Fortified Castles with Wooden Doors: Weak Keys and Outdated Machine Identity Management Compromise TLSv1.3 Adoption

SALT LAKE CITY–(BUSINESS WIRE)–Venafi®, the leading inventor and provider of machine identity management, today announced the findings of a new crawler-based report by security researcher and TLS expert Scott Helme. The report, sponsored by Venafi, assesses the use of encryption at the world’s one million largest sites over the past six months and reveals the need for a control plane to automate machine identity management in increasingly complex cloud environments.

Research suggests that while progress has been made in some areas, more education is needed to ensure that machine identities are used in the most effective way to protect our online world:

  • Usage of TLSv1.2 has decreased by 13% over the past six months, with v1.3 being used by nearly 50% of sites, more than twice as many sites as v1.2. Adoption of v1.3 is driven by widespread digital transformation initiatives, cloud migration, and new cloud-native stacks that default to v1.3.

  • Even as organizations adopt stronger TLS protocols, they fail to couple this with a move toward stronger keys for TLS machine identities.

  • Industry-standard ECDSA keys are now only used by 17% of websites, down from 14% six months ago. Slower, less secure RSA keys are still used by 39% of the top 1 million websites.

  • HTTPS adoption growth stabilized at 72%, the same level as in December.

“The fact that enterprises are deploying TLS v1.3 with machine identities using RSA keys shows that there is still a lot of progress to be made with machine identity management. A strong algorithm means very little if used in conjunction with a weak key – it’s like building a stone fortress but leaving the wooden door unprotected,” explained Scott Helme, security researcher and founder of Report URI. “Adoption of newer, more efficient and more secure ECDSA keys has been negligible over the past six months. This, coupled with the fact that HTTPS adoption has plateaued over the past six months, shows that the internet is no safer than it was six months ago. Cybercriminals are constantly upping the ante, so it’s disheartening to see companies not following suit.”

Let’s Encrypt continues to be the certificate authority (CA) of choice for the top 1 million, but Cloudflare is catching up. This adoption appears to be driving the adoption of TLS v1.3, with 50% of websites deploying v1.3 doing so through Cloudflare. The decline in the use of Extended Validation (EV) certificates has also continued, with a 16% drop in the last six months, following changes made by browser manufacturers that significantly reduced the value of EV certificates for website owners.

There is good news in this analysis. The data suggests that organizations are taking more steps to manage their machine identity environments. Since December, there has also been a 13% increase in the number of sites using Certificate Authority Authorization (CAA), which allows companies to publish a list of the certificate authorities trusted to issue certificates for their domains. The adoption of this control is a positive sign that organizations seem to be aware of the importance of machine identities in overall security and are being more vigilant in how they manage them.

“The recent boom in cloud migration means that every business needs many more TLS machine identities to secure communication between devices, clouds, software, containers and APIs,” said Kevin Bocek, Vice President, Security Strategy and Threat Intelligence at Venafi. “The fact that more and more companies are using CAA is a positive sign that companies are realizing the need for machine identity management. The adoption of CAA also underscores the urgent need for a machine identity management control plane that can automate the use of machine identities in increasingly complex cloud environments.”

For more information on the report, please visit the blog.

About Venafi

Venafi is the cybersecurity market leader in machine identity management. From ground to cloud, Venafi solutions manage and protect the identities of all types of machines, from physical and IoT devices to software applications, APIs and containers. Venafi provides global visibility, lifecycle automation, and actionable insights for all types of machine identities and their associated security and reliability risks.

Jetstack, a Venafi company, is a strategic consulting and cloud-native products company working with enterprises using Kubernetes and OpenShift.

An open source pioneer, Jetstack has achieved notable industry recognition as the creator of cert-manager, the open source industry standard for cloud-native machine identity management. Jetstack’s open source products and solutions protect the application environments and platform infrastructure of global banks, multinational retailers and defense organizations by providing platform and security teams with the power to build, scale and secure their cloud infrastructure.

With more than 30 patents, Venafi provides innovative machine identity management solutions for the most demanding and security-conscious organizations and government agencies, including the top five US health insurers; the five major US airlines; the four major credit card issuers; three of the four major accounting and consulting firms; four of the top five US retailers; and the top four banks in each of the following countries: the United States, the United Kingdom, Australia and South Africa.

For more information, visit and