
Creating an encrypted HTTPS website depends on a lot more than simply throwing a digital certificate at it and hoping for the best. As old protocols prove to be insecure and new standards emerge, it has never been more important to keep HTTPS configurations up to date. In fact, Transport Layer Security (TLS) and HTTPS misconfigurations are now so commonplace that in the 2021 OWASP Top 10, Cryptographic Failures now comes in second place.

As this report shows, the issue is not so much the lack of adopting new ciphers and security features but the rate at which old and vulnerable protocols are removed. Attackers know there is a correlation between poor HTTPS configurations and a vulnerable web server. Websites that routinely fail to follow TLS best practices are also found to be running old (and likely vulnerable) web servers.

On top of that is the potential use or abuse of web encryption for malicious purposes. Attackers have learned how to use TLS to their advantage in phishing campaigns, governments worldwide seek to subvert encryption to their benefit, and fingerprinting techniques raise questions about the prevalence of malware servers in the top one million sites on the web.

In order to collect the data for this report, we have continued to develop our own TLS scanning tool, Cryptonice, which is now free and open source. Security teams and website operators can use this to evaluate the cryptographic posture of their own sites and even bake it into their DevSecOps workflows for fully automated HTTPS auditing.

Here are some detailed stats on what’s good, what’s bad, and what’s troubling in the world of TLS:

TLS 1.3, now just over two years old, has risen to become the preferred protocol for 63 percent of the top one million web servers on the Internet. In some countries, such as the United States and Canada, as many as 80 percent of web servers choose it, while in others, such as China and Israel, only 15 percent of servers support it.

The move to elliptic curve cryptography is slow but steady, with 25 percent of certificates now signed with the Elliptic Curve Digital Signature Algorithm (ECDSA) and over 99 percent of servers choosing non-RSA handshakes when possible.

Despite widespread TLS 1.3 adoption, old and vulnerable protocols are being left enabled. RSA handshakes are allowed by 52 percent of web servers, SSL v3 is enabled on 2 percent of sites, and 2.5 percent of certificates had expired.

TLS 1.0 and 1.1 are now officially deprecated due to known security flaws. They have largely disappeared from use across the top one million sites, although a small number of web servers, 0.4 percent, still select one of them during an HTTPS connection.
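The posture checks the report measures (deprecated protocol versions, RSA key-exchange handshakes as distinct from RSA-signed certificates, expired certificates) can be automated over a scan result, which is the kind of DevSecOps audit step the report suggests. The following is an added example, not code from the report or from Cryptonice: the scan dictionary shape, the sample values and the functions `key_exchange` and `assess` are all constructed for illustration and do not reflect Cryptonice's own output format.

```python
"""Assess one scanned site against the posture points the report measures.

Added example: the input dict is a constructed shape for illustration,
not Cryptonice's output format.
"""
from datetime import datetime, timezone

# Protocol versions the report treats as deprecated or insecure.
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def key_exchange(suite: str) -> str:
    """Key-exchange family of an IANA-style cipher suite name.

    TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use ephemeral (EC)DHE.
    For TLS 1.2 names the token before _WITH_ names it: ECDHE_RSA -> ECDHE
    (RSA is only the signature), RSA -> RSA (static RSA key transport, no
    forward secrecy). The latter is the "RSA handshake" the report counts.
    """
    if not suite.startswith("TLS_"):
        raise ValueError(f"not an IANA suite name: {suite}")
    if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "(EC)DHE"
    return suite[4:].split("_WITH_")[0].split("_")[0]


def assess(scan: dict, now_iso: str) -> dict:
    """Return the report's posture checks for one scan result at time now_iso."""
    cert = scan["certificate"]
    not_after = datetime.fromisoformat(cert["not_after"])
    return {
        "deprecated_protocols": sorted(set(scan["protocols"]) & DEPRECATED_PROTOCOLS),
        "rsa_key_exchange_suites": [s for s in scan["cipher_suites"] if key_exchange(s) == "RSA"],
        "certificate_expired": not_after < datetime.fromisoformat(now_iso),
        # Informational only: RSA-signed certificates are fine, ECDSA is the trend.
        "certificate_rsa_signed": "RSA" in cert["signature_algorithm"].upper(),
    }


# Constructed sample of one site showing the misconfigurations the report describes.
SAMPLE_SCAN = {
    "host": "example.test",
    "protocols": ["TLSv1.0", "TLSv1.2", "TLSv1.3"],
    "cipher_suites": [
        "TLS_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    ],
    "certificate": {"not_after": "2021-06-30T23:59:59+00:00",
                    "signature_algorithm": "sha256WithRSAEncryption"},
}

if __name__ == "__main__":
    for check, result in assess(SAMPLE_SCAN, datetime.now(timezone.utc).isoformat()).items():
        print(f"{check}: {result}")
```

Feeding the result of a real scan into `assess` turns the report's categories into pass/fail signals a pipeline can gate on.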