Thousands of unsafe web servers on popular websites

F5 news


The TLS Telemetry Report 2021 analyzes encryption and certificate usage on the web. More than half of all web servers still allow the insecure RSA key exchange, and certificate revocation remains unreliable. On top of that, old, rarely updated servers can be found almost everywhere.

This is the finding of the TLS Telemetry Report 2021 from F5 Labs, which regularly examines the 1 million most important websites worldwide. According to the study, attackers are increasingly using Transport Layer Security (TLS) to their own advantage in phishing campaigns. In addition, new fingerprinting techniques raise questions about how widespread malware servers hiding behind major websites are.


"More than ever, both nation states and cybercriminals are trying to bypass strong encryption," said David Warburton, senior threat research evangelist at F5 and author of the study. "With these pervasive risks, it has never been more important to have strong and up-to-date HTTPS configurations. This is especially true when using digital certificates from various services."

According to F5 Labs, the faster and more secure TLS 1.3 protocol is increasingly in use. For the first time, TLS 1.3 was the preferred protocol for the majority of web servers on the Tranco Top 1M list: almost 63 percent of the servers now prefer TLS 1.3, as do over 95 percent of all actively used browsers. In the USA and Canada, up to 80 percent of web servers use TLS, while in China or Israel it is only 15 percent.

Web server: two steps forward, one step back

DNS Certification Authority Authorization (CAA) records can prevent the fraudulent issuance of certificates. From 2019 (1.8% of websites) to 2021 (3.5%) their usage grew noticeably, but it remains at a very low level. It is also worrying that, while almost all servers in the top list prefer the secure Diffie-Hellman key agreement, 52 percent of the web servers still allow the insecure RSA key exchange.

In addition, the F5 Labs analyses have shown that the certificate revocation methods are almost completely useless. Certification authorities (CAs) and browser manufacturers therefore want to move increasingly towards very short-lived certificates: revoking a stolen certificate matters far less if it expires in a few weeks anyway. Currently, the most common certificate lifetime is 90 days; this applies to a little more than 42 percent of all websites.
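The three server-side findings in the two paragraphs above (CAA policy, static RSA key exchange still enabled, and certificate lifetime) can each be checked offline. The script below is an added example, not code from the report or from F5 Labs; the helper names, the sample CAA RRset and the certificate dates are constructed for illustration. It uses only Python's standard `ssl` module, so the cipher-suite audit reflects whatever OpenSSL build the interpreter is linked against.

```python
"""Offline TLS hygiene checks for three findings of the report:
CAA policy, static RSA key exchange still enabled, and certificate lifetime.
Added example; helper names and sample inputs are constructed."""
import ssl

CAA_CRITICAL = 128  # the "issuer critical" flag bit of a CAA record


def caa_allows(records, ca_domain, wildcard=False):
    """Decide whether `ca_domain` may issue for a name publishing `records`.

    `records` is a list of (flags, tag, value) tuples as found in DNS.
    Semantics follow RFC 8659: issuewild governs wildcard issuance when
    present, otherwise issue does; an empty relevant property set imposes
    no restriction; a value of ";" names no issuer, so nobody may issue;
    and an unknown property carrying the critical flag forbids issuance.
    """
    known = {"issue", "issuewild", "iodef"}
    if any(flags & CAA_CRITICAL and tag not in known for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    for value in relevant:
        # "ca.example; account=42" -> "ca.example"; ";" alone -> ""
        issuer = value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True
    return False


def rsa_kex_suites(ctx):
    """Names of enabled suites whose key exchange is static RSA.

    Such suites have no forward secrecy: whoever obtains the server's private
    key can decrypt recorded sessions. TLS 1.3 suites report 'kx-any' and are
    always ephemeral, so they never appear in this list.
    """
    return sorted(c["name"] for c in ctx.get_ciphers() if c.get("kea") == "kx-rsa")


def legacy_server_context():
    """Everything the linked OpenSSL offers, as a permissive legacy server might run."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return ctx


def hardened_server_context():
    """TLS 1.2 or newer with ephemeral (ECDHE/DHE) key exchange only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def cert_lifetime_days(not_before, not_after):
    """Lifetime in days from notBefore/notAfter strings in the format that
    ssl.getpeercert() returns, e.g. 'Nov  1 00:00:00 2021 GMT'."""
    delta = ssl.cert_time_to_seconds(not_after) - ssl.cert_time_to_seconds(not_before)
    return delta / 86400


if __name__ == "__main__":
    # Constructed CAA RRset: one CA may issue, wildcards are forbidden outright.
    rrset = [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";"),
             (0, "iodef", "mailto:security@example.test")]
    print("letsencrypt.org may issue:", caa_allows(rrset, "letsencrypt.org"))
    print("another CA may issue:    ", caa_allows(rrset, "ca.example"))
    print("wildcard permitted:      ", caa_allows(rrset, "letsencrypt.org", wildcard=True))
    print("RSA-kex suites, legacy:  ", rsa_kex_suites(legacy_server_context()))
    print("RSA-kex suites, hardened:", rsa_kex_suites(hardened_server_context()))
    # Constructed 90-day certificate validity window.
    print("lifetime (days):", cert_lifetime_days("Nov  1 00:00:00 2021 GMT",
                                                 "Jan 30 00:00:00 2022 GMT"))
```

The legacy context lists the RSA-key-exchange suites (names without an `ECDHE-`/`DHE-` prefix, such as `AES128-SHA`) that the 52 percent figure refers to; the hardened cipher string removes them entirely, and raising the minimum protocol version to TLS 1.3 would do so by construction, since TLS 1.3 has no static RSA key exchange. For a live server, the same `cert_lifetime_days` check can be fed the `notBefore`/`notAfter` values from `ssl.SSLSocket.getpeercert()`.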

Increasing security risks

At the same time, the dangers are growing. The share of phishing sites using HTTPS with valid certificates rose from 70 percent in 2019 to almost 83 percent in 2021. Around 80 percent of malicious websites are hosted by just 3.8 percent of hosting providers. Phishers prefer Fastly, closely followed by Unified Layer, Cloudflare and Namecheap.

The brands most often impersonated in phishing attacks are Facebook and Microsoft Outlook / Office 365. Stolen login details for these services are particularly valuable because many other accounts rely on them as an identity provider (IdP) or for password resets. F5 Labs also found that webmail platforms are impersonated almost as often as Facebook, at 10.4 percent of phishing attacks. The full TLS Telemetry Report 2021 is available online.

More at F5.com

About F5 Networks

F5 (NASDAQ: FFIV) gives the world's largest companies, service providers, government agencies and consumer brands the freedom to deliver any app securely, anywhere, with confidence. F5 offers cloud and security solutions that enable companies to use the infrastructure they choose without compromising speed and control. Please visit f5.com for more information. You can also visit us on LinkedIn and Facebook for more information about F5, its partners and technologies.
