Many of the world’s top websites still support older, deprecated security protocols

New analysis suggests that many web servers are configured once and never touched again

The top 100 websites routinely fail to follow Transport Layer Security (TLS) best practices and still support older, deprecated protocols, suggests a new report.

Compiled by cybersecurity firm F5 Labs, the 2021 TLS Telemetry Report analyzes how successful the busiest websites on the internet are at implementing best practices around HTTPS and TLS, using data from scans of the web’s most popular websites.

“As old protocols prove to be insecure and new standards emerge, it has never been more important to keep HTTPS configurations up to date… As this report shows, the issue is not so much the lack of adopting new ciphers and security features but the rate at which old and vulnerable protocols are removed,” reads the report.

Commenting on the importance of this information, F5 says that websites that routinely fail to follow TLS best practices are also usually the ones that run old and likely vulnerable web servers.

Two steps forward…

David Warburton, Principal Threat Research Evangelist (EMEA) at F5 Networks, writes that the report shows that while web encryption has improved in several respects compared to last year, stagnation or even regression in many other areas is negating some of the progress.

The report notes several positives, such as the wide adoption of TLS 1.3, which has finally become the encryption protocol of choice on the majority of web servers in the top one million websites.

Furthermore, the maximum lifespan of newly issued SSL certificates also registered a significant drop in September 2020, coming down from three years to just 398 days.

…and one step back

On the flip side though, the report revealed that the top 100 sites were more likely to still support the older SSL 3, TLS 1.0, and TLS 1.1 protocols than servers with much less traffic.

More worryingly, it found that 22% of the web servers were running Apache 2.0, which was released in 2002 and last patched in 2013.

The report also observed that the number of phishing sites that used HTTPS with valid certificates to appear more legitimate grew from 70% in 2019 to nearly 83%.

“It’s clear that we’re facing two important realities heading into 2022. One is that the desire to intercept, circumvent, and weaken encryption has never been greater…The other is that the greatest weaknesses come not from the latest features we struggle to adopt but the old ones we are reluctant to disable,” concludes Warburton.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
