A Small Orange Now Supports Forward Secrecy

eyecon-black-200A Small Orange is committed to keeping our customers’ information safe and secure, so we’re quite pleased to share that we now support Forward Secrecy across our Secure Socket Layer (SSL) offerings for shared and business shared products. We have also updated our provisioning templates to ensure our Cloud and Dedicated server customers receive Forward Secrecy support.

If you signed up for a Cloud or Dedicated server in the last 3 months, chances are you have forward secrecy support and can begin to utilize it simply by installing an SSL certificate. For customers on all other product lines, we have you covered and Forward Secrecy support is something we manage for you.

Why is Forward Secrecy Important?

To understand why Forward Secrecy is important, we first need to understand how the current HTTPS (SSL/TLS) implementation puts you at risk. Bear with us for a moment for a quick primer on secure web communication.

When you initiate a connection to a secure HTTPS (SSL/TLS) web site, your web browser is conducting a complex set of exchanges with the web site to establish the secure connection. This exchange happens transparently and very fast, in hundredths of a second, but is very important in determining the degree to which your privacy is protected.

All web sites that are powered by HTTPS (SSL/TLS) utilize a secret key that only the web server knows and uses to encrypt all subsequent communication. From this “secret key” is generated a “session key” that is communicated between the web site and your web browser to allow your browser to understand the otherwise encrypted and indecipherable communication from the web sites secure HTTPS address.

In a perfect world, this post would end around here, you’ve established a secure connection to a web site (such as https://blog.asmallorange.com) and your privacy is protected. However, rarely are things that simple.

There exists a long known flaw to the current implementation of HTTPS (SSL/TLS) communications on the Internet today. If the web site you are communicating with ever has their “secret key” disclosed, compromised or otherwise becomes available to attackers or organizations conducting Internet surveillance (insert 3 letter acronyms here), all the recorded communications you have ever conducted with said web sites can be decrypted and read in plain human readable text. This scenario is not hypothetical and exists in the real world today. There are more than just a handful of instances of web site secret key disclosures (both compromised and legally compelled disclosures) along with cryptographic flaws which put our privacy at risk online.

How does Forward Secrecy protects me?

The use of forward secrecy, is a protocol feature within modern HTTPS (SSL/TLS) implementations that exist today. It is not new and has been around for a little while, however it gained significant prominence recently due to 2013’s Global Surveillance disclosures.

When you communicate with HTTPS (SSL/TLS) web sites that support Forward Secrecy, they protect your communication by constantly changing the secret keys used to encrypt data between the web site and your web browser. This constant ratcheting of the keys with Forward Secrecy web sites ensures that if the secret key on the web site you are communicating with is ever compromised or disclosed, that it can not be used to decipher previously recorded information you may have had with the web site, ensuring your privacy is maintained.

How can I verify my website or web host supports Forward Secrecy?

ssllabs_gradeThere is currently an excellent service offered by Qualys that provides an SSL grading system and scanning tool for websites available at SSL Labs.com. This scanning service requires no signup, costs nothing and takes only a minute to run on any HTTPS (SSL/TLS) enabled web site.

The straight forward grading system makes it clear to separate secure from insecure web sites. With anything graded an A rating (A-, A, A+) generally being considered secure, sites with a B rating considered secure but not optimally configured and sites rated C, D, E or F falling into the insecure category or those with glaring configuration issues.

A recent change by Qualys to the SSL grading system now preferences sites with Forward Secrecy support as a pre-requisite for an A or A+ rating, any site that does not support Forward Secrecy is automatically capped at an A- rating. As such, if your web host or sites you communicate with regularly do not rate an A or A+ grade, then they are not using Forward Secrecy.

You can further verify that Forward Secrecy is provided by scrolling to the bottom of SSLLabs server test reports and checking to ensure “Robust” Forward Secrecy support is provided by the web server.


We challenge you to test your web host, if they are putting your privacy first by supporting Forward Secrecy and if they are making the grade. You should accept nothing less than an A in our opinion.

Find out more about Forward Secrecy and Internet Surveillance

We take pride at A Small Orange in being one of the, if not, the first web host to offer robust Forward Secrecy support to our customers and also take part in grass roots initiatives such as “The Day We Fight Back” campaign to end mass surveillance along with our past position on SOPA/PIPA.

There have been a number of high profile web sites that have recently implemented Forward Secrecy support, such as Twitter and Github along with the planned implementation by Yahoo Mail and Microsoft Live/Outlook.com. This is in addition to an array of web sites, such as Google services (e.g: gmail, docs etc..)  and many others that offer “some” support for Forward Secrecy. The “some” part is relative to if you are using a modern web browser (read: up to date) then you can leverage Forward Secrecy with their services.

You can find some additional reading on Forward Secrecy at the following web sites:


Along with these web sites that are committed to Internet privacy and stopping Internet surveillance:



  1. […] indicated in A Small Orange’s Blog post on the topic, you are recommended now to ensure that your site meets at least the A Grade if you are […]

    A Small Orange Now Supports Forward Secrecy - Best Host News
  2. How about supporting Strict Transport Security (HSTS) too please?

    • STS has no server side dependency and can be configured within a htaccess file in the following manner:

      To force STS for the top level domain:
      Header set Strict-Transport-Security “max-age=16070400”

      Or, to force STS for top level domain and subdomains (use with caution!):
      Header set Strict-Transport-Security “max-age=16070400; includeSubDomains”

Comments are closed.