
A third of you slackers out there still aren't using HTTPS by default
2021-12-09 19:46

Almost a third of the world wide web's top million sites are still not using HTTPS by default, according to infosec researcher Scott Helme's analysis.

TLS v1.1 - which browser-maker Mozilla said it would actively block from March 2020 onwards - has completely disappeared from Helme's analysis, while v1.3 has spread from around 16 per cent of websites to 37 per cent of the million sites analysed, itself an increase of 129 per cent over the last 18 months.

"It seems like industry-wide efforts to focus on deploying more and better encryption are really paying off and I hope that focus and drive can start to spread to other areas of security as we approach the saturation point for HTTPS," Helme told The Register.

EV certificates are dying out at a rate of knots with just 10,174 sites using them - a sharp drop since August 2018's high point of 25,000 sites, according to Helme's figures.

The choice of authentication keys used to secure the initial stages of negotiating an HTTPS connection was something that surprised Helme, as he told us.

Helme told El Reg: "RSA3072 is notably slower than RSA2048 and the performance hit for jumping up to RSA4096 is really quite something. If sites are taking the performance hit in the pursuit of stronger keys for better security, they should be switching to ECDSA which will give them better security and better performance at the same time, which is a rare thing as usually when you try to increase performance or security, one will cost you the other."
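The trade-off Helme describes can be measured with the Go standard library alone. The program below is an added example, not code from Helme's analysis or from The Register: it times signing with RSA 2048, 3072 and 4096 keys against ECDSA P-256 and records the signature size for each. The names `Result`, `must` and `Compare`, the signed message and the choice of PKCS#1 v1.5 padding for RSA are assumptions made for the illustration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// Result is the measurement for one key type (signature bytes, mean time per signature).
type Result struct{ Name string; SigLen int; PerSign time.Duration }

func must[T any](v T, err error) T { // panics if key generation or signing fails
	if err != nil {
		panic(err)
	}
	return v
}

// Compare signs one SHA-256 digest n times with each freshly generated key.
// Results are returned in the order RSA2048, RSA3072, RSA4096, ECDSA P-256.
func Compare(n int) []Result {
	names := []string{"RSA2048", "RSA3072", "RSA4096", "ECDSA P-256"}
	keys := []crypto.Signer{
		must(rsa.GenerateKey(rand.Reader, 2048)),
		must(rsa.GenerateKey(rand.Reader, 3072)),
		must(rsa.GenerateKey(rand.Reader, 4096)),
		must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)),
	}
	digest := sha256.Sum256([]byte("constructed sample handshake transcript"))
	var out []Result
	for i, k := range keys {
		var sig []byte
		start := time.Now()
		for j := 0; j < n; j++ { // RSA keys sign with PKCS#1 v1.5 padding here (assumption)
			sig = must(k.Sign(rand.Reader, digest[:], crypto.SHA256))
		}
		out = append(out, Result{names[i], len(sig), time.Since(start) / time.Duration(n)})
	}
	return out
}

func main() {
	for _, r := range Compare(20) {
		fmt.Printf("%-12s %3d-byte signature  %v per signature\n", r.Name, r.SigLen, r.PerSign)
	}
}
```

Timings depend on the machine and Go version, so compare the rows against each other rather than reading them as absolute figures.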


News URL

https://go.theregister.com/feed/www.theregister.com/2021/12/09/top_1_million_report_scott_helme/