F5 published The 2017 TLS Telemetry Report, the second in a series aimed to reveal the “cryptographic health” of the Internet. Having initiated this research in 2014, by 2016, the company began reporting on the state of TLS in its F5 Labs 2016 TLS Telemetry Report. With the benefit of nearly four years of data, they’ve observed some positive signs of progress and some lingering areas of concern.
In this second report, F5 shares its key findings for 2017, based on a sampling of more than 20 million SSL/TLS hosts worldwide:
- TLS’s predecessor, SSL 3.0—which is now prohibited from use by the Internet Engineering Task Force (IETF)—is taking its time disappearing entirely from the Internet. 11.2% of Internet hosts still support it.
- The transition from TLS 1.1 to TLS 1.2 has been steady, with 27% more hosts making the move in 2017. Currently, 89% of hosts are using TLS 1.2.
- IETF’s progress on TLS 1.3 has been slow for many reasons, not the least of which is debate about whether TLS 1.2 is really “broken” enough to require fixing.
- The HTTP Strict Transport Security (HSTS) header, important because it instructs the browser to always use a secure connection, is finally seeing some forward motion, even though numbers are still very low.Since the summer of 2014, HSTS usage has grown from a mere .33% to just over 4% in Q1 of 2018.
- Forward secrecy, a cryptographic technique designed to prevent adversaries in the future from decrypting captured, encrypted sessions from today, is steadily being adopted. Now, 88% of hosts prefer forward secrecy, up from about 30% in 2014.
- Self-signed certificates (those not signed by a trusted Certificate Authority) dropped from 15.2% in the first quarter of 2017 to 11.6% in Q1 of 2018. At the same time, free certifications from Let’s Encrypt jumped so sharply in 2017 that it is now the second most popular Certificate Authority website.
Here is a link to the full report: https://f5.com/labs/articles/threat-intelligence/ssl-tls/the-2017-tls-telemetry-report
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.