Secure internet protocols are taking hold


The migration to modern internet protocols such as HTTPS and TLS is in full swing. However, the key algorithms in use still lag behind.

Venafi presents the new “TLS Crawler Report” from security researcher and encryption expert Scott Helme, which is based on an in-depth security analysis of the world’s most important one million websites over the past 18 months. Driven by the acceleration of digital transformation and cloud migration during the pandemic, the analysis shows that the internet is becoming safer in many ways.

Both the use of encryption and the adoption of newer TLS protocol versions are increasing. However, despite the advent of stronger encryption protocols, many companies continue to use legacy RSA encryption algorithms to generate keys that, in conjunction with TLS certificates, act as machine identities that authorize secure connections between physical, virtual and IoT devices, APIs, applications and clusters. RSA algorithms are less secure than modern alternatives.

The main results include:

  • 72 percent of websites are now actively redirecting traffic to HTTPS (Hypertext Transfer Protocol Secure) – an increase of 15 percent since March 2020.
  • Almost one in five of the top 1 million websites is now using HSTS (HTTP Strict Transport Security) – up 44 percent since March 2020.
  • More than half of the top 1 million websites using HTTPS are using TLSv1.3, the latest version of TLS (Transport Layer Security) that superseded TLSv1.2 and is now the most popular version of the protocol.
  • RSA (Rivest-Shamir-Adleman) remains the preferred digital signature algorithm: 50.47 percent of websites use it.
  • Let’s Encrypt is now the leading Certificate Authority (CA) for TLS certificates, used by 28 percent of websites.

Of the three categories of key generation algorithms commonly used for asymmetric encryption – RSA, DSA and ECDSA – ECDSA (Elliptic Curve Digital Signature Algorithm) is the most secure because of its computational complexity. ECDSA generates much smaller keys that require less bandwidth to establish an SSL/TLS connection. These smaller keys are ideal for mobile applications, and because they can be stored on devices with far more limited storage space, ECDSA keys are well suited to mTLS stacks in IoT and embedded devices.
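The report's criteria (HTTPS redirect, HSTS, TLSv1.3, key algorithm) can be turned into a simple audit. The following is an added example, not code from Venafi or from Scott Helme's crawler: it parses HSTS headers per RFC 6797 and flags RSA keys on sites that already offer TLSv1.3; the record field names, the constructed sample records and the one-year HSTS threshold are assumptions made here.

```python
import re  # added example; not code from Venafi or Helme's crawler

# Approximate security strength in bits (NIST SP 800-57 equivalences;
# RSA 4096 is not tabulated by NIST, ~140 is the commonly quoted estimate).
STRENGTH = {("RSA", 2048): 112, ("RSA", 3072): 128, ("RSA", 4096): 140,
            ("ECDSA", 256): 128, ("ECDSA", 384): 192}

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797).
    Returns None when the header is absent or has no valid max-age."""
    if not header:
        return None
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def audit(record):
    """Return the findings for one site record (field names are assumptions)."""
    findings = []
    if not record["redirects_to_https"]:
        findings.append("no HTTPS redirect")
    hsts = parse_hsts(record["headers"].get("strict-transport-security"))
    if hsts is None:
        findings.append("HSTS missing or invalid")
    elif hsts["max_age"] < 31536000:  # one year, the preload-list minimum
        findings.append("HSTS max-age below one year")
    algo, bits = record["key_algorithm"], record["key_bits"]
    if algo == "RSA" and "TLSv1.3" in record["tls_versions"]:
        # Helme's point: a client that negotiates TLSv1.3 must support ECDSA
        # signatures too, so "legacy clients" do not justify RSA here.
        findings.append("RSA key on a TLSv1.3 site")
    findings.append(f"key strength ~{STRENGTH.get((algo, bits), 'unknown')} bits")
    return findings

SCAN = [  # constructed sample records, not real scan data
    {"host": "a.example", "redirects_to_https": True, "key_algorithm": "ECDSA",
     "key_bits": 256, "tls_versions": ["TLSv1.2", "TLSv1.3"], "headers":
     {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"}},
    {"host": "b.example", "redirects_to_https": False, "key_algorithm": "RSA",
     "key_bits": 2048, "tls_versions": ["TLSv1.2", "TLSv1.3"], "headers":
     {"strict-transport-security": "max-age=300"}},
]
for rec in SCAN:
    print(rec["host"], audit(rec))
```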

“I was hoping that the proliferation of TLSv1.3 would encourage people to use ECDSA keys instead of RSA keys for authentication because they are much more secure, but unfortunately that didn’t happen,” says Helme. “It seems that RSA is still the key algorithm of choice, and by a considerable margin. Companies say they are keeping RSA for older clients that do not yet support ECDSA, but the huge increase in usage of TLSv1.3 contradicts that notion as it is not supported by older clients either.”

“We continue to see a worrying number of RSA 3072 and RSA 4096 algorithms. This indicates that more needs to be done to educate website owners about the security and performance benefits of the newer ECDSA key algorithm,” added Helme.

The research also shows that Let’s Encrypt is now leading the CA market for TLS – a particularly notable achievement considering that Let’s Encrypt was completely missing from the top 1 million in 2016. Twenty-eight percent of the websites scanned use Let’s Encrypt, with Let’s Encrypt and Cloudflare having more than half of the top 1 million TLS certificates in use. The rise of Let’s Encrypt is reflected in a sharp decline in the use of Extended Validation (EV) certificates. The number of the top 1 million sites using EV certificates is lower than it has ever been in the last six years of analysis.

“The rise of Let’s Encrypt marks a sharp decline in the perceived value of EV Certificates,” said Kevin Bocek, Vice President, Security Strategy and Threat Intelligence at Venafi. “Browsers no longer give EV certificates special treatment, and the speed of development today just doesn’t match the slow, manual approval processes that go with them. Cloud-native technologies require a much larger number of TLS certificates, and these technologies absolutely require automation for machine identities. Since EV certificates are not automation-friendly, their use and value will continue to decrease.”
