by abrodersen 3457 days ago
Browser vendors should show a security warning when encountering this behavior. Default configurations of all software must be to disallow. The burden should be on the enterprise to configure their client devices to allow MITM.
2 comments

This theoretically seems like a good way to alert users, but what exactly would you even tell users? Most users barely understand past "make sure the padlock is there" – and many more technical users that I've observed don't even understand SSL warnings apart from "it's still SSL, make the warning go away" – so showing a prompt about something even more obscure, like static key exchange, will be lost on all but the most advanced security people.

There are already plenty of ways for enterprises to get around this, like having their own CA and deploying that as a trusted CA to their machines. Then they can issue certs that their proxies could use, and their machines would just trust those certs.

Why don't they just use that method?

The same thing you do with any other invalid configuration like SHA1 or expired certificates. Show a warning and a big red x through the padlock.

"The enterprise" already controls the servers (otherwise, they wouldn't be able to configure a static ECDH key on them). Having control of the servers is already equivalent to having full access to the plain text. This only enlarges the security boundary from the server to every machine which could possibly, now or in the future, have access to that static ECDH key. And the default would still be to use a dynamic ECDH key.

Also, how would a browser know it has encountered this behavior? A key might be rotated every few minutes, so just seeing the same key twice is not enough; and the key could be derived from a static key and the TLS nonces, so seeing a different key also means nothing.

That said, I think server vendors should not implement this option. It's too risky, since it could be enabled by accident, incompetence, or malice. It's better to force the few who believe they really need this option to implement it themselves.
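The detection problem raised in the comment above (a client or network monitor can only see that the same server ECDH public key shows up on more than one connection, and a server that derives its per-handshake key from a static secret plus the TLS nonces shows a fresh key every time) can be illustrated with a small simulation. This is an added example, not code from the thread or from any TLS implementation; the observations are constructed byte strings standing in for server key shares, `derive_per_connection_key` is a hypothetical stand-in for a server deriving a scalar from a long-term secret and the two nonces, and the "rotated every few minutes" case is modelled as a new key every `rotate_every` connections.

```python
import hashlib
import hmac
import os


def server_key_reuse(observations):
    """Flag server public keys seen on more than one distinct connection.

    observations: iterable of (connection_id, server_public_key_bytes).
    This is the only heuristic a passive observer has: exact key reuse.
    """
    seen = {}
    for conn_id, pub in observations:
        seen.setdefault(pub, set()).add(conn_id)
    return {pub for pub, conns in seen.items() if len(conns) > 1}


def derive_per_connection_key(static_secret, client_random, server_random):
    """Hypothetical server behaviour: a per-handshake value derived from a
    long-term secret and the two TLS nonces (HMAC-SHA256 as a simple KDF).

    The output stands in for the server's key share. It is different on every
    connection, yet anyone holding static_secret and the nonces (which are
    sent in the clear) can recompute it, so it is no safer than a static key.
    """
    return hmac.new(static_secret, client_random + server_random, hashlib.sha256).digest()


def simulate_static(n):
    # Constructed: one fixed key share reused on every connection.
    static_pub = os.urandom(32)
    return [(i, static_pub) for i in range(n)]


def simulate_rotating(n, rotate_every):
    # Constructed: key share replaced after every rotate_every connections.
    obs, current = [], None
    for i in range(n):
        if i % rotate_every == 0:
            current = os.urandom(32)
        obs.append((i, current))
    return obs


def simulate_nonce_derived(n):
    # Constructed: static secret, but key share derived from fresh nonces.
    static_secret = os.urandom(32)
    return [(i, derive_per_connection_key(static_secret, os.urandom(32), os.urandom(32)))
            for i in range(n)]


def simulate_ephemeral(n):
    # Constructed: genuinely fresh key share per connection.
    return [(i, os.urandom(32)) for i in range(n)]


if __name__ == "__main__":
    for name, obs in [("static", simulate_static(5)),
                      ("rotating every 3", simulate_rotating(6, 3)),
                      ("rotating every 1", simulate_rotating(6, 1)),
                      ("nonce-derived from static secret", simulate_nonce_derived(5)),
                      ("ephemeral", simulate_ephemeral(5))]:
        flagged = server_key_reuse(obs)
        print(f"{name:35s} reused keys flagged: {len(flagged)}")
```

The reuse detector only fires when the observer happens to see the same share twice: a rotated key looks ephemeral if each observer sees at most one connection per rotation window, and the nonce-derived variant is indistinguishable from a fully ephemeral server by inspection, which is exactly the point the comment makes about why a browser cannot reliably warn here.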