

There are currently three versions of the TLS protocol in use today: TLS 1.0, 1.1, and 1.2. TLS 1.0 was released in 1999, making it a nearly two-decade-old protocol. It has been known to be vulnerable to attacks, such as BEAST and POODLE, for years, in addition to supporting weak cryptography, which doesn’t keep modern-day connections sufficiently secure. TLS 1.1 is the forgotten “middle child.” It doesn’t have any known protocol vulnerabilities, though it does share support for bad cryptography like its younger sibling. In most software it was leapfrogged by TLS 1.2 and it’s rare to see TLS 1.1 used. These versions are rarely used by clients, falling to single-digit percentages of all HTTPS connections made for many sites. Yet, of the 150,000 HTTPS-enabled sites monitored by SSL Pulse, 88% support TLS 1.0 and 85% support TLS 1.1. It may seem obvious that it’s time to stop using these dated versions of the protocol that back HTTPS, but on the internet there’s a big difference between nearly dead and dead.

This year a large number of websites and services are finally ending support for TLS 1.0 and 1.1 (including DigiCert).

How widely used are older versions of TLS?

Almost everyone reading this post, and in fact most of the internet, is using TLS 1.2, the current latest version of the protocol (though TLS 1.3 is around the corner, more on that later). This is the only version of the protocol that is recommended by cryptographers and considered to be “modern.” However, a small portion of users may not be ready for the switch due to outdated software. Despite being released in 2008, TLS 1.2 support was absent from some major platforms and browsers for some time. Internet Explorer didn’t support TLS 1.2 until 2013’s release of version 11 and Android versions prior to 5.0 (released 2014) only supported TLS 1.0, which represents nearly 18% of Android devices still in use today. Measuring TLS protocol use across the internet is very hard. One good indicator is data from Cloudflare, which, as one of the world’s largest CDNs, has good visibility into things happening at internet-scale. They recently shared that about 11% of traffic on their network uses TLS 1.0 (with only a tiny portion (0.38%) using TLS 1.1). What is even harder to determine is what percent of traffic comes from the consumer software used by organic, squishy humans on the internet, and what percent is coming from other computers running web servers, API endpoints, and other software.
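The measurement question this post raises can also be answered for a single site before it ends support for TLS 1.0 and 1.1. The following is an added example, not part of the original post: it assumes an nginx access log written with a hypothetical `log_format` of `$remote_addr $ssl_protocol "$http_user_agent"`, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed nginx format: log_format tls '$remote_addr $ssl_protocol "$http_user_agent"';
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<proto>TLSv1(?:\.[0-3])?|SSLv3|-) "(?P<ua>[^"]*)"$')
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 TLSv1.2 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/66.0"
203.0.113.9 TLSv1 "Mozilla/5.0 (Linux; U; Android 4.4.2) AppleWebKit/534.30"
198.51.100.7 TLSv1 "Java/1.6.0_45"
198.51.100.7 TLSv1 "Java/1.6.0_45"
203.0.113.20 TLSv1.1 "curl/7.19.7"
192.0.2.44 TLSv1.2 "Mozilla/5.0 (Macintosh) Safari/605.1"
192.0.2.45 TLSv1.2 "python-requests/2.18.4"
192.0.2.46 TLSv1.2 "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"
this line is malformed and must be skipped
192.0.2.47 - "plain-http-health-check"
"""

def summarize(log_text):
    """Return (percent share per protocol, legacy client counts by kind and UA)."""
    protos = Counter()
    legacy = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] == "-":      # unparsable, or not a TLS request
            continue
        protos[m["proto"]] += 1
        if m["proto"] in LEGACY:
            # Heuristic: browsers send a Mozilla/ prefix; everything else is
            # treated as software (API clients, scripts, other servers).
            kind = "browser" if m["ua"].startswith("Mozilla/") else "software"
            legacy[kind][m["ua"]] += 1
    total = sum(protos.values())
    share = {p: round(100 * n / total, 1) for p, n in protos.items()} if total else {}
    return share, {k: dict(v) for k, v in legacy.items()}

if __name__ == "__main__":
    share, legacy = summarize(SAMPLE_LOG)
    for proto, pct in sorted(share.items()):
        print(f"{proto:8} {pct:5.1f}%")
    for kind, agents in legacy.items():
        for ua, n in sorted(agents.items(), key=lambda kv: -kv[1]):
            print(f"legacy {kind:8} {n:3}  {ua}")
```

The browser/software split is only a User-Agent heuristic, so treat the "software" bucket as a list of integrations to contact before the cutoff rather than an exact count.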
