Welcome back to the SSLreminder blog. Today we’re looking at the current state of the SSL ecosystem with regard to TLS (SSL) protocol version support on modern websites.
To get the data we turned to SSL Pulse, a monitoring tool by SSL Labs. It is a continuous, global dashboard that tracks the quality of SSL/TLS support over time across roughly 150,000 of the world’s most popular SSL/TLS-enabled websites.
There are six SSL/TLS protocol versions in total (SSL v2.0, SSL v3.0, TLS v1.0, TLS v1.1, TLS v1.2 and TLS v1.3), but not all of them are safe to use in 2020. The commonly recommended approach is to enable TLS v1.2 and, where the server software supports it, TLS v1.3, and nothing else. During the handshake the client advertises the versions it supports and the server selects the highest one both sides share, so current clients will negotiate TLS v1.3 where it is available and settle on TLS v1.2 otherwise. SSL v2.0 and SSL v3.0 must not be enabled at all: both have been formally deprecated and have known, practical attacks against them. TLS v1.0 and TLS v1.1 are also obsolete and should be disabled; any client that still needs them is itself overdue for an upgrade.
The chart below shows that, as of May 2020, support for the obsolete versions is still widespread: 57% of the surveyed websites accept TLS v1.0 and 65% accept TLS v1.1. About 6% of them still accept SSL v2.0 and SSL v3.0, which is certainly worrying. Remember, we’re talking about some of the most popular sites in the world!
So what exactly is the danger in having outdated protocols enabled?
As a simple illustration, imagine that the protocol negotiated for a connection ends up being one of the insecure versions. That can happen for several reasons: the client is an outdated browser or an old device that offers nothing newer, or an attacker sitting between the two sides tampers with the handshake to push it down to the weakest version the server still accepts (a downgrade attack). The server can only be pushed that far because it still has the old version enabled. The browser may then report the connection as secure even though it is not. The real danger is that the old protocols have known weaknesses (the POODLE padding-oracle attack against SSL v3.0 is the best-known example, and SSL v2.0 is weaker still) that allow a man-in-the-middle (MITM) to intercept, modify and decrypt the data in transit. Disabling the old versions on the server removes the whole class of problem: if the server will not speak them, neither an old client nor an attacker can make it do so.
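If you want to see for yourself which versions a server still accepts, the script below (an added example written for this post; it is not SSLreminder’s or SSL Labs’ code) asks a host for one protocol version at a time using only Python’s standard library, then grades the result against the rule above (only TLS v1.2 and v1.3 enabled). It assumes the target is reachable on port 443 and that the local OpenSSL build still knows how to offer the legacy versions; where it does not, the version is reported as “untestable” rather than “rejected”. SSL v2.0 cannot be probed this way because modern OpenSSL has removed it entirely.

```python
"""Probe which SSL/TLS protocol versions a server is willing to negotiate.

Added example for this post (not SSLreminder's or SSL Labs' code). It pins a
client handshake to exactly one version at a time, which is essentially what
the "Protocols" section of an SSL Labs report summarises.
"""
import socket
import ssl
import sys

# Versions the standard library can ask for, oldest first.
# (SSL 2.0 is absent: modern OpenSSL no longer implements it at all.)
VERSIONS = [
    ("SSL 3.0", ssl.TLSVersion.SSLv3),
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]

# OpenSSL error reasons that mean *our* library could not offer the version,
# as opposed to the server turning it down.
LOCAL_UNSUPPORTED = {"UNSUPPORTED_PROTOCOL", "NO_PROTOCOLS_AVAILABLE", "NO_CIPHERS_AVAILABLE"}


def probe_version(host, version, port=443, timeout=5.0):
    """Return 'accepted', 'rejected' or 'untestable' for one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only the handshake outcome matters here, not who the server is, so
    # certificate validation is deliberately off for this probe.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Pin the handshake to exactly one version (minimum first, then
        # maximum, so the pair is never inverted while it is being set).
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Security level 0 lets the local OpenSSL offer the legacy cipher
        # suites that TLS 1.0/1.1 servers need; the server decides the rest.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return "untestable"  # this OpenSSL build does not ship the version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.version()  # handshake completed: the server negotiated it
                return "accepted"
    except ssl.SSLError as exc:
        if (exc.reason or "") in LOCAL_UNSUPPORTED:
            return "untestable"
        return "rejected"  # e.g. TLSV1_ALERT_PROTOCOL_VERSION from the server
    except OSError:
        return "rejected"  # connection closed/reset without a handshake


def assess(results):
    """Grade a {version: status} map against the post's rule: TLS 1.2/1.3 only."""
    findings = []
    for name in ("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"):
        if results.get(name) == "accepted":
            findings.append(f"FAIL: {name} accepted; obsolete, disable it")
    if results.get("TLS 1.2") != "accepted":
        findings.append("FAIL: TLS 1.2 not accepted; modern clients have no safe version to use")
    if results.get("TLS 1.3") == "rejected":
        findings.append("INFO: TLS 1.3 not accepted; enable it if the server software supports it")
    if not findings:
        findings.append("OK: only TLS 1.2 and TLS 1.3 are negotiated")
    return findings


def scan(host, port=443):
    """Probe every version in VERSIONS and return {name: status}."""
    socket.getaddrinfo(host, port)  # fail loudly on a typo instead of 5 x 'rejected'
    return {name: probe_version(host, ver, port) for name, ver in VERSIONS}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: tls_probe.py <hostname>")
    report = scan(sys.argv[1])
    for name, status in report.items():
        print(f"{name:8} {status}")
    for line in assess(report):
        print(line)
```

Run it as `python tls_probe.py www.example.com`. Two caveats: certificate verification is switched off because the script only checks whether a handshake completes, so use it for version checks and nothing else; and a connection that is closed without any handshake is counted as a rejection, so run it against a host you know is up.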
Did you know that SSL Labs also offers a dedicated tool for checking the configuration of your own web server? Head to https://www.ssllabs.com/ssltest/, enter your website address and hit “Submit”. One section of the detailed report it produces covers exactly this: the protocol versions your server accepts and its other secure-connection settings. Here’s an example: