
More than 50% of web servers still use insecure key exchanges

F5 Labs’ 2021 TLS Telemetry Report states that half of all web servers still use insecure key exchanges.


According to F5 Labs’ 2021 TLS Telemetry Report, which frequently scans 1 million of the world’s top websites, over half of all web servers still allow the use of insecure RSA key exchanges. At the same time, certificate revocation remains problematic, and old, rarely updated servers are visible everywhere.

The report found that attackers are increasingly learning how to use Transport Layer Security (TLS) to their advantage in phishing campaigns. Alongside this, new fingerprinting techniques are raising questions about the prevalence of malware servers hiding in the top 1 million websites.

“More than ever, nation-states and cybercriminals alike are attempting to work around the problems caused by strong encryption. With these risks ever-present, it has never been more important to focus on strong and up-to-date HTTPS configurations, particularly when digital certificates are shared across different services,” said David Warburton, Senior Threat Research Evangelist at F5 and the author of the report.

Varied support

F5 Labs found that the faster, more secure TLS 1.3 protocol is gaining ground. For the first time, TLS 1.3 was the encryption protocol of choice for most web servers on the Tranco 1M list. Nearly 63% of servers now prefer TLS 1.3, as do over 95% of all browsers in active use.

Support can vary drastically, however. In some countries, such as the United States and Canada, as many as 80% of web servers choose it, while in others, such as China and Israel, only 15% of servers support it.

Meanwhile, DNS Certification Authority Authorization (CAA) records, which can help prevent the fraudulent issuance of certificates, grew in prevalence from 1.8% of sites in 2019 to 3.5% in 2021. F5 Labs believes this shows a positive and steady increase, but it also demonstrates how few sites use them.

While almost all servers in the top list prefer secure Diffie-Hellman key agreements, 52% of servers were still allowing the use of insecure RSA key exchanges if that is all the client supports.
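What "allowing RSA key exchange if that is all the client supports" looks like in practice, as an added nginx configuration example (not from the report or from F5): the weak server block beside the corrected one. The hostname and certificate paths are placeholders.

```nginx
# Added example, not from the F5 Labs report. Hostname and certificate
# paths are placeholders; adapt them to the server being configured.

# BEFORE: nginx's default-style cipher list still contains suites that
# use static RSA for key exchange (e.g. AES128-GCM-SHA256). A client that
# offers only those gets a session with no forward secrecy, and the
# private key, if ever stolen, decrypts recorded traffic.
server {
    listen 443 ssl;
    server_name example.invalid;                         # placeholder
    ssl_certificate     /etc/nginx/tls/fullchain.pem;    # placeholder
    ssl_certificate_key /etc/nginx/tls/privkey.pem;      # placeholder
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}

# AFTER: only ephemeral ECDHE suites remain. "!kRSA" removes every suite
# that uses RSA for key exchange while still permitting RSA signatures
# for server authentication, so the existing certificate keeps working.
# TLS 1.3 suites are always ephemeral and need no cipher-string change.
server {
    listen 443 ssl;
    server_name example.invalid;                         # placeholder
    ssl_certificate     /etc/nginx/tls/fullchain.pem;    # placeholder
    ssl_certificate_key /etc/nginx/tls/privkey.pem;      # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!kRSA:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve X25519:secp256r1;
}
```

To confirm the change took effect, run `openssl s_client -connect <host>:443 -tls1_2 -cipher kRSA` against the server; with the corrected block the handshake fails, because no RSA key-exchange suite is left to negotiate.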

Revocation methods broken

F5 Labs’ research also showed how revocation methods are almost entirely broken. Revoking a stolen certificate becomes much less of an issue if it will expire in just a few weeks, which is driving a growing desire across the certificate authority (CA) and browser industry to move toward extremely short-lived certificates. The single most common certificate lifespan was 90 days, which accounted for just over 42% of all sites.

Increased security risks

Growing security concerns are another key takeaway from the report. The number of phishing sites using HTTPS with valid certificates to appear more legitimate grew from 70% in 2019 to nearly 83% in 2021. Around 80% of malicious sites now come from just 3.8% of hosting providers.

In terms of service providers, phishers tended to slightly prefer Fastly, with Unified Layer, Cloudflare, and Namecheap just behind. Facebook and Microsoft Outlook/Office 365 were the most commonly spoofed brands in phishing attacks. Stolen credentials from these sites have great value, partly because so many other accounts rely on them as identity providers (IdPs) or for password resets.

F5 Labs also found that webmail platforms constituted 10.4% of impersonated web functions, which is almost as high as Facebook. This means phishing attacks are as common against webmail as they are against Facebook accounts.
