
September 23, 2011

SSL Survey: How many sites support TLS 1.1 and better?

In the last two weeks there's been a lot of chatter about a new attack against SSL and a tool called BEAST. You can find some coverage here, here, and here. The public has not seen any details of the attack yet (they are expected to be released at the ekoparty security conference), but crypto experts have a good idea what it is.

As it appears that the attack would not work against TLS 1.1 and better, suddenly everyone is interested in how many web sites support the newer protocol versions. Virtually none. To illustrate, I am including a slide from my recent Black Hat presentation, which shows that, even though TLS 1.1 is a 5-year-old protocol, there is virtually no support for it.

If you're interested in what exactly is supported in various products, Thierry Zoller has a very good overview. If you want to know more about how SSL is deployed in practice, read our full survey results.

Note: The above slide shows results from an analysis of about 300,000 SSL sites taken from Alexa's list of the 1 million most popular sites. In a separate analysis we also looked at all SSL sites (1.2 million of them), and the numbers are practically identical.


Comments


Glad to finally see a figure about TLS 1.+ support, I was looking for this thing!

While trying to find the market share of TLS v1.+, I figured I would make my own unscientific investigation: disable SSLv3 and TLSv1.0 and try for a few days to see if I can continue to surf.

Woah, that was fast... Didn't take me more than a minute to lock me out of a dozen web sites! :-)

It struck me first that there is no client-side support (disabled by default in IE and not available in FF) and second that there is no support at the server side (even security-conscious web sites -- mmh, let's pick ssllabs.com! :-) -- don't support it).

What? No support at both ends?!?

Well, turns out to be a server interoperability issue apparently:

"Misbehaving HTTPS Servers impair TLS 1.1 and TLS 1.2
(...) if they enable these new protocols, some secure sites will fail to load (...) If you examine the "Encrypted Alert" from the server, you will see that it contains the byte sequence "02 46", meaning Fatal Alert: Protocol Version. (...) The server isn't supposed to behave this way (...)"
http://blogs.msdn.com/b/ieinternals/archive/2011/03/25/misbehaving-https-servers-impair-tls-1.1-and-tls-1.2.aspx

So, we can't solve the issue with TLSv1.0 by adopting TLSv1.+ because it would break the web? And this is because years ago TLSv1.+ wasn't adopted because it would break the web?

Sounds familiar? Well, not sure, but I seem to remember a story where servers would still support the broken SSLv2 because it would otherwise break clients...

Oh, no, that can't be true, I must be mistaken... :-)
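As an added illustration (not part of the post or of the comment above), the Python below decodes the "02 46" alert payload the quoted IE article mentions and contrasts a server that negotiates versions correctly with the version-intolerant pattern that blocks TLS 1.1/1.2 clients. The record bytes, version tuples and function names are constructed here for the example.

```python
"""Added example: decode a TLS alert record and model version negotiation."""
import struct

ALERT_CONTENT_TYPE = 21          # TLS record type for alerts (RFC 5246 6.2.1)
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version"}
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# Constructed sample, not a capture: alert record, legacy version 3.1 in the header,
# payload "02 46" = fatal (2) / protocol_version (70), the pattern the IE post describes.
SAMPLE_ALERT = bytes.fromhex("15 03 01 00 02 02 46")


def parse_record(data):
    """Split one TLS record into (content_type, (major, minor), payload)."""
    if len(data) < 5:
        raise ValueError("record header is 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    return ctype, (major, minor), payload


def describe_alert(data):
    """Return (level, description) for an alert record, e.g. ('fatal', 'protocol_version')."""
    ctype, _version, payload = parse_record(data)
    if ctype != ALERT_CONTENT_TYPE or len(payload) != 2:
        raise ValueError("not a TLS alert record")
    return (ALERT_LEVELS.get(payload[0], "unknown"),
            ALERT_DESCRIPTIONS.get(payload[1], "unknown(%d)" % payload[1]))


def negotiate(client_max, server_min, server_max):
    """Correct behaviour (RFC 5246, Appendix E.1): a server offered a version newer
    than it knows answers with the highest version it supports, and alerts only
    when the client's best version is below the server's floor."""
    chosen = min(client_max, server_max)
    if chosen < server_min:
        return ("alert", "protocol_version")
    return ("server_hello", VERSION_NAMES.get(chosen, "%d.%d" % chosen))


def intolerant_negotiate(client_max, server_min, server_max):
    """The misbehaving pattern: any ClientHello above server_max gets a fatal alert,
    so a TLS 1.2-capable client cannot reach a TLS 1.0-only server at all."""
    if client_max > server_max:
        return ("alert", "protocol_version")
    return negotiate(client_max, server_min, server_max)
```

Run against a real server, the difference between the two functions is exactly what a client sees: a downgraded ServerHello from a tolerant server versus a fatal alert from an intolerant one, which is why browsers of the time shipped with TLS 1.1/1.2 disabled.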


ABOUT ME

Ivan Ristić is an open source advocate, entrepreneur, writer, programmer and web security specialist. He is the principal author of ModSecurity, the open source web application firewall, and the author of Apache Security, a concise yet comprehensive web security guide for the Apache web server.
