Short answer
Diffie-Hellman is a method where two parties each pick a secret value, exchange public values derived from them, and independently compute the same shared secret — without ever sending the secret itself. An eavesdropper sees only the public values and cannot derive the shared key. ECDHE is the ephemeral, elliptic-curve-based variant, and because the key is new for every session it provides forward secrecy.
The paint analogy
The classic explanation: Alice and Bob agree on a common colour (public). Each secretly mixes in their own colour. They exchange the mixed colours — an eavesdropper sees them but cannot "unmix" the secret colours back out. Finally each mixes their own secret colour into the other's mixture, and both end up with exactly the same final colour. That colour is the shared key, and the eavesdropper cannot reproduce it. Mathematically, "mixing" is modular exponentiation (classic DH) or point multiplication on an elliptic curve (ECDHE).
Why ephemeral is crucial: forward secrecy
The key letter is the E in ECDHE — ephemeral. It means the secret values are used for one session only and then discarded. The consequence is forward secrecy: even if an attacker records all your encrypted traffic today and later steals the server's private key, they still cannot decrypt the recorded traffic. Each session's key is gone forever.
Compare with the old static RSA key exchange (without DH), where the session key was encrypted with the server's long-term key. If that key ever leaked, all previously recorded traffic could be decrypted retroactively. That is why TLS 1.3 removed static RSA key exchange entirely — forward secrecy is now mandatory.
Recognise it in the cipher suite name
ECDHE-RSA-AES256-GCM-SHA384 └──┬──┘ └┬┘ │ └─ RSA = server authenticates with its RSA certificate └─────── ECDHE = key exchange is ephemeral ECDH → forward secrecy
Note: ECDHE (key exchange) and RSA (authentication) are two independent roles. RSA proves the server's identity; ECDHE makes the shared key. A suite without ECDHE/DHE — e.g. a plain RSA key exchange — lacks forward secrecy. See the full breakdown in what is a cipher suite.
DHE vs ECDHE
| DHE (classic) | ECDHE (elliptic curve) | |
|---|---|---|
| Mathematics | Modular exponentiation | Elliptic curves |
| Performance | Slower | Faster |
| Key size for ~128-bit | 3072-bit | 256-bit (P-256) |
| Forward secrecy | Yes | Yes |
| Recommendation | Fallback | Preferred |
The important limitation: DH does not stop a man-in-the-middle
Diffie-Hellman alone protects against a passive eavesdropper but not against an active attacker sitting in the middle. If nobody proves who they are talking to, an attacker can run one DH exchange with the client and another with the server, sitting between them and reading everything. This is exactly why the authentication part of the cipher suite (RSA or ECDSA) is necessary: the server's certificate proves that the DH value the client receives actually came from the real server and not from an attacker. Key exchange and authentication solve two different problems, and you need both.
Why the TLS 1.3 handshake is faster
In TLS 1.2 the ECDHE exchange happens after the client has seen the server's choice, which costs an extra round trip. TLS 1.3 lets the client guess the server's preferred group and send its ECDHE value already in the first message. If it guesses right — which it almost always does, typically X25519 — the key exchange is done in one round trip instead of two. This is a large part of why TLS 1.3 connections feel faster, and it changes nothing about security: the key is still ephemeral and still provides forward secrecy.
Confirm a server uses ECDHE
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \ | grep -E "Cipher|Server Temp Key"
Server Temp Key: X25519 or ECDH, P-256 confirms the connection used ephemeral ECDHE and therefore has forward secrecy. Note: X25519 is a modern, widely used curve specifically for ECDHE key exchange.
How CertControl looks for missing forward secrecy
A server can look secure but still offer a suite without ECDHE as a fallback — and then any client that hits that fallback loses forward secrecy. CertControl records the key exchange method per endpoint and flags servers that still accept non-ephemeral key exchange, so you can close the gap. The negotiation happens in the TLS handshake, and if it fails, our guide to handshake failures helps.
Frequently asked questions
What is forward secrecy in practice?
It is the guarantee that old recorded traffic stays secret even if the server's private key later leaks. Each session uses a new, temporary key that is discarded afterwards, so there is no long-term key that can unlock the past.
What is the difference between DH and DHE?
DHE is the ephemeral variant of Diffie-Hellman — a new key per session. Plain DH with static keys does not provide forward secrecy. In practice you should always use the ephemeral variant, and in TLS that is ECDHE.
Does ECDHE prove the server's identity?
No. ECDHE only makes the shared key. The server's identity is proven separately by the certificate's signature — the RSA or ECDSA part of the cipher suite. The two roles are distinct.
What is X25519?
X25519 is a modern elliptic curve optimised specifically for ECDHE key exchange. It is fast, secure and widely used in TLS 1.3, and is often seen in the "Server Temp Key" line.
Does TLS 1.3 always use forward secrecy?
Yes. TLS 1.3 removed static RSA key exchange entirely, so all key exchange is ephemeral (ECDHE or DHE). Forward secrecy is therefore mandatory in every TLS 1.3 connection.