Notifications
Clear all
Topic starter
25/06/2026 10:37 pm
TL;DR: Google’s plan to deprecate DHE-based cipher suites in Chrome reflects a wider move away from weak or legacy TLS settings, with Chrome observing 95% of DHE connections still using 1024-bit groups and forward secrecy already dependent on ECDHE, according to DigiCert. The practical lesson is that transport security now depends as much on cipher lifecycle governance as on certificate issuance.
NHIMG editorial — based on content published by DigiCert: Google Plans to Deprecate DHE Cipher Suites
By the numbers:
- 95% of DHE connections continue to use 1024-bit DHE.
Questions worth separating out
Q: How should teams handle DHE cipher deprecation in production TLS environments?
A: Teams should inventory every TLS endpoint that still negotiates DHE, confirm ECDHE support, and test handshake behaviour before browser policy changes take effect.
Q: Why does deprecating DHE matter if certificates are still valid?
A: A valid certificate does not guarantee a secure session if the handshake negotiates a weak or outdated cipher suite.
Q: When should security teams prioritise cipher suite updates over other TLS work?
A: Teams should prioritise cipher suite updates when browser vendors, libraries, or platform baselines begin retiring legacy algorithms that services still depend on.
Practitioner guidance
- Audit all TLS endpoints for DHE negotiation paths Identify every public and internal service that still accepts DHE-based cipher suites, then verify whether ECDHE is already enabled and preferred in each environment.
- Tie cipher retirement to certificate lifecycle work Add cipher suite review to certificate renewal and service change workflows so that cryptographic defaults are checked before new browser behaviour affects production traffic.
- Measure forward secrecy at the service layer Validate that critical services actually negotiate ECDHE and not legacy DHE, because a valid certificate does not guarantee forward secrecy if the handshake path is outdated.
What's in the full article
DigiCert's full post covers the operational detail this post intentionally leaves for the source:
- Chrome 49 handshake behaviour and the exact fallback sequence when DHE is no longer offered first
- The browser compatibility implications of moving from DHE to ECDHE across real-world server fleets
- The practical reconfiguration changes needed on servers that still depend on DHE-based cipher suites
👉 Read DigiCert’s analysis of Google’s plan to deprecate DHE cipher suites →
DHE cipher deprecation: what it means for TLS teams?
Explore further
25/06/2026 11:14 pm
Cryptographic deprecation is a governance event, not a browser quirk. When a major browser removes DHE from the initial handshake, it is enforcing a security baseline that many servers have not yet matched. That creates operational exposure for teams that still rely on legacy cipher negotiation, especially where ownership of TLS settings is fragmented between platform, application, and infrastructure groups. The practitioner conclusion is that cipher lifecycle decisions belong in governance, not ad hoc remediation.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, which shows that technical policy changes still depend on human execution quality.
A question worth separating out:
Q: What is the difference between certificate renewal and TLS cipher governance?
A: Certificate renewal replaces trust material, while TLS cipher governance controls how that trust is used during negotiation. A service can have a current certificate and still use weak or deprecated ciphers. Teams need both disciplines because browser deprecation often breaks the handshake path rather than the certificate itself.
👉 Read our full editorial: Google's DHE deprecation and the shift to ECDHE
