by sonotmyname 1984 days ago
> If in the future there was some method to crack the TLS or the appropriate keys/certs were leaked, any recorded traffic could be retroactively cracked.

This is incomplete. TLS does allow for ciphers that enable Perfect Forward Secrecy (PFS) to prevent this. Those ciphers are not the most commonly used ones, but to describe TLS the way you do implies it's a flaw in TLS.

2 comments

I thought ECDHE or X25519 suites were pretty common these days; I appear to get the latter when connecting to Cloudflare hosts for example.
> This is incomplete. TLS does allow for ciphers that enable Perfect Forward Secrecy (PFS) to prevent this.

Sure, it was simplified. I can't remember exactly what the support was like for PFS. And given it probably requires an additional exchange for DH, I imagine it would be disabled for resource reasons.

Apparently TLS 1.3 only supports cipher suites with ephemeral key exchange: https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/
There is this study back from 2013 (claimed by OP early days of da internetz) which says that out of 1M top sites, 74.5% of those that support SSL/TLS also supported DH/DHE (supported the perfect forward secrecy).

It was a substantial rise compared to the 2006 survey, which got 57.5%.

AFAIK the contemporary browser versions preferred DH/EDH as soon as they got them.

https://blkcipher.pl/assets/pdfs/ecc-pfs.pdf
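The thread's distinction between suites that give forward secrecy (ECDHE/DHE, and every TLS 1.3 suite) and those that do not (static RSA key transport) can be checked against a real cipher list. The following is an added example, not code from anyone in the thread: it uses the `kea` (key exchange) field that Python's `ssl.SSLContext.get_ciphers()` reports for each enabled suite, falls back to the OpenSSL suite name when that field is missing, and can audit an OpenSSL cipher string such as one lifted from a server config. The constructed sample list in `SAMPLE_CIPHERS` mimics that dict shape.

```python
import ssl

# Key-exchange families as reported by SSLContext.get_ciphers() under "kea".
# Ephemeral (EC)DH derives a fresh session key, so a leaked long-term key
# cannot decrypt recorded traffic; static RSA/ECDH/DH key exchange can.
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe"}
STATIC_KX = {"kx-rsa", "kx-ecdh", "kx-dh"}


def forward_secret(cipher):
    """Return True if a get_ciphers()-style dict describes a forward-secret suite."""
    if cipher.get("protocol") == "TLSv1.3":
        return True  # TLS 1.3 removed every non-ephemeral key exchange
    kea = cipher.get("kea")
    if kea in EPHEMERAL_KX:
        return True
    if kea in STATIC_KX:
        return False
    # Fallback on the OpenSSL name: ECDHE-/DHE-/EDH- prefixes are ephemeral,
    # TLS_ is the TLS 1.3 naming style; anything else (e.g. AES128-SHA) is static RSA.
    return cipher.get("name", "").startswith(("ECDHE-", "DHE-", "EDH-", "TLS_"))


def audit(ciphers):
    """Split a cipher list into (forward-secret names, non-forward-secret names)."""
    fs = [c["name"] for c in ciphers if forward_secret(c)]
    non_fs = [c["name"] for c in ciphers if not forward_secret(c)]
    return fs, non_fs


def audit_cipher_string(openssl_cipher_string):
    """Audit an OpenSSL cipher string (e.g. copied from a server config)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(openssl_cipher_string)
    return audit(ctx.get_ciphers())


# Constructed sample mirroring the dict shape of get_ciphers(); not real output.
SAMPLE_CIPHERS = [
    {"name": "TLS_AES_128_GCM_SHA256", "protocol": "TLSv1.3", "kea": "kx-any"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe"},
    {"name": "DHE-RSA-AES256-SHA", "protocol": "TLSv1.2", "kea": "kx-dhe"},
    {"name": "AES128-SHA", "protocol": "TLSv1.2", "kea": "kx-rsa"},
]

if __name__ == "__main__":
    print("sample:", audit(SAMPLE_CIPHERS))
    # Live check of this interpreter's default client cipher list.
    print("default context:", audit(ssl.create_default_context().get_ciphers()))
```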