In the pantheon of security configuration duties for organizations running internet assets, maintaining the latest TLS encryption protocols to keep the cryptographic apparatus at full strength is one of the most fundamental. TLS provides cover for the most sensitive personal and financial information that moves across the internet. As experts in measuring and monitoring third-party risk, RiskRecon and the data scientists from Cyentia Institute recently published a new report that leveraged unique scan data from millions of web servers around the world, via the RiskRecon platform, to see where the rollout of TLS 1.2 is going smoothly and where it is meeting resistance.
Together with its precursor SSL, TLS has long been in the crosshairs of both attackers and security researchers, who understand that a weak or non-existent deployment of the protocol makes it trivial to carry out man-in-the-middle and other attacks against the vulnerable target. In the last five years, SSL/TLS has been one of the components most frequently tied to branded vulnerabilities, à la Heartbleed, POODLE, BEAST, DROWN, you name it. This high-profile activity has driven the crypto community to keep working hard to refine TLS. It’s why the biggest standards bodies and regulators, including the Internet Engineering Task Force, the National Institute of Standards and Technology, and the Payment Card Industry Security Standards Council, mandate that operators of web servers ensure they are using the most up-to-date version of the protocol, TLS 1.2, before the end of 2020.
Additionally, TLS 1.0 and 1.1 have been (or are in the process of being) deprecated in one way or another by major browsers. This means that major web browsers are also planning on turning the screws to organizations in the latter half of 2020, warning that they’ll soon throw up browser warnings when a user visits a site that doesn’t support TLS 1.2.
The data scientists from Cyentia Institute examined RiskRecon scan data and found that not only are a statistically significant number of organizations running out-of-date versions of TLS but that problems with this protocol are often an excellent bellwether for broader security hygiene issues.
The good news is that the report concluded that the vast majority of the internet is now running TLS 1.2. Only about 2.2% of web hosts don’t support it. However, digging deeper into the analysis, the data scientists found that many, many organizations don’t support TLS 1.2 across all of their deployments, and a lot of the holes are found on servers that deal with private data.
Given that promising 2.2% number, it’s easy to conclude that TLS 1.2 support is something organizations as a whole are doing well. However, because RiskRecon not only collects data on individual hosts but can also determine which organizations control those hosts, we can ask a perhaps more pertinent question: “What percentage of organizations have not yet fully rolled out TLS 1.2 across their web infrastructure?” The answer is a less heartening 22.2%, and in fact it varies quite a bit across industries.
Sectors such as Education (47%), Energy (40%), and Public Administration (37%) have struggled to implement TLS 1.2 protocols. This revelation led us to ask another question – “Are these hosts collecting and transmitting important information using vulnerable protocols?” The RiskRecon portal also determines web host value by examining whether a website collects and transmits important PII or credential information. If we restrict our view to just these high-value hosts, we can zero in on where the lack of TLS 1.2 represents a substantial risk: 1 in 10 organizations transmit private information over flawed protocols.
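The per-host versus per-organization distinction drawn above (and the further restriction to high-value hosts) is the step that turns a 2.2% host figure into a much larger organization figure. The following is an added example, not RiskRecon or Cyentia code, that applies that aggregation to a small constructed set of host-level scan records; the organization names, sectors and hosts are made up for illustration.

```python
from collections import defaultdict

# Constructed sample of host-level scan records (not RiskRecon data): one row per
# web host, with the organization that controls it, its sector, whether it
# negotiates TLS 1.2, and whether it handles PII or credentials ("high value").
SCAN_RECORDS = [
    # (org, sector, host, supports_tls12, high_value)
    ("univ-a", "Education", "www.univ-a.example", True, False),
    ("univ-a", "Education", "portal.univ-a.example", False, True),
    ("univ-b", "Education", "www.univ-b.example", True, True),
    ("power-c", "Energy", "www.power-c.example", True, False),
    ("power-c", "Energy", "billing.power-c.example", False, True),
    ("power-c", "Energy", "legacy.power-c.example", False, False),
    ("city-d", "Public Administration", "www.city-d.example", True, True),
    ("bank-e", "Finance", "www.bank-e.example", True, False),
    ("bank-e", "Finance", "login.bank-e.example", True, True),
    ("shop-f", "Retail", "www.shop-f.example", True, True),
    ("shop-f", "Retail", "old.shop-f.example", False, False),
]

def host_gap_rate(records):
    """Fraction of hosts that do not support TLS 1.2 (the per-host view)."""
    return sum(1 for r in records if not r[3]) / len(records)

def orgs_with_gap(records, high_value_only=False):
    """Organizations with at least one host lacking TLS 1.2; optionally
    consider only hosts that handle PII or credentials."""
    return {r[0] for r in records if not r[3] and (r[4] or not high_value_only)}

def org_gap_rate(records, high_value_only=False):
    """Fraction of organizations whose TLS 1.2 rollout is incomplete (per-org view)."""
    orgs = {r[0] for r in records}
    return len(orgs_with_gap(records, high_value_only)) / len(orgs)

def sector_gap_rates(records):
    """Per-sector fraction of organizations with an incomplete TLS 1.2 rollout."""
    orgs_by_sector = defaultdict(set)
    for org, sector, *_ in records:
        orgs_by_sector[sector].add(org)
    gap_orgs = orgs_with_gap(records)
    return {s: len(o & gap_orgs) / len(o) for s, o in orgs_by_sector.items()}

if __name__ == "__main__":
    print(f"hosts lacking TLS 1.2: {host_gap_rate(SCAN_RECORDS):.1%}")
    print(f"orgs with incomplete rollout: {org_gap_rate(SCAN_RECORDS):.1%}")
    print(f"orgs exposing a high-value host: {org_gap_rate(SCAN_RECORDS, True):.1%}")
    for sector, rate in sorted(sector_gap_rates(SCAN_RECORDS).items()):
        print(f"  {sector}: {rate:.0%}")
```

On this sample roughly a third of hosts lack TLS 1.2 but half of the organizations do, which is the same widening the report observes when host data is rolled up to the organization level.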
While our study found that this fundamental protocol lacks attention from some IT security teams, it needs no further introduction to those who would look to exploit any vulnerability in web communications. The clock is ticking to properly secure your lines of internet communication: standards bodies and web browsers have put out their warnings, and there is no time like the present to get up to speed.