SSL/TLS Server Refuses PFS Connections
Description
This detector checks whether a web server refuses connections that only offer Perfect Forward Secrecy (PFS) cipher suites. PFS is a critical security feature that ensures past communications remain secure even if the server's private key is compromised in the future. A server that refuses PFS-only connections may force clients to use less secure cipher suites.
Weakness:
133 - Insecure encryption algorithm - Perfect Forward Secrecy
Category: Information Collection
Detection Strategy
• Connect to the server and attempt TLS handshakes for each supported TLS version (except TLS 1.3)
• Send a ClientHello message offering only cipher suites that support Perfect Forward Secrecy (DHE, ECDHE, SRP, ECCPWD)
• A vulnerability is reported if the server explicitly rejects the connection with an alert instead of selecting one of the offered PFS cipher suites
• Each TLS version that results in a connection rejection is included in the vulnerability report
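The decision step in the strategy above (alert versus selected cipher suite, collected per TLS version) can be sketched as follows. This is an added example, not the detector's own code: the function names and the sample records are constructed for illustration, and sending the PFS-only ClientHello itself is assumed to happen elsewhere.

```python
import struct

ALERT, HANDSHAKE, SERVER_HELLO = 21, 22, 2          # TLS record / handshake types
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version",
               71: "insufficient_security"}

def classify_response(data: bytes):
    """Classify the first TLS record received after a PFS-only ClientHello."""
    if len(data) < 5:
        return ("inconclusive", None)
    ctype, _version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        return ("inconclusive", None)               # truncated record
    if ctype == ALERT and length >= 2:
        # Alert body: level(1) description(1)
        return ("rejected", ALERT_NAMES.get(body[1], f"alert_{body[1]}"))
    if ctype == HANDSHAKE and length >= 4 and body[0] == SERVER_HELLO:
        # ServerHello: type(1) len(3) version(2) random(32) sid_len(1) sid suite(2)
        off = 4 + 2 + 32
        if len(body) < off + 1:
            return ("inconclusive", None)
        off += 1 + body[off]                        # skip session id
        if len(body) < off + 2:
            return ("inconclusive", None)
        return ("accepted", struct.unpack("!H", body[off:off + 2])[0])
    return ("inconclusive", None)

def refused_versions(responses: dict) -> list:
    """TLS versions whose PFS-only handshake was answered with an alert."""
    return [v for v, raw in responses.items()
            if classify_response(raw)[0] == "rejected"]

def _server_hello(version: int, suite: int) -> bytes:
    """Build a minimal ServerHello record (constructed sample data)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, version, len(hs)) + hs

# Constructed responses: TLS 1.2 selects ECDHE-RSA-AES128-GCM-SHA256 (0xC02F),
# TLS 1.1 and 1.0 answer with a fatal handshake_failure alert.
SAMPLES = {
    "TLSv1.2": _server_hello(0x0303, 0xC02F),
    "TLSv1.1": struct.pack("!BHHBB", ALERT, 0x0302, 2, 2, 40),
    "TLSv1.0": struct.pack("!BHHBB", ALERT, 0x0301, 2, 2, 40),
}

if __name__ == "__main__":
    print(refused_versions(SAMPLES))
```

A timeout or a truncated record is classified as inconclusive rather than rejected, matching the strategy's requirement that the server explicitly answers with an alert.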