Top 1 Million Analysis - June 2022

June 29, 2022 | Featured Blogger: Scott Helme

Thanks to the sponsorship provided by Venafi for this post, we have another Top 1 Million Analysis just 6 months after the last one in November 2021! Let's take a look at what's changed in the last 6 months and see if there are any new trends emerging.

The Crawl

As with all of my previous reports, the data for this report was taken from my Crawler.Ninja project. You can head over to the site and get the raw data from every single crawl, which I've run daily for over 7 years!

One of the problems with running these crawls, storing that much data and writing these reports is that all of those activities require resources in either time, money, or both. I've struggled to set aside time for projects recently so the support from Venafi has been fundamental in making sure I can carve out time to continue this work and make it available for free to everyone!

Venafi

As I mentioned in my previous Top 1 Million Analysis in November 2021, Venafi noticed I hadn't done one for a while and reached out to see why. When I explained it was just a time and funding shortage, they stepped up to help by funding two reports, with this being the second of the two!

As with the first report, this one will also be cross-posted onto the Venafi site, so be sure to stop by and show them some appreciation for supporting my work.

June 2022

In the last report in November I hadn't done an analysis for ~18 months and, as a result, we saw some pretty big changes. Because it's only been 6 months since the Nov 2021 report, we're going to see smaller changes this time around, and something else is becoming clear in the data.

[Table image]

Looking at the numbers here, it might seem at first glance that things are moving backwards, but looking a little deeper at the data, we can see that things have plateaued. The crawler had a marginally higher failure rate for the day in question (June 3rd) than it did for the scan back in Nov 2021, so whilst, for example, the number of sites with a CSP seems to be lower, if you factor in the failure rate it has remained pretty constant.

HTTPS

As we may have expected over the last few years, the progress of deploying encryption across the Web has slowed significantly. Again, we have to factor in the transient error rate of the crawler, but if we do that, we can see that very little progress has been made in deploying more encryption over the last 6 months.

This is both a good thing and a bad thing: we have made phenomenal progress over the last few years in getting the vast majority of the Web encrypted, but we're now slowing significantly as we approach ~75% of sites using HTTPS. I continue to speculate on whether the remainder are just sites that nobody is maintaining, but then, how do they remain in the Top 1 Million sites online? It's certainly an interesting question, for which I don't currently have an answer, but here's a better look at the plateau in our progress.

[Line chart image]

[Table image]

HTTP Strict Transport Security

As we have seen historically, the adoption of other security mechanisms closely follows the deployment of HTTPS, and HSTS has continued to do so.

[Chart image]

The June 2022 scan shows us that the rate of HSTS usage has plateaued along with HTTPS, which makes sense as HTTPS is a prerequisite for HSTS, but I have a feeling this trend will continue into other metrics too.

Certificates

After seeing tremendous success since starting in 2015, Let's Encrypt have stormed to the top of the leader board for the number of sites using them. In this latest analysis, Let's Encrypt remain at the top of the leader board and maintain their advantage.

Whilst Let's Encrypt do stay out in the lead, we can see that Cloudflare has made up some ground and closed the gap a little, at the cost of other CAs in the list. Another interesting point to note is the seemingly rapid rise of Let's Encrypt's ECDSA intermediate, which is now doing a noticeable amount of issuance. Back in Nov 2021 the E1 intermediate didn't even make it into the top 10 issuers, but this time around it has jumped right in at number 5!

Top 10 issuers (number of sites):

1. C = US, O = Let's Encrypt, CN = R3 - 209,527
2. C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3 - 138,081
3. C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA - 37,423
4. C = US, O = Amazon, OU = Server CA 1B, CN = Amazon - 29,053
5. C = US, O = Let's Encrypt, CN = E1 - 20,273
6. C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2 - 19,990
7. C = US, ST = TX, L = Houston, O = "cPanel, Inc.", CN = "cPanel, Inc. Certification Authority" - 16,837
8. C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1 - 12,716
9. C = US, O = DigiCert Inc, CN = RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1 - 8,071
10. C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G1 - 5,246

Whilst the absolute number of sites using HTTPS hasn't really changed, and thus the number of sites using certificates hasn't really changed, we continue to see a decline in the use of EV certificates.

[Histogram image]

This is really quite noticeable when you look at the absolute numbers: even factoring in the success/failure rate of the crawler, there is still a significant decline in the use of EV certificates.

[Table image]

[Line chart image]

Certificate Authority Authorisation

Whilst we haven't seen much growth in the use of HTTPS and certificates, the usage of CAA has been quite low in recent years, so there is still room for significant growth in the use of CAA, and we have seen some increase in adoption.

In Nov 2021, only 31,533 sites were using CAA, but in Jun 2022 that number has risen to 35,537, which is almost a 13% increase! Looking at the 5 most common CAA configurations, it seems that Google-owned properties might be responsible for most of that increase, but Let's Encrypt continue to show their dominance even in the CAA records!

Top 5 CAA configurations (number of sites):

1. 6,226 sites
   CAA     0 issue "digicert.com; cansignhttpexchanges=yes"
   CAA     0 issuewild "digicert.com; cansignhttpexchanges=yes"
   CAA     0 issue "comodoca.com"
   CAA     0 issue "letsencrypt.org"
   CAA     0 issue "pki.goog; cansignhttpexchanges=yes"
   CAA     0 issuewild "comodoca.com"
   CAA     0 issuewild "letsencrypt.org"
   CAA     0 issuewild "pki.goog; cansignhttpexchanges=yes"

2. 3,062 sites
   CAA     0 issue "letsencrypt.org"

3. 1,460 sites
   CAA     0 issue "digicert.com; cansignhttpexchanges=yes"
   CAA     0 issuewild "digicert.com; cansignhttpexchanges=yes"
   CAA     0 issue "comodoca.com"
   CAA     0 issue "letsencrypt.org"
   CAA     0 issuewild "comodoca.com"
   CAA     0 issuewild "letsencrypt.org"

4. 1,227 sites
   CAA     0 issue "comodoca.com"
   CAA     0 issue "digicert.com; cansignhttpexchanges=yes"
   CAA     0 issue "letsencrypt.org"
   CAA     0 issue "pki.goog; cansignhttpexchanges=yes"
   CAA     0 issuewild "comodoca.com"
   CAA     0 issuewild "digicert.com; cansignhttpexchanges=yes"
   CAA     0 issuewild "letsencrypt.org"
   CAA     0 issuewild "pki.goog; cansignhttpexchanges=yes"

5. 555 sites
   CAA     0 issue "pki.goog"
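To see what one of these record sets actually permits, here is an added example (not part of the original post or the Crawler.Ninja code) that parses CAA lines in the form printed above and applies the RFC 8659 rules a CA follows: issuewild governs wildcard names and is ignored for everything else, and a set with no applicable issue/issuewild record leaves issuance unrestricted. The sample record set is the most common configuration from the table; the parameters (such as cansignhttpexchanges) are kept so you can inspect them.

```python
"""Evaluate a CAA record set the way a CA would under RFC 8659."""
import re
from typing import NamedTuple

class CAA(NamedTuple):
    flags: int
    tag: str          # issue, issuewild or iodef
    issuer: str       # issuer-domain-name, lower-cased; "" means "nobody"
    params: dict      # e.g. {"cansignhttpexchanges": "yes"}

# zone-file style line as printed in the post: CAA <flags> <tag> "<value>"
_LINE = re.compile(r'^CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"\s*$')

def parse_caa(text: str) -> list[CAA]:
    """Parse one CAA record per line; raises on anything that is not CAA."""
    records = []
    for line in text.strip().splitlines():
        m = _LINE.match(line.strip())
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        issuer, *rest = [p.strip() for p in m[3].split(";")]
        params = {k.strip(): v.strip()
                  for k, _, v in (p.partition("=") for p in rest if p)}
        records.append(CAA(int(m[1]), m[2].lower(), issuer.lower(), params))
    return records

def may_issue(records: list[CAA], ca: str, wildcard: bool = False) -> bool:
    """RFC 8659 s.4.2/4.3: issuewild governs wildcard names and is ignored
    for others; with no applicable issue/issuewild record, any CA may issue."""
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    relevant = (issuewild or issue) if wildcard else issue
    if not relevant:
        return True
    return any(r.issuer == ca.lower() for r in relevant)

# Constructed sample: the most common configuration in the post's CAA table.
SAMPLE = """
CAA     0 issue "digicert.com; cansignhttpexchanges=yes"
CAA     0 issuewild "digicert.com; cansignhttpexchanges=yes"
CAA     0 issue "comodoca.com"
CAA     0 issue "letsencrypt.org"
CAA     0 issue "pki.goog; cansignhttpexchanges=yes"
CAA     0 issuewild "comodoca.com"
CAA     0 issuewild "letsencrypt.org"
CAA     0 issuewild "pki.goog; cansignhttpexchanges=yes"
"""
```

Call `may_issue(parse_caa(SAMPLE), "letsencrypt.org", wildcard=True)` to check a wildcard request; a record of `issue ";"` yields an empty issuer name that matches no CA and so blocks issuance entirely.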

TLS versions

Whilst TLSv1.2 was clearly the protocol of choice a couple of years ago, it's safe to say that TLSv1.3 is now the favourite protocol, with over 2x as many sites choosing it.

[Table image]

Despite the slowdown in the adoption of HTTPS, TLSv1.3 has continued to see an increase in adoption, meaning that the sites using HTTPS are upgrading their TLS protocol versions over time. If we take a look at the top 10 server header values for sites that use TLSv1.3, we can see why that might be.

SELECT server, count(*) AS count FROM `results` WHERE httpVer = "http/2.0"
GROUP BY server ORDER BY count DESC

SERVER                    COUNT
cloudflare                165,484
nginx                      66,440
Apache                     45,532
NULL                       19,224
LiteSpeed                  16,050
AmazonS3                    4,337
openresty                   3,327
nginx/1.18.0 (Ubuntu)       2,930
Apache/2.4.41 (Ubuntu)      2,899
Apache/2.4.29 (Ubuntu)      2,652

Almost 50% of the sites that support TLSv1.3 are using Cloudflare as their CDN provider, which ensures they have TLSv1.3 support without any additional work on their part. That's quite a sizeable chunk of modern protocol support that we might not otherwise have.