TLS v1.0 Refuses to Die
The TLS v1.0 cryptographic protocol, released in 1999, has various known vulnerabilities, and security experts have recommended disabling it for some time now. However, Panorays' research into 1,150 organizations (with a total of 29,000 websites) shows that 52% of organizations still use TLS v1.0 across all of their websites.
A further 45% of organizations had at least one website running the old TLS v1.0 protocol.
As of June 30, 2018, PCI added a mandatory requirement to disable TLS v1.0 for PCI DSS compliance. From a regulatory standpoint, 97% of the organizations we assessed would now fail PCI compliance.
Vulnerabilities in TLS v1.0 have been public since 2011. Most notable among these are POODLE and BEAST. Given this information, it's no surprise that PCI decided to require disabling the old TLS v1.0 protocol. In fact, it has been a long time coming, as the original PCI deprecation date was planned for 2016.
It should be noted that there is active debate about the practicality of exploiting these vulnerabilities. But since disabling the protocol is relatively painless, you would expect organizations to play it safe.
At Panorays we have a broad view of organizations’ cyber posture and, as part of our research, we took a look at how organizations behave in regard to TLS v1.0.
To start, let’s take a look at which SSL/TLS protocols are supported across all the websites we tested:
Figure 1: Panorays protocol support graph
Comparing our results to the Qualys SSL Labs Pulse report shows similar results in terms of SSL/TLS support:
Figure 2: Qualys SSL Labs protocol support graph
These graphs indicate that TLS v1.0 is still widespread; a whopping 80% of these websites still support this outdated and vulnerable protocol.
Is TLS v1.0 being phased out?
At Panorays we observe how organizations behave over time. With this in mind, we reviewed how many websites have disabled TLS v1.0 during the last year:
Figure 3: Percentage of websites supporting TLS v1.0 over time
We can see there is movement toward disabling TLS v1.0, but it isn’t dramatic.
So is that it: does the world not care about updating its cryptographic protocols?
Until now we viewed the data from a single-website perspective. But before we jump to conclusions, let's take a look at the numbers from an organizational standpoint. This perspective is especially important since an organization may have numerous websites and applications.
Figure 4: TLS v1.0 support from a company perspective
As shown, 3% of the organizations are regulated and have completely disabled TLS v1.0.
The majority of those that disabled the old protocol are in the financial sector like WorldPay, which actually posted about this topic.
Among the organizations that have partly disabled TLS v1.0, 28% of their websites have it disabled. This is much higher than the 16% we saw in the general websites figure. The most likely reason for this is that it takes time for organizations to update all of their websites; certain assets are more important and receive more security attention, so those get priority.
The most surprising figure was the 52% of organizations that completely support the use of TLS v1.0 in all of their websites.
This quickly recalls the results we found regarding organizations' update processes for CMS systems: if a company has a problematic upgrade process, the problem is not confined to a single website but spans all of the organization's websites.
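As an added example (not part of the original post or of Panorays' tooling): a Python check for whether a given host still accepts a TLS 1.0 handshake, plus the roll-up that produces the two views contrasted above, the share of websites accepting TLS 1.0 and the per-organization fully/partly/not-disabled split. The hostnames and results in `SAMPLE` are constructed; `supports_tls10` assumes an OpenSSL-backed `ssl` module that still permits TLS 1.0 once the security level is relaxed.

```python
import socket
import ssl


def supports_tls10(host, port=443, timeout=5.0):
    """True if `host` completes a handshake when the client offers only TLS 1.0."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we test protocol support, not the certificate chain
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1
    try:  # modern OpenSSL rejects TLS 1.0 at its default security level; relax it for the probe
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # assumption: builds without SECLEVEL support simply keep their defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == "TLSv1"
    except (ssl.SSLError, OSError):
        return False  # refused or failed handshake: TLS 1.0 is not offered


def summarize(results):
    """results maps organization -> {website: bool}; True means TLS 1.0 is still accepted."""
    sites_total = sum(len(s) for s in results.values())
    sites_tls10 = sum(v for s in results.values() for v in s.values())
    orgs = {"fully_disabled": 0, "partly_disabled": 0, "fully_supported": 0}
    partly_sites = partly_off = 0  # websites belonging to partly-disabled orgs, and how many are off
    for sites in results.values():
        n_on = sum(sites.values())
        if n_on == 0:
            orgs["fully_disabled"] += 1
        elif n_on == len(sites):
            orgs["fully_supported"] += 1
        else:
            orgs["partly_disabled"] += 1
            partly_sites += len(sites)
            partly_off += len(sites) - n_on
    return {
        "website_pct_tls10": round(100 * sites_tls10 / sites_total, 1),  # the single-website view
        "org_counts": orgs,  # the organizational view
        "partly_disabled_site_pct": round(100 * partly_off / partly_sites, 1) if partly_sites else 0.0,
    }


SAMPLE = {  # constructed sample results (not Panorays data); fill from supports_tls10() in practice
    "bank-a": {"www": False, "api": False},
    "shop-b": {"www": False, "blog": True, "legacy": True},
    "corp-c": {"www": True},
    "corp-d": {"www": True, "mail": True},
}
```

On the sample, `summarize(SAMPLE)` reports 62.5% of websites accepting TLS 1.0, one organization fully disabled, one partly disabled (with 33.3% of its sites disabled) and two fully supporting it.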
Reasons for Keeping Vulnerable Protocols
Even though it is considered “not secure” and easy to fix, we’ve seen that nearly all organizations still support TLS v1.0 in parts or all of their websites.
Here are a few likely reasons:
- Business needs. There are still many end users with old browsers and applications that don't support newer versions of TLS. Their organizations made a conscious decision to keep using TLS v1.0 to keep their business "open" for these outdated users.
- Lack of awareness. Many organizations are not aware that this is an issue they need to consider.
- Regulation is young. PCI has just deprecated TLS v1.0 and it will take time for organizations to update all of their assets and for the rest of the organizations to follow.
- TLS v1.0 vulnerabilities are hard to execute and rare. Some security personnel consider them low risk.
Panorays' research shows that business needs receive a much higher priority than security. But at the end of the day, security still affects the business. The bottom line here is that it's up to regulation to get organizations to use newer cryptographic protocols, ciphers, and key exchange algorithms.
Even when the vulnerabilities don't pose a clear and immediate threat, organizations should not wait for disaster to happen; they should keep up with the latest patches and best practices. Companies that are more mature in terms of security (i.e. with a higher Cyber Posture) are, to begin with, less likely to be targeted. Additionally, these more security-aware companies are better prepared to handle real incidents when those do occur.