Small clarification: As Ryan Sleevi pointed out over Twitter, it may sound a lot like I'm giving advice and discouraging the use of session tickets. I don't want to encourage anyone to disable session tickets and make TLS so slow that they're switching back to HTTP for good. Having TLS without PFS is a lot better than having no TLS. The post was mainly written to explore options and show that there are tradeoffs to think about with current setups, especially if you're interested in going all the way and provide PFS.
No comments yet.