[bArray]

> This is incomplete. TLS does allow for ciphers that enable

> Perfect Forward Secrecy (PFS) to prevent this.

Sure, it was simplified. I can't remember exactly what the support was like for PFS? And given it probably requires additional exchange for DH, I imagine it would be disabled due to resources reasons.

[johncolanduoni]

Apparently TLS 1.3 only supports cipher suites with ephemeral key exchange: https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/

[kubanczyk]

There is this study back from 2013 (claimed by OP early days of da internetz) which says that out of 1M top sites, 74.5% of those that support SSL/TLS also supported DH/DHE (supported the perfect forward secrecy).

It was a substantial rise comparing to 2006 survey that got 57.5%.

AFAIK the contemporary browser versions preferred DH/EDH as soon as they got them.

https://blkcipher.pl/assets/pdfs/ecc-pfs.pdf