I disagree with RFC6797 on HTTP Strict Transport Security, especially Section 12.1: No User Recourse. If you want to stop users from randomly pressing the big red BYPASS button because they have no clue what they are doing, you might as well stop them from using a computer.
Here we go again (The Logjam Attack):
“We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed:
- Logjam Attack against the TLS Protocol. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. (…)
- Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections. (…) We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. (…) A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.”
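The two findings quoted above come down to two things a server operator can check without any network access: whether export-grade (DHE_EXPORT) cipher suites are still enabled, and how large the Diffie-Hellman prime in the deployed parameter file is. The following is an added example written for this page, not code from the Logjam authors, RFC6797 or any project. It assumes the PKCS#3 layout of a `DH PARAMETERS` PEM block (a DER SEQUENCE of two INTEGERs, prime then generator), parses it with a minimal DER reader, and classifies the prime's bit length using the estimates from the quote (512 broken by the attack itself, 768 within reach of an academic team, 1024 within reach of a nation-state). The moduli it encodes are constructed odd integers of the right bit length to exercise the parser; they are not real groups and are never checked for primality. The cipher-suite list is a constructed sample of OpenSSL- and IANA-style names.

```python
"""Offline checks for Logjam exposure: DH parameter size and export cipher suites."""
import base64
import re
from typing import List, Tuple

PEM_HEADER = "-----BEGIN DH PARAMETERS-----"
PEM_FOOTER = "-----END DH PARAMETERS-----"


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER: minimal big-endian bytes, leading 0x00 if the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_dh_params_pem(p: int, g: int) -> str:
    """Serialise (p, g) as PKCS#3 DHParameter ::= SEQUENCE { prime, base }."""
    body = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give octet count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params_pem(pem: str) -> Tuple[int, int]:
    """Return (p, g) from a DH PARAMETERS PEM block (PKCS#3 layout assumed)."""
    m = re.search(re.escape(PEM_HEADER) + r"(.*?)" + re.escape(PEM_FOOTER), pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs (prime, generator)")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def classify_dh_prime(p: int) -> str:
    """Map the prime's bit length onto the risk tiers quoted from the Logjam authors."""
    bits = p.bit_length()
    if bits <= 512:
        return "export-grade: broken in practice by Logjam's precomputation"
    if bits <= 768:
        return "weak: within reach of an academic team"
    if bits <= 1024:
        return "weak: within reach of a nation-state"
    if bits < 2048:
        return "below 2048 bits: replace with a 2048-bit or larger group"
    return "acceptable: 2048 bits or larger"


def export_suites(suite_names: List[str]) -> List[str]:
    """Flag export-grade suites by OpenSSL ('EXP-...') or IANA ('..._EXPORT_...') naming."""
    return [s for s in suite_names
            if s.upper().startswith("EXP-") or "EXPORT" in s.upper()]


# Constructed sample suite list (not taken from any real server configuration).
SAMPLE_SUITES = [
    "DHE-RSA-AES128-GCM-SHA256",
    "EXP-EDH-RSA-DES-CBC-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
]

if __name__ == "__main__":
    # Constructed 512-bit odd modulus: right size to trigger the export tier, not a real group.
    pem = encode_dh_params_pem((1 << 511) | 1, 2)
    p, g = parse_dh_params_pem(pem)
    print(f"prime bits={p.bit_length()} generator={g}: {classify_dh_prime(p)}")
    print("export suites still enabled:", export_suites(SAMPLE_SUITES))
```

In practice the PEM would come from the server's configured parameter file (e.g. the one OpenSSL's `dhparam` writes) and the suite list from its cipher configuration; both functions run purely offline, so they fit in a configuration lint or a pre-deploy test without touching a live endpoint.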