Key Takeaways from F5 Labs’ 2021 TLS Telemetry Report

David Warburton サムネール
David Warburton
Published October 20, 2021

The state of encryption on the web is a case of taking two steps forward and one step back. Compared with our last report from early 2020, the 2021 TLS Telemetry Report shows that web encryption has improved in several respects. Adoption of Transportation Layer Security (TLS) 1.3 has grown, which has simplified the huge variety of previously available cipher suites and put to bed some that were inarguably past their prime.

At the same time, because of the flexible nature of HTTPS and cipher suite negotiation, stagnation or regression in many areas is undoing some of the progress. SSL 3 (the predecessor to TLS) just won’t die, half of all web servers allow the use of insecure RSA key exchanges, certificate revocation is problematic at best, and old, rarely updated servers are visible everywhere.

Of course, the potential use or abuse of web encryption for malicious purposes persists. Attackers have learned how to use TLS to their advantage in phishing campaigns, governments worldwide seek to subvert encryption to their benefit, and fingerprinting techniques raise questions about the prevalence of malware servers in the top 1M sites on the web.

Read on for detailed stats on what’s good, what’s troubling, and what’s bad in the world of TLS encryption.

The Good

The faster, more secure TLS 1.3 is gaining ground, certificate lifespans are dropping, and the use of advanced encryption and hashing algorithms is rising.

  • For the first time, TLS 1.3 was the encryption protocol of choice on the majority of webservers on the Tranco 1M list. Nearly 63% of servers now prefer TLS 1.3, as do over 95% of all browsers in active use.
  • Canada and the United States are significantly ahead of the pack, with Canadian servers preferring TLS 1.3 nearly 80% of the time, and the U.S. just over 75%.
  • More than three-quarters of every TLS connection across the top 1M sites make use of AES (with a 256-bit key) and the SHA-2 hashing algorithm (with a 384-bit output size).
  • TLS 1.3 removes the risk of using the less-secure RSA key exchange, since it permits only ECDHE key agreements. ECC certificates using the elliptic-curve digital signature algorithm (ECDSA) have been increasing as a result. Just over 24% of top sites use 256-bit ECDSA certificates, while around 1% use 384-bit ECDSA certs.
  • The maximum lifespan of newly issued certificates dropped significantly in September 2020, from three years to just 398 days. There’s a growing movement toward extremely short-term certificates too as the single most common lifespan was 90 days, accounting for 38% of all certificates.

The Not So Good

Too many sites continue to support older cryptographic protocols and RSA certificates.

  • DNS CAA records grew in prevalence from 2019 (1.8% of sites) to 2021 (3.5%). This shows a positive and steady increase but also demonstrates how few sites still use them.
  • The top 100 sites were more likely to still support SSL 3, TLS 1.0, and TLS 1.1 than servers with much less traffic.
  • 2% of sites still have SSL 3 enabled, which represents some progress towards its removal from the web but not enough in our book.
  • 52% of servers still allow the use of insecure RSA key exchanges, if that is all the client supports.
  • Of the 1M sites we scanned, 0.3% used RSA certificates with 1024-bit keys, which haven’t been available from trustworthy CAs since 2013.
  • 70% of sites using 1024-bit certs are running Apache, and 22% are running Apache 2.0. Since Apache 2.0 was released in 2002 and last patched in 2013, this strongly suggests that many web servers are configured once and are touched again only when it is time to renew the cert.
  • Certificate revocation methods are almost entirely broken, driving a growing desire across the CA and browser industry to move toward extremely short-term certificates.

The Just Plain Bad

Phishing is running rampant, and it won’t be going away anytime soon.

  • The number of phishing sites using HTTPS with valid certificates to appear more legitimate to their victims grew from 70% in 2019 to nearly 83%. Roughly 80% of malicious sites come from just 3.8% of the hosting providers.
  • In terms of service providers, phishers tended to slightly prefer Fastly, with Unified Layer, Cloudflare, and Namecheap just behind it.
  • Facebook and Microsoft Outlook/Office 365 were the brands most commonly spoofed in phishing attacks. Stolen credentials from these sites have great value, in part because so many other accounts tend to rely on these as identity providers (IdP) or a password reset function.
  • Webmail platforms constituted 10.4% of impersonated web functions, almost as high as Facebook. This means phishing attacks are as common against webmail as they are against Facebook accounts.

The Work Continues

It’s clear that we’re facing two important realities heading into 2022. One is that the desire to intercept, circumvent, and weaken encryption has never been greater; nation-states and cybercriminals are working to defeat the problems that strong encryption causes them, looking for creative ways to intercept or capture information before or after it’s encrypted. The other is that the greatest weaknesses come not from the latest features we struggle to adopt but the old ones we are reluctant to disable. Until both of them are addressed, make it a priority to use supporting protocols, such as DNS CAA and HSTS, to ensure that the minor gaps in the strength of HTTPS can’t be exploited.

Click here to view or download the complete 2021 TLS Telemetry Report.

About the Study

The majority of data in this study is from our Cryptonice scans of the most popular sites listed in the Tranco top 1M list, which ranks 1M popular domains. We also look at phishing sites as reported by OpenPhish and supplement our findings with client (browser) data captured by Shape Security to get a clear understanding of the most frequently used browsers and bots. Visit F5 Labs for more detail.