Adam Back <adam@cypherspace.org> wrote:
> Forward secrecy is a good step, and it's confusing why not everyone is using it.
At a guess, I'd say a mix of laziness, inconsistent (client and server) software support, and worries about additional CPU overhead. Really high-traffic sites are incentivized to use the least resource-intensive SSL algorithms they can, and generally speaking the forward secrecy algorithms take more CPU time and more entropy for key exchange. How many web servers these days are running on VMs like AWS, where entropy is a precious resource?

Apache 2.2 and earlier, without specific patches, didn't support forward secrecy for a majority of browsers. I had to pull Apache 2.4 out of Sid on the cpunks.org machine to get forward secrecy working with all modern browsers.

Speaking of browsers, there are still a huge number of really old browsers out there that won't or can't (corporate policy, et cetera) be updated any time in the near future. Turning off non-FS algos breaks SSL for a *lot* of people.

Oh, and don't forget, OpenSSL 0.9.8(ish) and before didn't support the FS algorithms. So the many servers where OpenSSL isn't getting upgraded any time soon can't do it either.

Even if you do happen to have a conforming version of the appropriate software server-side, you've still got to worry about actually setting up the key order preferences appropriately. Few if any vendors are shipping default configs that enable FS. At least this last one is something we stand a chance of changing, though: perhaps a start would be to submit bugs against the web server packages from the usual suspects (Debian et al.) asking them to turn on forward secrecy by default?

-=rsw
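[Editor's note, not part of the thread.] The "key order preferences" point above is the one a server operator can act on today, so here is an added mod_ssl configuration fragment illustrating it. It is an example written for this page, not the cpunks.org config or any distribution's shipped default. The "before" block is a typical permissive setting of the kind the reply describes, not a quotation of any specific vendor's file; the "after" block assumes Apache 2.4 with OpenSSL 1.0.x or later, since the ECDHE suites only exist there. The trailing non-FS AES128-SHA is kept deliberately so that the old clients mentioned in the reply can still connect, just never in preference to a forward-secret suite.

```apache
# --- Before: a permissive cipher list with no server-side ordering.
# The client's preference wins, so a browser that lists RSA key exchange
# first (or only) never negotiates a forward-secret suite even when the
# server supports one.
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
# (no SSLHonorCipherOrder)

# --- After: server picks, and forward-secret suites come first.
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3

# Enforce the server's ordering rather than the client's.
SSLHonorCipherOrder on

# ECDHE first (cheapest FS exchange on OpenSSL 1.0.x+), then DHE for
# clients without EC support, then one plain-RSA fallback so very old
# browsers still get a connection instead of a handshake failure.
# Everything anonymous, null, MD5, RC4 or 3DES is excluded outright.
SSLCipherSuite \
ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-RSA-AES128-SHA256:\
ECDHE-RSA-AES128-SHA:\
ECDHE-RSA-AES256-SHA:\
DHE-RSA-AES128-GCM-SHA256:\
DHE-RSA-AES128-SHA256:\
DHE-RSA-AES128-SHA:\
AES128-SHA:\
!aNULL:!eNULL:!MD5:!RC4:!3DES

# Apache 2.4.7+ lets the DH group be set explicitly via the certificate
# file; older releases use a built-in 1024-bit group. Assumed path.
# SSLCertificateFile /etc/ssl/certs/server-with-dhparams.pem
```

To check what a given server actually negotiates, restrict the client to FS key exchanges and look at the reported cipher: `openssl s_client -connect host:443 -cipher 'kEECDH:kEDH' < /dev/null 2>/dev/null | grep '^ *Cipher'`. If the handshake fails with that restriction, the server has no forward-secret suite enabled at all; if it succeeds there but an unrestricted `s_client` reports an `AES128-SHA`-style suite, the server supports FS yet is not honoring its own cipher order, which is the configuration gap the reply describes.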