Fortified Castles With Wooden Gates: Weak Keys and Outdated Machine Identity Management Undermine TLSv1.3 Adoption

Kevin Bocek, Vice President, security strategy and threat intelligence at Venafi

Venafi®, the inventor and leading provider of machine identity management, today announced the findings of a new crawler report from security researcher and TLS expert, Scott Helme. The report, which Venafi sponsored, evaluates the use of encryption across the world’s top one million sites over the last six months.

The research suggests that while progress has been made in some areas, more education is needed to ensure that machine identities are used in the most effective way to protect our online world:

  • Use of TLSv1.2 has declined by 13% over the last six months, and v1.3 is now in use by almost 50% of sites, more than twice as many as v1.2. The adoption of v1.3 is being driven by widespread digital transformation initiatives, cloud migration, and new cloud-native stacks that default to 1.3.
  • Even though organisations are adopting stronger TLS protocols, they are not coupling this with a move to stronger keys for the TLS machine identities those protocols carry.
  • ECDSA keys, now the industry standard for TLS, are used by just 17% of websites, up from 14% six months ago. RSA keys, which need much larger key sizes than ECDSA for comparable security and make handshakes slower, are still used by 39% of the top one million websites.
  • Growth in the adoption of HTTPS has plateaued at 72%, the same level as in December.

“The fact that companies are deploying TLS v1.3 with machine identities using RSA keys shows there is still a lot of progress to be made with machine identity management. A strong algorithm means very little if it is used in conjunction with a weak key — it’s akin to building a stone fortress but leaving the wooden gate unprotected,” explained Scott Helme, security researcher and founder of Report URI. “The adoption of newer, more efficient and more secure ECDSA keys has been negligible over the last six months. This, coupled with the fact that HTTPS adoption has plateaued over the last six months, shows that the internet is no safer than it was half a year ago. Cybercriminals are constantly upping the ante, so it’s disheartening to see that companies aren’t following suit.”

Let’s Encrypt continues to be the Certificate Authority (CA) of choice for the top one million, but Cloudflare is making up ground. This uptake seems to be the driving force behind TLSv1.3 adoption, with 50% of the websites deploying v1.3 doing so through Cloudflare. The decline in use of Extended Validation (EV) certificates has also continued, with a 16% decrease in the past six months, following changes by browser makers that dramatically reduced the value of EV certificates to website owners.

There is some good news in this analysis. The data suggests that organisations are taking more steps to manage their machine identity environments. Since December there has been a 13% increase in the number of sites publishing Certification Authority Authorization (CAA) records: DNS records in which a domain owner lists the CAs permitted to issue certificates for that domain, which conforming CAs must consult before issuing. CAA limits issuance by compliant CAs rather than what browsers will accept, so it complements rather than replaces certificate monitoring, but its adoption is a positive sign that organisations seem aware of the importance of machine identities in overall security and are showing increased vigilance in the ways in which they manage them.
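As an added example (not code from Venafi, Scott Helme or the report), the following Python implements the issuance decision a CA makes against CAA records under RFC 8659: walk from the requested name up to the nearest ancestor that has CAA records, apply the issue (or, for wildcards, issuewild) entries, honour the empty ";" value that names no issuer, and refuse when an issuer-critical record carries an unrecognised tag. It goes beyond the page's one-sentence description by covering wildcards, parameters and the critical flag. The zone, domain names and CA names are constructed for illustration; a real checker would query DNS instead of the in-memory dictionary.

```python
"""Added example: CAA issuance check against a constructed in-memory zone.
Not from the Venafi report; the names and records below are hypothetical."""

from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 128 = issuer-critical flag set
    tag: str     # "issue", "issuewild", "iodef", or something newer
    value: str   # property value as published in DNS


# Constructed zone: DNS name -> its CAA RRset. Illustrative data only.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        # Parameters after ';' (e.g. an ACME account binding) do not change the issuer name.
        CAARecord(0, "issue", "digicert.com; accounturi=https://example.invalid/acct/1"),
        CAARecord(0, "issuewild", ";"),   # ';' = no CA may issue wildcard certs here
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [
        CAARecord(0, "issue", ";"),       # nobody may issue for this name
    ],
    "strict.example.com": [
        CAARecord(128, "future-tag", "x"),  # critical + unknown tag: CA must refuse
    ],
    "iodef-only.example.com": [
        CAARecord(0, "iodef", "mailto:security@example.com"),  # reporting only
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name):
    """Return the CAA RRset of `name` or of its closest ancestor that has one
    (RFC 8659 section 3), or None when no CAA records exist up to the root."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = ZONE.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)
    return None


def issuer_domain(value):
    """Issuer domain from an issue/issuewild value, dropping ';' parameters.
    Returns '' for the bare ';' form, which authorises no issuer."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name, ca_domain, wildcard=False):
    """Decide whether CA `ca_domain` may issue for `name` (or `*.name` when
    wildcard=True). Returns (permitted, reason)."""
    rrset = relevant_rrset(name)
    if rrset is None:
        return True, "no CAA records on %s or any parent: issuance unrestricted" % name
    for rr in rrset:
        if rr.flags & 128 and rr.tag.lower() not in KNOWN_TAGS:
            return False, "issuer-critical record with unknown tag %r" % rr.tag
    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, else fall back to issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, "CAA RRset has no issue/issuewild records: issuance unrestricted"
    allowed = {issuer_domain(rr.value) for rr in applicable}
    allowed.discard("")   # the ';' value names no issuer at all
    if ca_domain.lower() in allowed:
        return True, "%s is authorised" % ca_domain
    return False, "%s not among %s" % (ca_domain, sorted(allowed) or "no issuers")


if __name__ == "__main__":
    for args in [("www.example.com", "letsencrypt.org"),
                 ("www.example.com", "globalsign.com"),
                 ("example.com", "letsencrypt.org", True),
                 ("strict.example.com", "letsencrypt.org"),
                 ("unrelated.test", "anyone.example")]:
        print(args, "->", may_issue(*args))
```

The walk up the tree is what makes a CAA record on the apex cover every subdomain unless a subdomain publishes its own, and the "no issue tag means unrestricted" branch is why a record set containing only an iodef entry does not lock a domain down.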

“The recent boom in cloud migration means every business needs many more TLS machine identities to secure communication between devices, clouds, software, containers and APIs,” said Kevin Bocek, vice president, security strategy and threat intelligence at Venafi. “The fact that more and more companies are making use of CAAs is a positive sign that companies are waking up to the need for machine identity management. CAA adoption also underscores the urgent need for a machine identity management control plane that can automate the use of machine identities in increasingly complex cloud environments.”

For more information on the report please visit: