In a report on the state of TLS across the Alexa top 1 million sites, security researcher and TLS expert Scott Helme identifies trends that have emerged in the 18 months since he last prepared the report. One key finding is that the move to TLS 1.3 has been swift, but for reasons that might not have been predicted a year or so ago. While the pandemic has driven some transformation, it is not the most salient reason; according to Helme, adoption is largely a by-product of chasing other benefits.
Indeed, the speed of the move to TLS 1.3 was surprising. “Generally, I would not have expected people to chase a newer protocol version so quickly after release,” Helme said.
“If we look at the TLS 1.2 adoption, that was considerably slower in 2008. We really didn’t see a massive drive in adoption until 2013/2014 during the post-Snowden and post-Heartbleed era when people were chasing Forward Secrecy,” according to Helme.
What follows is an interview with Scott Helme about the move to TLS 1.3 and its significance.
What do you think is behind the move to TLS 1.3?
Scott Helme: The leap to TLS 1.3 happened during the pandemic. We saw a very significant spike in the adoption of TLS 1.3. But looking deeper into the data, it points to the fact that websites are using modern CDN (Content Delivery Network) providers and the fact that CDN providers have moved to newer protocol versions. That’s one of the main reasons for the big swing.
And it’s a good thing that we’re seeing an increase in adoption. Most people are very close to a cloud provider's edge node. So, between the browser and the local data center, there’s TLS 1.3 and modern ciphers. The “last mile” is where most of the threat typically resides. So, it's good that we are seeing that increase in adoption.
I think the performance aspect was probably a key contributing factor that drove this move to 1.3 at modern CDN and cloud providers. Customers needed to put their web services behind a modern CDN provider to make sure they're highly available. And the CDN provider will do all of this magic security stuff and we get it for free.
And while I think the pandemic has definitely driven some transformation, it’s perhaps not for the most obvious reason. That is, I don't think people were suddenly saying "Oh, we need to go and deploy TLS 1.3." That was more likely a byproduct of us chasing other benefits.
It’s about the ease of doing things. And not having to maintain and manage your own TLS and PKI configurations at your edge. Most of the CDN providers now will give a 10-year certificate for your origin. One cipher suite, one protocol, and you never have to reconfigure it again.
What role did TLS performance play?
Scott Helme: Like I mentioned before, I think the thing that most people were probably chasing with 1.3 is performance. Because there's not really any security benefit in 1.3 that you can't replicate in 1.2 with a good configuration. So, it's not like people are jumping to 1.3 because there's some amazing new security things. I can make 1.2 basically just as secure with a good config.
And there are just so many other additional benefits. You can get HTTP/2. You get massive performance optimizations going to 1.3 from most CDN providers. They're going to do things like TLS session resumption, OCSP stapling to try and mitigate performance and privacy impacts. Again, back at the TLS layer.
Remember that TLS 1.2 was the first ever protocol version that focused a lot on performance. All of the versions of SSL, TLS 1.0, 1.1 never really had any focus on performance. They were all about improving the protocol and making it more secure.
And most people that eventually deployed 1.2 were chasing the performance optimizations. And I think within TLS 1.3, again, there are some fantastic performance improvements. And now, performance on the web is critical. You can directly map page load time to eCommerce conversions and sales.
So, TLS 1.3 comes along and says, "Hello. We can now go potentially down to zero round trips on a handshake, and we have more efficient ciphers." The protocol itself is more efficient.
So, I think with the combination of HTTP/2 being a secure connection-only upgrade with massive performance advantages and TLS 1.3 being a protocol upgrade with potentially massive performance advantages, the majority of people have pushed to TLS 1.3 and HTTPS so quickly in the last few years because it's so much faster now. Performance is critical. That’s why organizations like Cloudflare are pushing 1.3 so aggressively onto their edge. Because it's fast and not necessarily because it's more secure.
What about the persistence of earlier versions of TLS?
Scott Helme: We’ve halved the usage pretty much of TLS V1. But half is not a lot. It's good to see 1.1 at zero though it’s not surprising given the complete lack of implementation and support for 1.1. But for 1.0, we found several hundred legacy websites out there that someone is just not maintaining anymore.
And it's odd that any of these are top one million sites and clearly not being maintained. Because when you look at the top one million sites, you must have at least some reasonable level of traffic volume in order to get there. So, it's very likely to be infrastructure that someone's operating that isn't being maintained.
For example, if you have Windows XP clients, you can keep those old protocol versions around for backwards compatibility. But that shouldn’t come at the sacrifice of supporting the new versions.
So technically, the numbers for V1 and 1.1 and 1.2 should all be zero. Now, someone might support 1.2, 1.1, and 1.0 for backwards compatibility. But that should never be the highest protocol version that you support.
Overall, I’m very happy to see the faster-than-expected transition to TLS 1.3. And because it’s likely that the move was driven by ease-of-use and automation, it’s a win-win for encryption as well as the adopting companies.
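As an added example (not from Helme's report or this interview), the following Python parser determines which protocol version a server actually negotiated from a captured ServerHello, which is the kind of check behind a survey of protocol versions like the one discussed above. It handles the TLS 1.3 quirk that the ServerHello's legacy_version field still reads 0x0303 (the TLS 1.2 value) while the real selection lives in the supported_versions extension, so a scanner that reads only the version field would under-count TLS 1.3 and mislabel it as 1.2. The three sample ServerHellos, their cipher-suite choices and the "highest version must be at least TLS 1.2" policy are constructed for illustration.

```python
import struct

# Wire values from the TLS specifications (RFC 5246 / RFC 8446).
TLS_VERSIONS = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
EXT_SUPPORTED_VERSIONS = 0x002B   # carries the selected version in a TLS 1.3 ServerHello
RECORD_HANDSHAKE = 0x16
HS_SERVER_HELLO = 0x02
MIN_ACCEPTABLE_VERSION = 0x0303   # constructed policy: highest version must be >= TLS 1.2


def build_server_hello(legacy_version, extensions=None, cipher_suite=0x1301, session_id=b""):
    """Assemble one TLS record carrying a ServerHello (constructed sample input)."""
    server_random = bytes(range(32))                       # fixed, for reproducibility
    body = struct.pack("!H", legacy_version) + server_random
    body += bytes([len(session_id)]) + session_id          # legacy_session_id_echo
    body += struct.pack("!H", cipher_suite) + b"\x00"      # cipher_suite, null compression
    if extensions is not None:                             # pre-1.3 servers may omit the block
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + struct.pack("!HH", 0x0303, len(handshake)) + handshake


def negotiated_version(record):
    """Return the protocol version a ServerHello record actually selects."""
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ServerHello")
    legacy_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                  # skip legacy_version and random
    pos += 1 + body[pos]                          # skip session id
    pos += 2 + 1                                  # skip cipher suite and compression
    if pos >= len(body):
        return legacy_version                     # no extensions: version field is authoritative
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        raise ValueError("extensions overrun ServerHello body")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == EXT_SUPPORTED_VERSIONS:    # TLS 1.3: the real selection lives here
            if ext_len != 2:
                raise ValueError("malformed supported_versions extension")
            return struct.unpack("!H", data)[0]
    return legacy_version                         # extensions present but no supported_versions


def version_name(version):
    return TLS_VERSIONS.get(version, "unknown (0x%04x)" % version)


def survey(samples, minimum=MIN_ACCEPTABLE_VERSION):
    """Map each captured ServerHello to (version name, meets policy) like a scan summary."""
    return {name: (version_name(v), v >= minimum)
            for name, v in ((n, negotiated_version(r)) for n, r in samples.items())}


# Constructed captures: a CDN edge on 1.3, a well-configured 1.2 host, and an unmaintained 1.0 host.
SAMPLES = {
    "cdn_edge_tls13": build_server_hello(
        0x0303,
        [(EXT_SUPPORTED_VERSIONS, b"\x03\x04"),
         (0x0033, b"\x00\x1d\x00\x02\xab\xcd")],   # key_share, contents irrelevant here
        cipher_suite=0x1301),                       # TLS_AES_128_GCM_SHA256
    "hardened_tls12": build_server_hello(
        0x0303, [(0xFF01, b"\x00")],                # renegotiation_info, empty
        cipher_suite=0xC02F),                       # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    "legacy_tls10": build_server_hello(
        0x0301, None, cipher_suite=0x002F),         # TLS_RSA_WITH_AES_128_CBC_SHA, no extensions
}

if __name__ == "__main__":
    for name, (ver, ok) in survey(SAMPLES).items():
        print("%-16s %-8s %s" % (name, ver, "ok" if ok else "BELOW POLICY"))
```

The lesson for anyone reproducing a survey like Helme's is in the `cdn_edge_tls13` sample: a reader that stops at the version field reports TLS 1.2 for a server that is in fact on TLS 1.3, so the adoption spike he describes would be invisible to such a tool.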
(This post has been updated. It was originally published on December 13, 2021.)