The shift from fully-ephemeral ECDHE to partially static ECDHE
affects the security properties offered by the TLS 1.3 handshake
by eliminating the Forward Secrecy property provided by the
server. If a server is compromised and the private key is
stolen, then an attacker who observes any TLS handshake (even one
that occurred prior to the compromise) will be able to recover
traffic encryption keys and will be able to decrypt traffic.
NEW
The shift from fully-ephemeral (EC)DHE to use of static (EC)DHE
server keys affects the security properties offered by the TLS 1.3
handshake by eliminating the Forward Secrecy property. If a
server is compromised and the private key is stolen, then an
attacker who observes any TLS handshake (even one that occurred
prior to the compromise) performed with this static (EC)DHE key pair
will be able to recover session encryption keys and will be able to decrypt
traffic.
From Tim Polk:
OLD