If you’re familiar with VPN protocols, you probably know a thing or two about encryption. For those who don’t, here’s a quick explanation: in order for your data to remain private, VPN protocols transform it into a unique coded language, indecipherable to anyone who does not know the set of rules that were used to scramble it.
That set of rules is known as the key, and as you may have guessed, it is the weak spot in this process. If hackers somehow manage to obtain the key, they can not only intercept, decrypt and record your activity going forward but also use it to decipher any and all previously captured communications and data.
Using Perfect Forward Secrecy means that the key used to encrypt and decrypt information changes frequently. In this scenario, if a key is compromised, only a small portion of the user’s data can be stolen. The damage is determined by how much data was sent under the cracked key, but all past and future messages remain safe.
For maximum security, Perfect Forward Secrecy can be set up to switch keys as frequently as every message in a conversation, every voice call, or every time a user loads a page on their browser.
Security experts also add that, for a maximum level of security, decrypted messages (what you see on the screen) must be deleted or moved to a more secure device.
While several VPN protocols are PFS capable, that doesn’t necessarily mean the feature is on by default; enabling it requires specific configuration on the VPN provider’s end.
The vast majority of VPNs that support OpenVPN connections use forward secrecy by default. With L2TP, on the other hand, it is less common. L2TP is nonetheless PFS capable thanks to IKE and IKEv2, which make a Diffie-Hellman exchange possible.
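To make the key-rotation argument above concrete, here is an added illustration (not code from the original article or from any VPN product) of why a per-session Diffie-Hellman exchange limits the damage of a leaked key: each session derives a fresh key from throwaway private values, so a key recovered from one session decrypts only that session. The group parameters, the hash-based keystream and the message strings are constructed toy values, chosen only to keep the example self-contained.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (constructed for illustration only; real protocols
# use standardised groups, e.g. the RFC 3526 MODP groups or X25519).
P = 2**127 - 1  # Mersenne prime M127
G = 2


def ephemeral_keypair():
    """Fresh private exponent and matching public value for ONE session."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_session_key(my_priv, peer_pub):
    """Both sides compute g^(ab) mod p and hash it into a 32-byte key."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def _keystream(key, length):
    """Toy hash-counter keystream (illustration only, not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, data):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


decrypt = encrypt  # XOR stream: the same operation in both directions


def run_session(message):
    """One PFS-style session: new ephemeral keys on both ends, then discarded."""
    c_priv, c_pub = ephemeral_keypair()
    s_priv, s_pub = ephemeral_keypair()
    k_client = derive_session_key(c_priv, s_pub)
    k_server = derive_session_key(s_priv, c_pub)
    assert k_client == k_server  # both sides agree without sending the key
    # Private exponents go out of scope here; only the ciphertext is on the wire.
    return k_client, encrypt(k_client, message)


def forward_secrecy_demo():
    """Attacker learns the key of session one only; session two stays opaque."""
    k1, ct1 = run_session(b"session one: page load")
    k2, ct2 = run_session(b"session two: voice call")
    return decrypt(k1, ct1), decrypt(k1, ct2), k1 != k2
```

With a single long-lived key in place of `run_session`'s ephemeral pair, the same `decrypt(k1, ct2)` call would succeed, which is exactly the exposure the article describes.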