[Dylan16807]

> I wonder what the motivation behind that was --- I'm no cryptographer, but setting up what is effectively an anonymous (EC)DH session first seems to provide no extra protection from an active MITM because it's unauthenticated.

So first let's explicitly point out that it stops passive snooping.

Even in the presence of MitM, it provides protection. An attacker can get access to a specific handshake, but the client will know and can kill the connection and alert the user. It can't be done behind the scenes on every connection.