Weak Keys and Outdated Machine Identity Management Undermine TLSv1.3 Adoption: Venafi

Venafi, the inventor and leading provider of machine identity management, today announced the findings of a new crawler report from security researcher and TLS expert, Scott Helme. The report, which Venafi sponsored, evaluates the use of encryption across the world’s top one million sites over the last six months and reveals the need for a control plane to automate the management of machine identities in increasingly complex cloud environments.

The research suggests that while progress has been made in some areas, more education is needed to ensure that machine identities are used in the most effective way to protect our online world: 

  • Use of TLSv1.2 has declined by 13% over the last six months, and v1.3 is now in use by almost 50% of sites, more than twice as many as v1.2. Adoption of v1.3 is being driven by digital transformation initiatives, cloud migration and new cloud-native stacks that default to v1.3.
  • Even though organizations are adopting stronger TLS protocols, they are failing to couple this with a move to stronger keys for TLS machine identities.
  • Industry-standard ECDSA keys are now used by just 17% of websites, up from 14% six months ago. Slower RSA keys are still used by 39% of the top one million websites. (RSA is not a broken algorithm, but it needs far larger keys for the same strength: a 2048-bit RSA key gives roughly 112 bits of security, against 128 bits for a 256-bit P-256 ECDSA key, and RSA signing is markedly slower at equal security level.)
  • Growth in the adoption of HTTPS has plateaued at 72% — the same level as in December.

Let’s Encrypt continues to be the Certificate Authority (CA) of choice for the top one million, but Cloudflare is making up ground. Cloudflare's growth appears to be the main driver of TLS v1.3 adoption: 50% of the websites deploying v1.3 do so through Cloudflare. The decline in use of Extended Validation (EV) certificates has also continued, with a 16% decrease in the past six months, following changes by browser makers (the removal of the prominent EV indicator from the address bar) that dramatically reduced the value of EV certificates to website owners. 

There is some good news in this analysis. The data suggests that organizations are taking more steps to manage their machine identity environments. Since December, there has also been a 13% increase in the number of sites publishing Certification Authority Authorization (CAA) DNS records (RFC 8659), which let a domain owner state which CAs are permitted to issue certificates for that domain; publicly trusted CAs are required to check CAA before issuing. Note that CAA is enforced at issuance time by compliant CAs, not by browsers or other TLS clients, so it does not revoke certificates already issued and should be paired with Certificate Transparency log monitoring. The adoption of this control is a positive sign that organizations are aware of the importance of machine identities in overall security and are showing increased vigilance in the ways in which they manage them.
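To make the CAA control concrete, the following is an added worked example (not code from Venafi or from Scott Helme's crawler) that evaluates CAA records the way a compliant CA must under RFC 8659: climb from the requested name to the closest ancestor that has a CAA RRset, honour `issuewild` for wildcard names, refuse on unknown critical properties, and otherwise allow only listed issuers. The zone data is constructed and the issuer names (letsencrypt.org, digicert.com, anyca.example) are illustrative; no DNS queries are made.

```python
"""Offline evaluation of CAA records (RFC 8659).

Added example: not code from Venafi or from Scott Helme's crawler. The zone
below is constructed data that stands in for DNS answers, so the script runs
without network access. Issuer domains such as "letsencrypt.org" and
"digicert.com" are used only as illustrative values.
"""
from dataclasses import dataclass
from typing import Dict, List

ISSUER_CRITICAL = 0x80          # bit 0 of the CAA flags byte (RFC 8659 s.4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    """One CAA RR: flags byte, property tag, property value."""
    flags: int
    tag: str
    value: str

    def issuer(self) -> str:
        """Issuer domain of an issue/issuewild value: the text before the first
        ';'. Parameters after it (e.g. validationmethods=) are the CA's own
        policy concern and are ignored here. A bare ';' yields '' (nobody)."""
        return self.value.split(";", 1)[0].strip().lower()

    def zone_line(self, owner: str) -> str:
        """Render as a zone-file line, the form an operator actually deploys."""
        return f'{owner.rstrip(".")}. IN CAA {self.flags} {self.tag} "{self.value}"'


# Constructed zone (hypothetical names and policies, not real DNS data).
ZONE: Dict[str, List[CAA]] = {
    "example.com": [
        CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        CAA(0, "issuewild", ";"),                          # nobody may issue wildcards
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "api.example.com": [CAA(0, "issue", "digicert.com")],          # overrides parent
    "legacy.example.com": [CAA(ISSUER_CRITICAL, "futuretag", "x")],  # unknown + critical
    "open.example.net": [CAA(0, "iodef", "mailto:soc@example.net")],  # reporting only
}


def relevant_rrset(fqdn: str, zone: Dict[str, List[CAA]]) -> List[CAA]:
    """RFC 8659 s.3: the CAA RRset of the closest ancestor-or-self that has one.
    The climb stops at the first non-empty set; parent records are not merged."""
    labels = fqdn.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def ca_may_issue(fqdn: str, ca_domain: str, zone: Dict[str, List[CAA]]) -> bool:
    """Decide, as a compliant CA would, whether ca_domain may issue for fqdn."""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn    # CAs look up the name under the '*.'
    rrset = relevant_rrset(base, zone)
    if not rrset:
        return True                           # no CAA anywhere up the tree: unrestricted
    # An unrecognised property flagged critical forbids issuance outright.
    if any(rr.flags & ISSUER_CRITICAL and rr.tag.lower() not in KNOWN_TAGS
           for rr in rrset):
        return False
    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    # issuewild governs wildcard names only when present; otherwise issue applies.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True                           # e.g. only iodef: no issuance restriction
    return any(rr.issuer() == ca_domain.lower() for rr in governing)


if __name__ == "__main__":
    for owner, rrs in ZONE.items():
        for rr in rrs:
            print(rr.zone_line(owner))
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("api.example.com", "digicert.com"),
                     ("*.api.example.com", "digicert.com"),
                     ("host.legacy.example.com", "letsencrypt.org"),
                     ("open.example.net", "anyca.example")]:
        verdict = "ALLOWED" if ca_may_issue(name, ca, ZONE) else "DENIED"
        print(f"{ca:16} -> {name:24} {verdict}")
```

Two details are worth checking in your own zone against this logic: a record at a subdomain replaces, rather than adds to, the parent's policy (api.example.com above lets DigiCert issue even though the apex lists only Let's Encrypt), and an `issue` record without a matching `issuewild` also permits wildcard certificates, so `issuewild ";"` is the line that actually blocks them.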

For more information on the report please visit the blog.
