Perfect Forward Secrecy Checker — PFS Verification

Verify ECDHE or DHE key exchange for perfect forward secrecy.

The Perfect Forward Secrecy (PFS) Checker confirms that a server uses ephemeral key exchange—typically ECDHE or DHE—so that each session has a unique key. If the server's long-term key is later compromised, past traffic cannot be decrypted. The tool connects and reports the key exchange method; if you see ECDHE or DHE in the negotiated cipher suite, PFS is in use. TLS 1.3 mandates PFS; for TLS 1.2, ensure your server is configured to prefer ephemeral key exchange and avoid static RSA key exchange for confidentiality.
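The check described above, as an added example (not the tool's own code): it connects with Python's standard `ssl` module, reads the negotiated protocol and cipher suite, and classifies the key exchange. The function names and the sample suite names in the comments are assumptions made for illustration.

```python
import socket
import ssl
import sys

# OpenSSL omits the key exchange field for static RSA suites
# (e.g. AES128-GCM-SHA256), so such names start with the bulk cipher.
BULK_PREFIXES = ("AES", "CAMELLIA", "DES", "RC4", "SEED", "ARIA", "IDEA", "NULL")

def key_exchange(cipher, version):
    """Return (key exchange label, forward_secret) for a negotiated suite.

    Accepts OpenSSL-style names (ECDHE-RSA-AES128-GCM-SHA256) and
    IANA-style names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256).
    """
    if version == "TLSv1.3":
        # TLS 1.3 suite names carry no key exchange field; per the text
        # above, TLS 1.3 only allows ephemeral key exchange.
        return ("(EC)DHE (TLS 1.3)", True)
    name = cipher.upper().replace("-", "_")
    if name.startswith("TLS_"):
        name = name[4:]
    kx = name.split("_WITH_")[0].split("_")[0]
    if kx in ("ECDHE", "DHE"):
        return (kx, True)
    if kx in ("ECDH", "DH"):
        # Fixed (non-ephemeral) Diffie-Hellman: one missing letter, no PFS.
        return (kx + " (static)", False)
    if kx == "RSA" or kx.startswith(BULK_PREFIXES):
        return ("RSA (static)", False)
    return ("other: " + kx, False)  # unrecognized: do not claim PFS

def check_pfs(host, port=443, timeout=5.0):
    """Handshake with host and report the negotiated key exchange."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher, version = tls.cipher()[0], tls.version()
    kx, pfs = key_exchange(cipher, version)
    return {"host": host, "version": version, "cipher": cipher,
            "key_exchange": kx, "pfs": pfs}

if __name__ == "__main__":
    # Usage: python pfs_check.py your.server.example
    if len(sys.argv) > 1:
        print(check_pfs(sys.argv[1]))
```

A single handshake reports only the suite the server picked from this client's offer. To confirm that static RSA is actually disabled, review the server's configured cipher list as well.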

Frequently Asked Questions

What is perfect forward secrecy?

With perfect forward secrecy, session keys are ephemeral, so compromise of the server's long-term key does not reveal past session traffic.

How do I get PFS?

Use cipher suites with ECDHE or DHE key exchange; TLS 1.3 provides PFS by design.

Is RSA key exchange bad?

Static RSA key exchange does not provide PFS; prefer ECDHE/DHE for forward secrecy.

Does TLS 1.3 have PFS?

Yes. TLS 1.3 only allows ephemeral key exchange, so all 1.3 connections have PFS.

What if PFS is not supported?

Update server TLS config to enable and prefer ECDHE/DHE cipher suites, or move to TLS 1.3.
