Almost a third of the world wide web's top million sites are still not using HTTPS by default, according to infosec researcher Scott Helme's analysis.
In his Top 1 Million Analysis, in which he runs crawlers over a guessable number of websites, Helme published his findings on a variety of common internet security technologies. Broadly, he found that most security measures were on the top – except for extended verification (EV) certificates.
On HTTPS, Helme found that 71.7 per cent of sites he scanned actively redirected his crawler to use HTTPS-encrypted connections, a figure he said had improved markedly from 57.6 per cent in September 2019.
Similarly, TLS v1.1 – which browser-maker Mozilla said it would actively block from March 2020 onwards – has completely disappeared from Helme's analysis, while v1.3 has spread from around 16 per cent of websites to 37 per cent of the million sites analysed, itself an increase of 129 per cent over the last 18 months.
"It seems like industry-wide efforts to focus on deploying more and better encryption are really paying off and I hope that focus and drive can start to spread to other areas of security as we approach the saturation point for HTTPS," Helme told The Register.
To EV or not to EV? Sod it, ditch 'em
Not all is good news, depending on your point of view. EV certificates are dying out at a rate of knots with just 10,174 sites using them – a sharp drop since August 2018's high point of 25,000 sites, according to Helme's figures.
EV certificates used to be displayed fairly prominently in browsers and included the certified organisation's physical address. A couple of years ago Google all but hid the EV details in its dominant Chrome browser, on the grounds that ordinary users didn't care about the details. Shortly afterwards Mozilla followed suit in Firefox.
"The rise of Let's Encrypt marks a sharp drop in the perceived value of EV certificates," said Kevin Bocek, veep of security strategy and threat intelligence at Venafi (which sponsored Helme's report). "Browsers no longer give EV certificates any special treatment, and the speed of development today simply does not accommodate the slow, manual approval processes connected with them... Given that EV certificates are not automation friendly, their usage and value is going to continue to drop."
Keys to victory
Authentication key usage to secure the initial stages of negotiating an HTTPS connection was something that surprised Helme, as he told us. His figures showed that RSA keys are generally more prevalent than ECDSA among website operators.
Helme told El Reg: "RSA3072 is notably slower than RSA2048 and the performance hit for jumping up to RSA4096 is really quite something. If sites are taking the performance hit in the pursuit of stronger keys for better security, they should be switching to ECDSA which will give them better security and better performance at the same time, which is a rare thing as usually when you try to increase performance or security, one will cost you the other."
- OpenSSL alpha adds TLS 1.3 support
- Google to bury indicator for Extended Validation certs in Chrome because users barely took notice
- It's not easy being green: EV HTTPS cert seller Sectigo questions Chrome's logic in burying EV HTTPS cert info
- These truly are the end times for TLS 1.0, 1.1: Firefox hopes to 'eradicate' weak HTTPS standard by blocking it
Back in 2014 as public outrage over US dragnet internet surveillance was at its peak, the IETF briefly mulled deprecating RSA altogether from TLS v1.3.
This eventually happened in 2018, but the widespread use of TLS v1.2 means RSA is still a feature of the wider internet for now.
Helme added that his gut feeling was that most operators are content with what they've got and haven't figured out that ECDSA might come with performance benefits.
The full report can be read on Helme's website, free from paywalls or payment-by-handing-over-email-address mechanisms. You can even view the raw data. ®