From Tim Polk:

Paragraph 2:

OLD
While ephemeral (EC) Diffie-Hellman is in nearly all ways an
improvement over the TLS RSA handshake, the use of these mechanisms a
limitation in certain enterprise settings. Specifically, the use of
ephemeral ciphersuites that provide Forward Secrecy is not compatible
with enterprise network monitoring tools such as the use of Intrusion
Detection Systems (IDS) and application monitoring systems to
passively monitor intranet TLS connections made between endpoints
under the enterprise's control.

NEW
While ephemeral (EC) Diffie-Hellman is in nearly all ways an
improvement over the TLS RSA handshake, the use of these mechanisms a
limitation in complicates certain enterprise settings. Specifically, the use of
ephemeral ciphersuites that provide Forward Secrecy is not compatible
with current enterprise network monitoring tools, such as the use of Intrusion
Detection Systems (IDS) and application monitoring systems, to
which leverage the current TLS RSA handshake to passively monitor intranet TLS connections made between endpoints
under the enterprise's control.
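The point of the proposed wording is the mechanism behind it: with the TLS RSA handshake the client encrypts the premaster secret to the server's long-term key, so a passive monitor that has been given that private key can recover every session key; with (EC)DHE the same private key only signs the ephemeral share, and the premaster secret depends on a value that never crosses the wire. The following is an added illustration of that asymmetry, not code from Tim Polk's message or from the draft under discussion. It assumes constructed toy parameters (small RSA modulus, a 255-bit DH modulus, textbook unpadded RSA, and an HMAC stand-in for the TLS PRF) purely so it runs offline with the standard library; none of these are real TLS sizes or primitives.

```python
"""
Toy model: a passive monitor holding the server's RSA private key can
derive session keys from an RSA key-transport handshake but not from a
DHE handshake, where the RSA key only signs the ephemeral share.
All parameters below are constructed for illustration (assumption):
far too small and too simplified for real use.
"""
import hashlib
import hmac
import secrets

# --- constructed toy server RSA key (assumption: not a real key size) ---
RSA_P = 2**61 - 1                       # Mersenne prime
RSA_Q = 2**89 - 1                       # Mersenne prime
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # modular inverse, Python 3.8+

# --- constructed toy finite-field DH group (assumption: no safe-prime check) ---
DH_P = 2**255 - 19                      # a known prime, used here only as a modulus
DH_G = 2


def to_bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")


def kdf(premaster: int, client_random: bytes, server_random: bytes) -> bytes:
    """Simplified stand-in for the TLS PRF: key = HMAC(premaster, randoms)."""
    return hmac.new(to_bytes(premaster), client_random + server_random,
                    hashlib.sha256).digest()


def _digest_int(msg: bytes) -> int:
    # Reduce the hash below the toy modulus so textbook RSA round-trips.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % RSA_N


def rsa_sign(msg: bytes) -> int:
    return pow(_digest_int(msg), RSA_D, RSA_N)


def rsa_verify(msg: bytes, sig: int) -> bool:
    return pow(sig, RSA_E, RSA_N) == _digest_int(msg)


def rsa_handshake():
    """TLS_RSA_*: the client encrypts the premaster secret to the server key.
    Returns (what the wire shows, client's session key, server's session key)."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    pms = secrets.randbelow(RSA_N - 2) + 2
    ckx = pow(pms, RSA_E, RSA_N)                     # ClientKeyExchange (textbook RSA)
    transcript = {"kx": "RSA", "client_random": cr, "server_random": sr,
                  "client_key_exchange": ckx}
    client_key = kdf(pms, cr, sr)
    server_key = kdf(pow(ckx, RSA_D, RSA_N), cr, sr)  # server decrypts with its key
    return transcript, client_key, server_key


def dhe_handshake():
    """TLS_DHE_RSA_*: the server's RSA key only signs its ephemeral share."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    x = secrets.randbelow(DH_P - 2) + 1               # server ephemeral secret
    y = secrets.randbelow(DH_P - 2) + 1               # client ephemeral secret
    gx, gy = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
    sig = rsa_sign(cr + sr + to_bytes(gx))            # ServerKeyExchange signature
    transcript = {"kx": "DHE", "client_random": cr, "server_random": sr,
                  "server_share": gx, "client_share": gy, "signature": sig}
    client_key = kdf(pow(gx, y, DH_P), cr, sr)        # g^xy from the client side
    server_key = kdf(pow(gy, x, DH_P), cr, sr)        # g^xy from the server side
    return transcript, client_key, server_key


def passive_monitor(transcript: dict, rsa_d: int):
    """An IDS that was handed the server's private key and sees only the wire.
    Returns the session key when it can be derived, otherwise None."""
    cr, sr = transcript["client_random"], transcript["server_random"]
    if transcript["kx"] == "RSA":
        pms = pow(transcript["client_key_exchange"], rsa_d, RSA_N)
        return kdf(pms, cr, sr)
    # DHE: the key pair lets the monitor check the signature on g^x, but the
    # premaster secret g^xy needs x or y, and neither value is on the wire.
    if not rsa_verify(cr + sr + to_bytes(transcript["server_share"]),
                      transcript["signature"]):
        raise ValueError("bad ServerKeyExchange signature")
    return None


if __name__ == "__main__":
    t, ck, sk = rsa_handshake()
    print("RSA kx: monitor recovers key:", passive_monitor(t, RSA_D) == ck == sk)
    t, ck, sk = dhe_handshake()
    print("DHE kx: monitor recovers key:", passive_monitor(t, RSA_D) is not None)
```

Running it shows the two cases side by side: for the RSA handshake the monitor's derived key equals the endpoints' key, while for DHE the monitor can only confirm the signature and comes away with no key, which is exactly why the tools the paragraph describes depend on the RSA handshake remaining in use.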