The top 100 websites routinely fail to follow Transport Layer Security (TLS) best practices and still support older, deprecated protocols, suggests a new report.
Compiled by cybersecurity firm F5 Labs, the 2021 TLS Telemetry Report analyzes how well the busiest websites on the internet implement HTTPS and TLS best practices, based on data from scans of the web's most popular sites.
“As old protocols prove to be insecure and new standards emerge, it has never been more important to keep HTTPS configurations up to date...As this report shows, the issue is not so much the lack of adopting new ciphers and security features but the rate at which old and vulnerable protocols are removed,” reads the report.
Commenting on the importance of this information, F5 says that websites that routinely fail to follow TLS best practices are also usually the ones that run old and likely vulnerable web servers.
Two steps forward...
David Warburton, Principal Threat Research Evangelist (EMEA) at F5 Networks writes that the report shows that while web encryption has improved in several respects, as compared to last year, stagnation or even regression in many other areas is negating some of the progress.
The report notices several positives, such as the wide adoption of TLS 1.3, which has finally become the encryption protocol of choice on the majority of web servers in the top one million websites.
Furthermore, the maximum lifespan of newly issued SSL certificates also registered a significant drop in September 2020, coming down from three years to just 398 days.
...and one step back
On the flip side though, the report revealed that the top 100 sites were more likely to still support the older SSL 3, TLS 1.0, and TLS 1.1 protocols than servers with much less traffic.
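The two findings above (support for deprecated protocol versions, and certificate lifetimes beyond the 398-day maximum) are both things a site operator can check on their own servers. The script below is an added example written for this article, not code from F5 Labs or the report. It probes a host you administer for each TLS version using Python's standard `ssl` module, then applies the report's two rules to the result; the certificate dicts are constructed samples in the shape `ssl.getpeercert()` returns, not data from any real host, and the function names and the 398-day threshold handling are this example's own choices.

```python
"""Audit a TLS endpoint you control for two of the report's findings:
deprecated protocol versions still enabled, and certificate lifetimes
longer than the 398-day maximum introduced in September 2020."""
import socket
import ssl

# Versions the report treats as deprecated. SSL 3 is listed for completeness,
# but modern OpenSSL builds cannot negotiate it, so the probe below never sees it.
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}
MAX_CERT_LIFETIME_DAYS = 398

# Constructed sample certificates in ssl.getpeercert() format (not real hosts).
SAMPLE_CERT_LONG = {
    "subject": ((("commonName", "legacy.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2023 GMT",   # three-year certificate
}
SAMPLE_CERT_OK = {
    "subject": ((("commonName", "current.example.test"),),),
    "notBefore": "Sep  1 00:00:00 2020 GMT",
    "notAfter": "Oct  4 00:00:00 2021 GMT",   # exactly 398 days
}


def probe_protocol_versions(host, port=443, timeout=5.0):
    """Attempt one handshake per TLS version, pinned via minimum/maximum
    version, and return the set of version strings the server negotiated
    (e.g. {"TLSv1.2", "TLSv1.3"}). Verification is disabled on purpose:
    we only want to learn what the server will speak, not trust it."""
    accepted = set()
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError:
            continue  # the local OpenSSL build refuses this version outright
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted.add(tls.version())
        except (OSError, ssl.SSLError):
            pass  # handshake refused: the server does not offer this version
    return accepted


def deprecated_versions(accepted):
    """Return the negotiated versions that the report flags as deprecated."""
    return sorted(set(accepted) & DEPRECATED)


def cert_lifetime_days(cert):
    """Validity period in days, from the notBefore/notAfter strings that
    ssl.getpeercert() returns ('Sep  1 00:00:00 2020 GMT')."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400


def audit(accepted_versions, cert):
    """Apply both rules and return a list of human-readable findings
    (empty list means the endpoint passes both checks)."""
    findings = []
    for version in deprecated_versions(accepted_versions):
        findings.append(f"deprecated protocol still enabled: {version}")
    days = cert_lifetime_days(cert)
    if days > MAX_CERT_LIFETIME_DAYS:
        findings.append(
            f"certificate lifetime {days:.0f} days exceeds {MAX_CERT_LIFETIME_DAYS}")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live check against a host you administer: python audit_tls.py host [port]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        versions = probe_protocol_versions(host, port)
        ctx = ssl.create_default_context()
        with socket.create_connection((host, port), timeout=5.0) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
        print(f"{host}:{port} negotiated {sorted(versions)}")
        for line in audit(versions, cert):
            print("  -", line)
    else:
        # Offline demonstration on the constructed samples.
        for line in audit({"TLSv1", "TLSv1.2", "TLSv1.3"}, SAMPLE_CERT_LONG):
            print("  -", line)
```

Run it with a hostname to audit a live endpoint, or with no arguments to see the rules applied to the constructed samples. The offline path is the useful part for the report's point: the three-year sample certificate and the TLS 1.0 handshake both produce findings, while a 398-day certificate on a TLS 1.2/1.3-only server produces none.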
More worryingly, it found that 22% of the web servers were running Apache 2.0, which was released in 2002 and last patched in 2013.
The report also observed that the number of phishing sites that used HTTPS with valid certificates to appear more legitimate grew from 70% in 2019 to nearly 83%.
“It’s clear that we’re facing two important realities heading into 2022. One is that the desire to intercept, circumvent, and weaken encryption has never been greater...The other is that the greatest weaknesses come not from the latest features we struggle to adopt but the old ones we are reluctant to disable,” concludes Warburton.