Search This Blog

Showing posts with label Crypto Keys. Show all posts

Half of Sites Still Using Legacy Crypto Keys

 

While the internet is growing more secure gene but slightly more than half of the websites' cryptographic keys are still generated using legacy encryption algorithms, as per the new research.

Security firm Venafi enlisted the assistance of renowned researcher Scott Helme to examine the world's top one million websites over the last 18 months. The TLS Crawler Report demonstrated some progress in a few areas. 

Nearly three-quarters of websites (72 per cent) now actively redirect traffic to HTTPS, a 15 per cent increase since March 2020. Even better, more than half of the HTTPS sites evaluated are using TLSv1.3, the most recent version of TLS. It has now surpassed TLSv1.2 as the most widely used protocol version. 

Furthermore, nearly one in five of the top one million websites now use the more secure HSTS (HTTP Strict Transport Security), which increased 44 per cent since March 2020. Even better, in the last six years of monitoring, the number of top one million sites using EV certificates has dropped to its lowest level ever. These are known for their slow, manual approval processes, which cause end users too much discomfort. 

Let's Encrypt, on the other hand, is now the most popular Certificate Authority for TLS certificates, with 28 per cent of sites using it. There is, however, still more to be done. 

According to the report, approximately 51% of sites still produce authentication keys using legacy RSA encryption techniques. These, along with TLS, help to verify and secure connections between physical, virtual, and IoT devices, APIs, applications, and clusters. 

ECDSA, a public key cryptography encryption technique with increased computational complexity and smaller authorization keys, is a far more secure alternative to RSA. As per Venafi, this implies they require less bandwidth to establish an SSL/TLS connection, making them perfect for mobile apps and IoT and embedded device support. 

Helme explained, "I would have expected that the rise in adoption of TLSv1.3 usage would have driving the ECDSA numbers up much more. One of the main reasons to keep RSA around for authentication is legacy clients that don't support ECDSA yet, but that seems at odds with the huge rise in TLSv1.3 which isn't supported by legacy clients. We also continue to see the use of RSA 3072 and RSA 4096 in numbers that are concerning.” 

“If you're using larger RSA keys for security reasons then you should absolutely be on ECDSA already which is a stronger key algorithm and offers better performance. My gut feeling here is that there's a lot of legacy stuff out there or site operators just haven't realized the advantages of switching over to ECDSA.”