by iso1631 2104 days ago
> variant of TLS 1.2 that most people have deprecated long ago.

I agree with most of your post, but not this part. 1.2 is still out there on a large number of sites, but even worse, 1.0 and 1.1 are there on many of the most popular sites. Google.com for example, despite all major browsers now having deprecated 1.0 and 1.1.

1 comments

It's true that most sites support TLS 1.2, but between clients and servers the no-FS RSA kex is rarely negotiated. Any vaguely modern browser can do better given the opportunity and only a very small fraction of sites that do TLS 1.2 (and so would actually talk to a modern browser out of the box) don't prefer ECDHE.

My guess is that we're a year or three, or one major related security incident from browsers either removing RSA kex or gating it behind default-off enterprise feature switches. We know it's a bad idea, but a bunch of organisations that lay people think of as "secure" (like banks) do it anyway, mostly for really stupid reasons. If an incident makes it necessary to pick between real security versus imagined, the browsers are going to pick real as they have before, even if that means First Bank of Springfield doesn't work in your browser. Normal churn means the banks are slowly adopting forward-secret capable upgrades anyway, so that's where my other timeline comes from. Three years from now products that once treated RSA kex as the bee's knees will have aged out, capex justification to replace them is just "it's rusted" rather than explaining to somebody who controls your budget that you picked a deliberately poor key exchange method because you're bad at your job and trusted a salesperson.