
https://www.decadent.org.uk/ben/blog/securing-wwwdecadentorguk.html

I read the above blog post.

https://www.ssllabs.com/ssltest/

I tested the LUV web site with the above URL and got A-.

https://blog.qualys.com/ssllabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

I followed the advice at the above URL and got B!

https://blog.qualys.com/ssllabs/2013/03/19/rc4-in-tls-is-broken-now-what

From the comments on the above blog post it seems that the only way to have PFS and not be vulnerable to other issues is to require TLS 1.2.

The browser that is built in to Android (which is going to be a long-term issue as some people will use it until their phone breaks) only supports TLS 1.2 in Android 5.0 and above. The Samsung Galaxy Note 2 is currently not supported for Android 5.0 while the Galaxy Note 3 is. The Note 2 is still quite a decent phone.

https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browse...

The above page has TLS/SSL support of various browsers. If we require TLS 1.2 we exclude:

The default Android browser before Android 5.0. Admittedly that browser always sucked badly and probably has lots of other security issues.

Chrome versions before 30 didn't support it. But version 30 was released in 2013 and Google does a good job of forcing upgrades. A Debian/Wheezy system I run is now displaying warnings from the google-chrome package saying that Wheezy is too old and won't be supported for long!

Firefox before version 27 didn't support it (the Wikipedia page is unclear about versions 27-31). 27 was released in 2014. Debian/Wheezy has version 38, Debian/Squeeze has Iceweasel 3.5.16 which doesn't support it. Would it be reasonable to assume that anyone who's still using Squeeze is using it for a server?

IE version 11 supports it and runs on Windows 7+ (all supported versions of Windows). IE 10 doesn't support it and runs on Windows 7 and Windows 8. Are the free upgrades from Windows 7 to Windows 10 going to solve this problem?

Windows mobile doesn't have enough users to care about.

Opera supports it from version 17. This is noteworthy because Opera used to be good for devices running older versions of Android that aren't supported by Chrome.

Safari supported it from iOS version 5, I think that's a solved problem there.

Is breaking support for Debian/Squeeze, the built in Android browser on Android <5.0, and Windows 7 and 8 systems that haven't upgraded IE as a web browsing platform a reasonable trade-off for implementing the best SSL security features?

For the LUV server as a stand-alone issue the answer would be no as the only really secret data there is accessed via ssh. For a general web infrastructure issue it seems that the answer might be yes.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
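
An added example, not part of the original message: one way to put a number on the trade-off asked about above is to classify the User-Agent strings in a web server's access log against the browser cutoffs listed in the message. The User-Agent patterns, the function names and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# Minimum browser versions with TLS 1.2, as listed in the message above.
# Firefox 27-31 is described there as unclear; 27 is assumed as the cutoff.
CHECKS = [  # (regex capturing a major version, minimum version); first match wins
    (r"OPR/(\d+)", 17),                       # Chromium-based Opera
    (r"^Opera/(\d+)", 17),                    # Presto Opera reports 9.80: excluded
    (r"Android (\d+)[\d.]*;.*Version/", 5),   # built-in Android browser
    (r"Chrome/(\d+)", 30),
    (r"(?:Firefox|Iceweasel)/(\d+)", 27),
    (r"Trident/.*rv:(\d+)", 11),              # IE 11 dropped the MSIE token
    (r"MSIE (\d+)", 11),
    (r"OS (\d+)_\d.*like Mac OS X", 5),       # Safari and other iOS browsers
]

def supports_tls12(ua):
    """True/False per the table above, None if the User-Agent is not recognised."""
    for pattern, minimum in CHECKS:
        m = re.search(pattern, ua)
        if m:
            return int(m.group(1)) >= minimum
    return None

def tally(log_lines):
    """Count requests by TLS 1.2 capability from combined-format access log lines."""
    counts = Counter()
    for line in log_lines:
        fields = re.findall(r'"([^"]*)"', line)  # request, referer, user-agent
        verdict = supports_tls12(fields[-1]) if len(fields) >= 3 else None
        counts[{True: "ok", False: "excluded", None: "unknown"}[verdict]] += 1
    return counts

# Constructed sample data: documentation address, made-up requests.
_UAS = [
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20111108 Iceweasel/3.5.16 (like Firefox/3.5.16)",
    "Mozilla/5.0 (Linux; U; Android 4.1.2; en-au; GT-N7100 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "curl/7.38.0",
]
SAMPLE = ['203.0.113.7 - - [01/Jan/2016:10:00:00 +1100] "GET / HTTP/1.1" 200 512 "-" "%s"' % ua
          for ua in _UAS]

if __name__ == "__main__":
    print(tally(SAMPLE))
```

User-Agent strings are supplied by the client, so the counts are an estimate of who would be excluded rather than a measurement of negotiated protocol versions.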