EV certificate usage declining: Is the internet becoming more secure?

Driven by the acceleration of digital transformation and cloud migration during the pandemic, the analysis of the world’s top 1 million sites over the last 18 months shows that in many ways, the internet is becoming more secure. Use of encryption is increasing and the adoption of newer TLS protocols is rising, a Venafi report reveals.

However, despite the adoption of stronger encryption protocols, many companies continue to use legacy RSA encryption algorithms to generate keys, which in conjunction with TLS certificates, act as machine identities that authorize secure connections between physical, virtual and IoT devices, APIs, applications and clusters. RSA algorithms are significantly less secure than modern alternatives.

Key findings

• 72% of sites now actively redirect traffic to use HTTPS (Hypertext Transfer Protocol Secure)—a 15% increase since March 2020.
• Almost one in five of the top 1 million sites now use HSTS (HTTP Strict Transport Security)—a 44% increase since March 2020.
• More than half of the top 1 million sites that use HTTPS are using TLSv1.3, the latest version of TLS (Transport Layer Security), which has overtaken TLSv1.2 to become the most popular protocol version.
• RSA continues to be preferred in digital signature algorithms, with 50.47% of sites using it.
• Let’s Encrypt is now the leading CA (Certificate Authority) for TLS certificates, with 28% of sites using it.

Of the three categories of key generation algorithms commonly used for asymmetric encryption – RSA, DSA and ECDSA – ECDSA is the most secure due to the computational complexity. ECDSA generates significantly smaller authorization keys, which require less bandwidth to set up an SSL/TLS connection. These smaller keys are ideal for mobile applications, and since they can be stored in devices with much more limiting memory constraints, ECDSA keys are ideal to support mTLS stacks in IoT and embedded devices.

“I was hoping that the uptake in TLSv1.3 would push people to use ECDSA keys for authentication instead of RSA because they are much more secure, but sadly, that hasn’t happened,” said Scott Helme, security researcher and encryption expert.

“It seems that RSA is still the preferred key algorithm by quite a considerable margin. Organizations say they keep RSA around for legacy clients that don’t yet support ECDSA, but the huge rise in TLSv1.3 use is at odds with that notion because it isn’t supported by legacy clients either.”

“We also continue to see use of RSA 3072 and RSA 4096 algorithms in numbers that are concerning. This suggests that more work is needed to inform site operators about the security and performance advantages of the newer ECDSA key algorithm,” added Helme.

Newer TLS protocols topping the CA rankings

The research also shows that Let’s Encrypt now leads the CA market for TLS — a particularly notable achievement, given that in 2016 Let’s Encrypt was completely absent from the top 1 million. Twenty-eight percent of sites scanned use Let’s Encrypt, with Let’s Encrypt and Cloudflare accounting over half of the top 1 million TLS certificates in use.

The rise of Let’s Encrypt has been mirrored by a sharp decline in the use of extended validation (EV) certificates. The number of top 1 million sites using EV certificates is at its lowest point ever in the last six years of analysis.

“The rise of Let’s Encrypt marks a sharp drop in the perceived value of EV certificates,” said Kevin Bocek, VP, security strategy and threat intelligence at Venafi. “Browsers no longer give EV certificates any special treatment, and the speed of development today simply does not accommodate the slow, manual approval processes connected with them. Cloud-native technologies require much larger numbers of TLS certificates, and these technologies absolutely require automation for machine identities. Given that EV certificates are not automation friendly, their usage and value is going to continue to drop.”