The current state of TLS
In this study we decided to explore the state of TLS right now. We used a subset of the Cisco Umbrella 1 Million (a free list of the top 1 million most-popular domains) for the experiment.
There are several reports published by providers from their point of view, looking at TLS versions and ciphers advertised by browsers, and it was interesting for us to try doing it from the client perspective, to see which parameters end up being negotiated upon successful connection to actual websites.
The experiment was conducted on the top 100,000 host names. Using the latest OpenSSL binary packaged with AWS lambda seemed like a good way to run multiple short queries to get the most up-to-date information in a fast and cost-effective way.
As we are using the list of popular domains, a significant portion of hosts denied connections (for example, some require specific SNI extension data to succeed). As a result, about 79% of attempts were successful, and about 21% failed to connect. However, 79% out of 100,000 is still a great number to collect and analyze information.
For the purpose of the analysis, we will consider 78,344 names that resulted in an established connection.
TLS 1.2 turned out to be the most popular as expected, dominating the scene with a whopping 94%. Emerging TLS 1.3 took the second place with 5%, and TLS 1 and 1.1 shared the leftover 1%. It is regretful to see TLS 1.3 still being so low, even though the protocol specification is close to being ratified as a standard. ECDHE clearly dominates, which is good news. ECDHE-ECDSA is still lagging, taking a third place, being dwarfed by ECDHE-RSA varieties.
Another interesting observation is that CHACHA20-POLY1305 is quite high in the list, in fourth place.
For ephemeral key exchanges, server temporary key breakdown shows the dominance of P-256 elliptic curves and David Bernstein's X25519 curve (named after the prime number used, 2255-19). The popularity of that curve can probably be attributed to a few factors—it is not covered by patents and it is one of the fastest.
Only 3,777 sites do not seem to support ephemeral key exchanges. Permanent keys do have some advantages as they make life easier for monitoring solutions, but this cannot be an excuse to not implement stronger and safer security solutions for the sake of customers. The last bit of information that caught our eye is a list of certificate root authorities. Here are the top 25.
But, if you look at the whole list, there are 425 entries there, including self-signed certificates, at a time when Let’s Encrypt offers free and automated certificate authority.
The final results were a mixed bag for us. It was great that most websites were using stronger TLS 1.2 and moving away from older unsecured options like SSLv3. It was disappointing to see that TLS 1.3 wasn’t picking up the pace, as the standard promises the dual advantage of being more secure and faster. We hope that TLS 1.3 becomes the new standard for modern Internet encryption in near future. The issues like usage of permanent private keys at the server side or self-signed certificates by some sites, popular enough to be in the top 1M list, show that there is still work to be done making the Internet more secure and safer.