Outdated cryptographic protocols put vast amounts of network traffic at risk
Cryptography is largely taken for granted – rarely evaluated or checked – a practice that could have devastating consequences for businesses as attack surfaces continue to expand, the cost of a data breach rises year-over-year, and the age of quantum computing nears, according to Quantum Xchange.
An examination of more than 200 terabytes of network traffic (the total sum of all packets, for all connections, between all pairs) found that up to 80% had some defeatable flaw in its encryption and that 61% of the traffic was unencrypted.
Of the single, bi-directional TCP or UDP connections analyzed, 56.5% are unencrypted, compared to 43.4% that are encrypted.
Persistent use of outdated cryptographic protocols raises concerns
The outdated cryptographic protocols TLS 1.0 and SSL v3 are still in wide use today, with industries like healthcare and higher education slow to change. More alarming still, up to 92% of all traffic on a hospital network uses no encryption at all. This suggests a laissez-faire attitude and general reluctance to update “working” systems that are in production.
Strong cryptography is a basic requirement for insurance coverage. It is frightening to see healthcare falling so far behind.
45% of host pairs communicate via an unencrypted channel. 87% of encrypted, host-to-host relationships still use TLS 1.2, demonstrating that a large migration to TLS 1.3 is still forthcoming – not a trivial upgrade given the significant differences between versions.
Industries such as healthcare have a significant long tail of TLS 1.1 and 1.0 usage; even SSL v3 can be found at scarily high volumes. This suggests an “if it ain’t broke, don’t fix it” attitude and a general reluctance to update working, albeit outdated, systems that are in production.
“These findings serve as a snapshot of what’s taking place within enterprise systems worldwide,” said Vince Berk, Chief Strategist at Quantum Xchange. “Zero trust is meaningless if your encryption is not bulletproof. We’re trying to bring awareness to the here-and-now problem with cryptography so that organizations can shore up these weaknesses and better protect their systems from everyday cybersecurity risks and yet-to-be-discovered threats.”