Evaluating the use of encryption across the world’s top one million sites
A new report from security researcher and TLS expert Scott Helme, evaluates the use of encryption across the world’s top one million sites over the last six months and reveals the need for a control plane to automate the management of machine identities in increasingly complex cloud environments.
The research suggests that while progress has been made in some areas, more education is needed to ensure that machine identities are used in the most effective way to protect our online world:
- Use of TLSv1.2 has declined by 13% over the last six months, with v1.3 in use by almost 50% of sites — more than twice as many sites as v1.2. The adoption of v1.3 is being driven by widespread digital transformation. initiatives, cloud migration and new cloud native stacks that default to v1.3.
- Even though organizations are adopting stronger TLS protocols, they are failing to couple this with a move to stronger keys for TLS machine identities.
- Industry-standard ECDSA keys are now used by just 17% of websites — up from 14% six months ago. Slower, less secure RSA keys are still used by 39% of the top one million websites.
- Growth in the adoption of HTTPS has plateaued at 72% — the same level as in December.
“The fact that companies are deploying TLS v1.3 with machine identities using RSA keys shows there is still a lot of progress to be made with machine identity management. A strong algorithm means very little if it is used in conjunction with a weak key — it’s akin to building a stone fortress but leaving the wooden gate unprotected,” explained Helme. “The adoption of newer, more efficient and more secure EDCSA keys has been negligible over the last six months. This, coupled with the fact that HTTPS adoption has plateaued over the last six months, shows that the internet is no safer than it was half a year ago. Cybercriminals are constantly upping the ante, so it’s disheartening to see that companies aren’t following suit.”
Let’s Encrypt continues to be the Certificate Authority (CA) of choice for the top one million, but Cloudflare is making up ground. This uptake seems to be the driving force behind TLS v1.3 adoption, with 50% of the websites deploying v1.3 doing so through Cloudflare. The decline in use of Extended Validation (EV) certificates has also continued, with a 16% decrease in the past six months, following changes from browser makers that dramatically reduced the value of EV certificates to website owners.
There is some good news in this analysis. The data suggests that organizations are taking more steps to manage their machine identity environments. Since December, there has also been a 13% increase in the number of sites making use of Certificate Authority authorization (CAA), which enables companies to create a list of approved CAs that can be used within their organizations. The adoption of this control is a positive sign that organizations seem aware of the importance of machine identities in overall security and are showing increased vigilance in the ways in which they manage them.
“The recent boom in cloud migration means every business needs many more TLS machine identities to secure communication between devices, clouds, software, containers and APIs,” said Kevin Bocek, VP, security strategy and threat intelligence at Venafi. “The fact that more and more companies are making use of CAA is a positive sign that companies are waking up to the need for machine identity management. CAA adoption also underscores the urgent need for a machine identity management control plane that can automate the use of machine identities in increasingly complex cloud environments.”