do something with security.tls.version.enable-deprecated
[1] https://www.ssllabs.com/ssl-pulse/
- Protocol Support: 99.5% of sites support TLS1.2
- Best Protocol: TLS1 + TLS1.1 combined ~ 0.5%
From 150k sites based on Alexa top sites. I would assume the tail is very long and the less popular a site, the more likely it uses < TLS1.2. Any way you shake it, 0.5% of a gazillion is still a lot.
Load https://tls-v1-0.badssl.com:1010/ . The resulting interstitial has a button to Enable TLS 1.0 and 1.1. If you click it and continue, you will continue to your site (note: the padlock in the urlbar has a warning symbol but it's not noticeable - black and white iconography and a tiny warning symbol). This change is not site specific, but a permanent catch-all. The pref security.tls.version.enable-deprecated gets flipped to true and all future downgrades are silently accepted .. we can do better than that, right?
Possible solutions
- reset the pref at runtime (bootstrap? newnym?), so at least any change would be session only
- lock the pref (and edit the interstitial, e.g. remove button and edit text)
- wait for "TLS 1.0 and TLS 1.1 will be permanently disabled in a future release" to be handled upstream (boo!!)
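One concrete form of the second option, added here as an example and not code from this ticket or from Tor Browser: a check that tells whether a profile's prefs.js already has the pref flipped to true, plus the two Firefox autoconfig files that lock it at false (a locked pref cannot be changed by the interstitial button or about:config). The install directory and file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: detect a flipped security.tls.version.enable-deprecated pref
# and lock it via Firefox autoconfig. Paths below are assumptions.

PREF='security.tls.version.enable-deprecated'

# Returns 0 if the prefs.js given as $1 sets the pref to true, 1 otherwise.
# (Firefox writes user-changed prefs as user_pref("name", value); lines.)
tls_downgrade_enabled() {
    grep -F -q "user_pref(\"$PREF\", true);" "$1"
}

# Contents of defaults/pref/autoconfig.js: tells Firefox to load firefox.cfg
# from the install directory, unobfuscated.
autoconfig_js() {
    cat <<'EOF'
pref("general.config.filename", "firefox.cfg");
pref("general.config.obscure_value", 0);
EOF
}

# Contents of firefox.cfg. The first line of this file must be a comment.
# lockPref() pins the value so the interstitial can no longer set it to true.
firefox_cfg() {
    cat <<EOF
// locked: deprecated TLS 1.0 / 1.1 stays disabled
lockPref("$PREF", false);
EOF
}

# Write both files under the Firefox install directory given as $1
# (e.g. the Browser/ directory of a Tor Browser bundle; assumed path).
install_lock() {
    dir="$1"
    mkdir -p "$dir/defaults/pref"
    autoconfig_js > "$dir/defaults/pref/autoconfig.js"
    firefox_cfg > "$dir/firefox.cfg"
}
```

After installing, about:config shows the pref as locked and the interstitial's override no longer persists.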