Description
The current color scheme doesn't reflect the standardized observatory/infosec grading, the biggest issue being "Old" configs in grey, which is defined elsewhere by @mozilla as "low risk" — that is obviously not the case here:
At the same time, the possible "threat" from using the defined configurations has lowered over the years through versions 4.x and 5.x, effectively moving away from weak ciphers and flawed protocols even for the more compatible configs, with the recommendations today being relatively safe for "Intermediate" (that is, TLS v1.2+ for some time now), even more so if/when the next spec revision drops the DHEs that were needed years ago for compatibility reasons; and even the "Old" config, where needed, is relatively free from anything particularly dangerous (moved to TLS v1+ years ago, effectively only using what's available on the OS level nowadays) considering what it is intended for.
Years ago, probably even before the v5.x configs, what is "Old" today used to be the content of the default/recommended "Intermediate", and at the time that deserved the currently used yellow as "high risk"; but since that is now "Old" in v5.x and "Intermediate" doesn't really contain anything to be considered worse than "medium risk", I'd like to start using the blue color classification for "Intermediate", given its current content, and using the "high risk" yellow for "Old" configs, basically updating the threat levels to match the shift in the individual recommendations' definitions over the years.
TL;DR — to get rid of the incorrectly used grey:

- Modern: `#99cc00` green is okay (least concern, good grading)
- Intermediate: `#ffcc66` yellow should change to `#336699` blue (best effort, neutral)
- Old: `#cccccc` grey is wrong and must be changed to `#ffcc66` yellow (high risk, impact discussed)
- (+ there's always the implicit red "maximum risk" for plaintext or compromised configs that is not being used right now, but may e.g. be used in the future to mark ciphers in the overview table that are proven to be vulnerable, etc.)
That would also nicely align with scoring levels, basically conveying the same message and giving similar recommendations:
I'd either update the colors after #296 or when a new minor/major version of the specs comes out.
The colors would shift like this (before/after):
which represents the levels more accurately.