removed. There is no way to negotiate a TLS 1.3 connection that lacks FS; the protocol won’t let you.

The practical consequence: if you upgrade your stack to TLS 1.3, WEBQ-88 scores 100 automatically, with no further config. This is the cheapest fix in the entire TLS factor list. Most of the remaining static-RSA exposure on the public web in 2026 is on TLS 1.2-only servers serving older enterprise or embedded clients that haven’t been updated.

How WQI measures this

We grade forward secrecy as factor WEBQ-88 in the Security category. We see it directly in the negotiated key exchange algorithm reported by the TLS handshake — either via Cloudflare URL Scanner’s securityDetails.keyExchange field (captured from Chrome DevTools), or via our Container probe when that’s not available.

Result	What it means
Pass (100)	TLS 1.3 negotiated (FS guaranteed by protocol) or ECDHE / DHE / X25519 key exchange observed in TLS 1.2.
Warn (60)	Key exchange algorithm reported but unclassifiable.
Fail (0)	Static RSA key exchange observed.

TLS 1.3 detection is an automatic pass — there is no FS-less 1.3 deployment to worry about.

What good looks like

Pass on WEBQ-88, every audit, every domain. Two paths get you there:

1. Enable TLS 1.3. This is the cleanest answer. Every modern web server, CDN, and reverse proxy supports it. Done.
2. On TLS 1.2, disable static-RSA cipher suites. If you have to keep 1.2 around for some reason (older client compatibility), make sure your cipher suite list excludes the static-RSA options. Every negotiated suite should start with ECDHE- or DHE-, never plain RSA-.

How to fix it

If you’re already on TLS 1.3, stop here — you’re already passing.

For TLS 1.2 deployments, disable static RSA in your cipher list:

Nginx:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:!aNULL:!eNULL:!RSA;
ssl_prefer_server_ciphers on;

The critical bit is !RSA — that’s what excludes static-RSA key exchange. (It does not exclude RSA certificates; ECDHE-RSA-* suites still work fine. It only kills the static-RSA key exchange mode.)

Apache:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!RC4:!MD5:!RSA
SSLHonorCipherOrder on

Caddy: Forward-secrecy-only suites are the default. No config needed.

Cloudflare: TLS 1.3 is on for every proxied domain. No action needed.

Verify with nmap:

nmap --script ssl-enum-ciphers -p 443 yourdomain.com

Read the output. Every listed cipher should start with ECDHE_ or DHE_ (or be a TLS 1.3 suite, which all provide FS by definition). If you see lines like TLS_RSA_WITH_AES_128_GCM_SHA256 or TLS_RSA_WITH_AES_256_CBC_SHA, those are static-RSA suites and need to go.

You can also check a single negotiated session with:

openssl s_client -connect yourdomain.com:443 -cipher 'AES256-SHA' </dev/null

If that command succeeds, your server still accepts a static-RSA suite. After the fix, it should fail with a handshake error (which is the desired behavior).

Common pitfalls

• Older Java clients. Some Java 7 / early Java 8 clients default to a cipher preference list that prefers static-RSA suites and will fail to connect to an ECDHE-only server. The fix is on the client side (upgrade JDK, or set https.cipherSuites), but you’ll see breakage if those clients matter to you.
• Embedded devices and IoT. Some IoT firmware shipped with hard-coded static-RSA cipher preferences and is not updatable. If you have a known fleet of these, plan a migration before hard-disabling static RSA on the server side.
• Old payment terminals and POS gear. PCI-flagged equipment in particular sometimes holds onto ancient TLS clients. Check with your processor before tightening.
• “I’m on TLS 1.3, why do I still see static-RSA suites in nmap?” TLS 1.3 cipher suites are a separate list from TLS 1.2’s. If you support both protocol versions, the 1.2 cipher list still has to be pruned independently — being on 1.3 doesn’t auto-disable static-RSA on the 1.2 side.

Further reading

• RFC 8446 §1.2 — TLS 1.3, Major differences from TLS 1.2 — the section that explains why static RSA was removed.
• Cloudflare — Why TLS 1.3 isn’t in browsers yet (and harvest-now-decrypt-later) — the canonical write-up on the recording threat.
• Mozilla SSL Configuration Generator — drop-in cipher lists for Nginx, Apache, HAProxy, and others, all FS-only.
• Related: Post-quantum key exchange — the next-generation answer to harvest-now-decrypt-later, layered on top of forward secrecy.