aeris / cryptcheck

Verify some SSL/TLS website or XMPP implementation
GNU Affero General Public License v3.0

ECDH doesn't seem to enable forward secrecy #14

Closed. bbc2 closed this issue 8 years ago

bbc2 commented 8 years ago

On https://tls.imirhil.fr/ciphers, I can see that cipher suites like ECDH-ECDSA-AES256-GCM-SHA384 have the PFS badge. However, unlike suites using ECDHE, they don't seem to enable forward secrecy because the server certificate is supposed to contain a Diffie-Hellman key [1]. Therefore, if you compromise the server at a later time, I think you can recover the exchanged secret from the server DH private key and the (optionally ephemeral [2]) client DH public key sent on the wire.

That's not a proof but I guess it makes this ECDH algorithm worthy of further investigation, to remove the PFS badge if necessary.

[1] https://tools.ietf.org/html/rfc4492#section-2.1
[2] https://tools.ietf.org/html/rfc4492#section-3.2
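One way to derive the forward-secrecy badge from the OpenSSL cipher-suite name rather than from a hand-maintained list, as an added example in Ruby (the language cryptcheck is written in) that is not the project's own code: in OpenSSL naming, the leading token says which key exchange is used, and only the ephemeral variants (`ECDHE`, `DHE`/`EDH`, and their anonymous forms) give forward secrecy, while plain `ECDH`/`DH` (static key in the certificate, RFC 4492 section 2.1) and RSA key transport do not. The prefix table, the `classify`/`forward_secrecy?`/`mislabelled_badges` helpers and the sample badge list are constructed for illustration.

```ruby
# Added example (not cryptcheck's code): decide whether an OpenSSL cipher-suite
# name offers forward secrecy from its key-exchange prefix.
#
# Rationale: with ECDHE/DHE a fresh (EC)DH key pair is generated per handshake,
# so a server key compromised later cannot recover old session keys. With
# static ECDH/DH the server's (EC)DH private key lives in the certificate, so
# leaking it exposes every past session whose client public key was captured
# on the wire. RSA key exchange encrypts the premaster secret to the
# certificate key and has the same weakness.

# Leading token of the OpenSSL name => [key exchange, forward secrecy?]
# (constructed table; the symbols are local names, not OpenSSL identifiers)
KEX_PREFIXES = {
  'ECDHE' => [:ecdhe,      true],
  'DHE'   => [:dhe,        true],
  'EDH'   => [:dhe,        true],   # older alias for DHE (e.g. EDH-RSA-DES-CBC3-SHA)
  'AECDH' => [:ecdhe_anon, true],   # anonymous: ephemeral but unauthenticated
  'ADH'   => [:dhe_anon,   true],
  'ECDH'  => [:ecdh_static, false], # static ECDH key in the certificate
  'DH'    => [:dh_static,   false], # static DH key in the certificate
  'PSK'   => [:psk,         false], # plain PSK, no (EC)DH contribution
}.freeze

# Returns { kex: Symbol, pfs: true/false } for one suite name.
def classify(suite)
  # TLS 1.3 names (TLS_AES_128_GCM_SHA256, ...) do not encode the key exchange;
  # the protocol always runs an ephemeral (EC)DHE exchange in its default modes.
  return { kex: :tls13, pfs: true } if suite.start_with?('TLS_')

  tokens = suite.split('-')
  # Export suites carry an EXP/EXP1024 marker before the key-exchange token.
  tokens.shift if tokens.first.start_with?('EXP')

  kex, pfs = KEX_PREFIXES[tokens.first]
  # OpenSSL omits the "RSA-" prefix for RSA key transport (e.g. AES128-SHA,
  # NULL-MD5), so any unlisted leading token means RSA key exchange.
  return { kex: :rsa, pfs: false } if kex.nil?

  { kex: kex, pfs: pfs }
end

def forward_secrecy?(suite)
  classify(suite)[:pfs]
end

# Given { suite_name => badge_currently_shown }, return the suites whose
# displayed PFS badge disagrees with the key-exchange analysis.
def mislabelled_badges(badges)
  badges.select { |suite, shown| shown != forward_secrecy?(suite) }.keys
end

# Constructed sample: a badge table containing the suite from the issue.
SAMPLE_BADGES = {
  'ECDHE-RSA-AES128-GCM-SHA256'  => true,
  'ECDH-ECDSA-AES256-GCM-SHA384' => true,  # wrongly badged: static ECDH
  'DHE-RSA-AES256-SHA'           => true,
  'DH-RSA-AES128-SHA256'         => true,  # wrongly badged: static DH
  'AES128-SHA'                   => false,
  'EXP-EDH-RSA-DES-CBC-SHA'      => true,
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_BADGES.each_key do |suite|
    info = classify(suite)
    puts format('%-30s kex=%-11s pfs=%s', suite, info[:kex], info[:pfs])
  end
  puts "Badges to remove: #{mislabelled_badges(SAMPLE_BADGES).join(', ')}"
end
```

Run with `ruby pfs_badge.rb` to list each suite's key exchange and the badges that should be dropped; the two static suites in the sample are the ones flagged.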

aeris commented 8 years ago

Seems you’re right: https://www.openssl.org/docs/manmaster/apps/ciphers.html#CIPHER-STRINGS. I ask a TLS expert for real confirmation.

I will fix this ASAP if confirmed.

aeris commented 8 years ago

OK, confirmed by Ivan Ristic: https://twitter.com/ivanristic/status/667317257270267905

Corrected on prod. Will commit change this evening.

aeris commented 8 years ago

Corrected in 4237a25ab97efbb594733b5bf289409c5eed0a28. Thanks!