
There are two “Ps” with which consumers are concerned these days: performance and privacy. The former is driven by an increasingly mobile world, a platform on which resources – memory, compute, and network – are constrained. The latter is driven by concerns pushed to the top of consumer awareness by sensational news of breaches that invariably lead to one of those letters (or e-mails). They’re like “Dear John” letters, and you feel just as sick inside at receiving one.
Consumers want reassurance that the brands they interact with are doing everything they can to ensure their privacy and the safety of their data. They want it faster, but they want it safer, too.
Now most consumers aren’t intimately familiar with secure protocols and cryptography in the first place. Heck, most IT folks can’t tell you the difference between them. But they don’t need to understand that certain ciphers are insecure (or even how ciphers relate to secure HTTP in the first place), how CA trust works, or how it is that man-in-the-middle attacks actually work. All they need to know is that you’re doing everything you can to make sure that no man gets in the middle of their safe transactions, and that no one is watching every letter they type.
Enter PFS. Perfect Forward Secrecy.
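PFS, of course, is not a cipher or an algorithm, but rather a method of handling keys. It relies on ephemeral (i.e. throw-away) keys that are generated once and only once, per session. In the context of app security, this became significant after Heartbleed was disclosed, as it became possible to “steal” private keys and potentially decrypt transactions. Because PFS derives each session’s keys from those ephemeral keys rather than from the server’s long-term private key, a stolen private key cannot be used to decrypt sessions that were recorded earlier.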
PFS is a lot like one-time, per-person passcodes to a party. Rather than everyone using the same password, each person gets their own, personal, private password that only you, as the host, can validate as authentic. That means even if Bob shares his password with Alice, you know she wasn’t invited because she’s reusing a password.
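In TLS terms, the ephemeral keys described above come from the key exchange named in the negotiated cipher suite. The following Python is an added example, not part of the original article: it classifies cipher-suite names by whether their key exchange is ephemeral and builds a server context restricted to such suites. The function names and the sample cipher list are illustrative assumptions.

```python
import ssl

# Key-exchange tokens that mean a fresh (ephemeral) Diffie-Hellman key per session.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}

def has_forward_secrecy(suite: str) -> bool:
    """Classify a cipher-suite name (OpenSSL or IANA spelling)."""
    tokens = suite.upper().replace("-", "_").split("_")
    # TLS 1.3 suites (e.g. TLS_AES_128_GCM_SHA256) name no key exchange:
    # a full TLS 1.3 handshake always uses ephemeral (EC)DHE.
    if tokens[0] == "TLS" and "WITH" not in tokens:
        return True
    # Static RSA/ECDH/PSK key exchange, and anonymous suites, are rejected.
    return any(t in EPHEMERAL_KX for t in tokens)

def audit(suites):
    """Return the suites whose sessions a stolen long-term key could decrypt."""
    return [s for s in suites if not has_forward_secrecy(s)]

def forward_secret_context() -> ssl.SSLContext:
    """Server-side context limited to ECDHE key exchange (TLS 1.2) plus TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

def enabled_suites(ctx: ssl.SSLContext):
    """Names of every cipher suite the context will offer."""
    return [c["name"] for c in ctx.get_ciphers()]

# Constructed sample: a legacy cipher list as it might appear in a server config.
LEGACY = [
    "ECDHE-RSA-AES128-GCM-SHA256",   # ephemeral ECDH
    "AES256-GCM-SHA384",             # static RSA key exchange
    "TLS_RSA_WITH_AES_128_CBC_SHA",  # static RSA key exchange (IANA name)
    "DHE-RSA-AES256-SHA",            # ephemeral finite-field DH
    "ECDH-RSA-AES128-SHA",           # static ECDH, not ephemeral
    "TLS_AES_256_GCM_SHA384",        # TLS 1.3
]

if __name__ == "__main__":
    print("no forward secrecy:", audit(LEGACY))
    print("hardened context gaps:", audit(enabled_suites(forward_secret_context())))
```

The same `audit` call can be pointed at the suite list exported from a load balancer or web server configuration to find entries that still permit static key exchange.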

The mechanics aren’t as important as the reassurance it provides to consumers that you’re serious about ensuring privacy of their data. Consider a 2016 survey conducted by Baymard Institute on the topic. Of the reasons given for abandonment during checkout, 18% stated they “didn’t trust the site with my credit card information.” The same survey tested perception of trust of various “seals” placed on sites and noted with surprise that in 2016 the most “trust” inspiring seals were trust seals, not SSL seals. These seals were not necessarily industry standard or recognized, either. Many were simply an iconic representation of the effort being made by the company to ensure the safety of consumer data and transactions.
Perfect Forward Secrecy (PFS) is a technical method that provides greater safety for transactions due to its “personal” nature. By adopting PFS and letting consumers know you’ve taken steps to increase the safety of transactions through technology, you engender a greater degree of trust and potentially reduce the negative impact of abandonment on the bottom line.
The fear on the business side is, of course, that increasing safety often comes at the cost of decreasing performance. After all, generating keys on a per-session basis can be taxing on the infrastructure and application. The result is often slower apps that are just as frustrating to consumers and also cause lost revenue.
To combat that, it’s recommended that you implement PFS with the right service; one that’s upstream from the servers and provides greater scale and performance because it’s purpose built to handle the taxing cryptographic calculations required to provide for consumer safety. Such purpose-built security services are designed to take advantage of specialized hardware (in both custom and commercial hardware) that speeds up the calculations and improves performance to ensure consumers have a safer and faster experience.
PFS is a good way not only to protect consumers, but corporate assets, as well. It increases the cost of obtaining private information and makes you a less appealing target to attackers, whilst simultaneously assuring consumers that you care about the safety of their personal, private data enough to use the latest technology to keep it personal and private.
Privacy matters, but so does performance. Safety doesn’t have to come at the expense of speed. Performance can be maintained even when adopting higher standards of security if care and consideration are taken in its implementation to select the right services, in the right architectural location.
