Skip to main content

Fortified Castles With Wooden Gates: Weak Keys and Outdated Machine Identity Management Undermine TLSv1.3 Adoption

Venafi-sponsored report shows the internet is no safer than it was six months ago

Venafi®, the inventor and leading provider of machine identity management, today announced the findings of a new crawler report from security researcher and TLS expert, Scott Helme. The report, which Venafi sponsored, evaluates the use of encryption across the world’s top one million sites over the last six months and reveals the need for a control plane to automate the management of machine identities in increasingly complex cloud environments.

The research suggests that while progress has been made in some areas, more education is needed to ensure that machine identities are used in the most effective way to protect our online world:

  • Use of TLSv1.2 has declined by 13% over the last six months, with v1.3 in use by almost 50% of sites — more than twice as many sites as v1.2. The adoption of v1.3 is being driven by widespread digital transformation, initiatives, cloud migration and new cloud native stacks that default to v1.3.
  • Even though organizations are adopting stronger TLS protocols, they are failing to couple this with a move to stronger keys for TLS machine identities.
  • Industry-standard ECDSA keys are now used by just 17% of websites — up from 14% six months ago. Slower, less secure RSA keys are still used by 39% of the top one million websites.
  • Growth in the adoption of HTTPS has plateaued at 72% — the same level as in December.

“The fact that companies are deploying TLS v1.3 with machine identities using RSA keys shows there is still a lot of progress to be made with machine identity management. A strong algorithm means very little if it is used in conjunction with a weak key — it’s akin to building a stone fortress but leaving the wooden gate unprotected,” explained Scott Helme, security researcher and founder of Report URI. “The adoption of newer, more efficient and more secure EDCSA keys has been negligible over the last six months. This, coupled with the fact that HTTPS adoption has plateaued over the last six months, shows that the internet is no safer than it was half a year ago. Cybercriminals are constantly upping the ante, so it’s disheartening to see that companies aren’t following suit.”

Let’s Encrypt continues to be the Certificate Authority (CA) of choice for the top one million, but Cloudflare is making up ground. This uptake seems to be the driving force behind TLS v1.3 adoption, with 50% of the websites deploying v1.3 doing so through Cloudflare. The decline in use of Extended Validation (EV) certificates has also continued, with a 16% decrease in the past six months, following changes from browser makers that dramatically reduced the value of EV certificates to website owners.

There is some good news in this analysis. The data suggests that organizations are taking more steps to manage their machine identity environments. Since December, there has also been a 13% increase in the number of sites making use of Certificate Authority authorization (CAA), which enables companies to create a list of approved CAs that can be used within their organizations. The adoption of this control is a positive sign that organizations seem aware of the importance of machine identities in overall security and are showing increased vigilance in the ways in which they manage them.

“The recent boom in cloud migration means every business needs many more TLS machine identities to secure communication between devices, clouds, software, containers and APIs,” said Kevin Bocek, vice president, security strategy and threat intelligence at Venafi. “The fact that more and more companies are making use of CAA is a positive sign that companies are waking up to the need for machine identity management. CAA adoption also underscores the urgent need for a machine identity management control plane that can automate the use of machine identities in increasingly complex cloud environments.”

For more information on the report please visit the blog.

About Venafi

Venafi is the cybersecurity market leader in machine identity management. From the ground to the cloud, Venafi solutions manage and protect identities for all types of machines — from physical and IoT devices to software applications, APIs and containers. Venafi provides global visibility, lifecycle automation and actionable intelligence for all machine identity types and the security and reliability risks associated with them.

Jetstack, a Venafi company, is a cloud native products and strategic consulting company working with enterprises using Kubernetes and OpenShift.

An open source pioneer, Jetstack has achieved notable industry recognition as the creator of cert-manager, the open source industry standard for cloud native machine identity management. Jetstack’s open source products and solutions protect the application environments and platform infrastructure of global banks, multinational retailing companies and defense organizations by providing enterprise platform and security teams the power to build, scale and security their cloud infrastructure.

With more than 30 patents, Venafi delivers innovative machine identity management solutions for the world's most demanding, security-conscious organizations and government agencies, including the top five U.S. health insurers; the top five U.S. airlines; the top four credit card issuers; three out of the four top accounting and consulting firms; four of the five top U.S. retailers; and the top four banks in each of the following countries: the U.S., the U.K., Australia and South Africa.

For more information visit www.venafi.com and www.jetstack.io.

Contacts

Shelley Boose

408.398.6987

Stock Quote API & Stock News API supplied by www.cloudquote.io
Quotes delayed at least 20 minutes.
By accessing this page, you agree to the following
Privacy Policy and Terms and Conditions.