[seiji]

Good to see my conclusions from two years ago still hold: http://matt.io/technobabble/hivemind_devops_alert:_nginx_doe... (or its HN thread meritt kindly dug up: https://news.ycombinator.com/item?id=2759596)

Sadly, these days we want PFS everywhere to stop the snooping apparati, but if you're not really important and just want to stop local network or MiTM snooping, removing PFS should be okay (at least for my boring sites).

[JshWright]

With ECDHE cipher suites, you can get the best of both worlds.