Thousands of insecure servers behind popular websites

More than half of all web servers still allow the use of insecure RSA keys. At the same time, revoking certificates is still problematic. In addition, old, rarely updated servers are still in place almost everywhere. These vulnerabilities are often abused for phishing campaigns.


The TLS Telemetry Report 2021 by F5 Labs, a cloud and security solutions provider, studied 1 million of the world's top websites. According to this study, attackers are increasingly using Transport Layer Security (TLS) to their advantage in phishing campaigns. TLS, still often called by the name of its predecessor, Secure Sockets Layer (SSL), is an encryption protocol for secure data transmission on the Internet, so its misuse is all the more serious. More than half of all web servers still allow the use of insecure RSA keys.

Insecure servers behind important websites

Additionally, according to F5 Labs, new fingerprinting techniques raise questions about the proliferation of malware servers hiding in key websites. "More than ever, both nation-states and cybercriminals are trying to circumvent strong encryption," said David Warburton, senior threat research evangelist at F5 and author of the study. "Given these pervasive risks, it has never been more important to use strong and up-to-date HTTPS configurations. This is especially true when using digital certificates from various services."

Two steps forward, one step back

According to F5 Labs, the faster and more secure TLS 1.3 protocol is increasingly being used. For the first time, TLS 1.3 was the encryption protocol of choice for most web servers on the Tranco Top 1M list. Almost 63 percent of servers now prefer TLS 1.3, as do over 95 percent of all actively used browsers. In the U.S. and Canada, as many as 80 percent of web servers use TLS, compared to only 15 percent in China or Israel.

DNS Certification Authority Authorization (CAA) can prevent the fraudulent issuance of certificates. From 2019 (1.8 % of sites) to 2021 (3.5 %), usage shows a significant increase, but it remains at a very low level. Also of concern is that while almost all servers in the top list prefer secure Diffie-Hellman key agreements, 52 percent of servers still allow the insecure RSA key exchange mentioned at the beginning.
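How a CA decides from CAA records whether it may issue, sketched as an added example that is not part of the article or the F5 Labs report. It follows the lookup and matching rules of RFC 8659; the zone contents, CA names and function names are constructed for illustration.

```python
# Added example: CAA evaluation following RFC 8659, over constructed records.
# ZONE maps a name to its CAA records as (flags, tag, value); all names are made up.
ZONE = {
    "example.test": [(0, "issue", "ca-one.test"), (0, "issuewild", ";"),
                     (0, "iodef", "mailto:sec@example.test")],
    "shop.example.test": [(0, "issue", "ca-two.test; account=1234")],
    "locked.test": [(0, "issue", ";")],
    "odd.test": [(128, "futuretag", "x")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_caa_set(name, zone=ZONE):
    """Climb from the name toward the root; the first non-empty CAA set wins."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        records = zone.get(".".join(labels))
        if records:
            return records
        labels = labels[1:]
    return []

def may_issue(ca_domain, requested_name, zone=ZONE):
    """Return True if CAA permits ca_domain to issue for requested_name."""
    wildcard = requested_name.startswith("*.")
    records = relevant_caa_set(requested_name[2:] if wildcard else requested_name, zone)
    # An unrecognized property with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t.lower() == "issue"]
    issuewild = [v for _, t, v in records if t.lower() == "issuewild"]
    # issuewild replaces issue for wildcard requests and is ignored otherwise.
    restricting = issuewild if (wildcard and issuewild) else issue
    if not restricting:
        return True  # no CAA restriction applies: any CA may issue
    # Drop optional parameters after ';' and compare issuer domain names.
    allowed = {v.split(";", 1)[0].strip().lower() for v in restricting}
    allowed.discard("")  # an empty issuer name (";") authorizes no CA
    return ca_domain.lower() in allowed
```

A name with no CAA records anywhere on its path returns True for every CA, which is the situation of the large majority of sites in the figures above.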

In addition, F5 Labs' analyses have shown that key revocation methods are almost completely useless. Therefore, certification authorities (CAs) and browser manufacturers increasingly want to move to extremely short-term certificates. Revoking a stolen certificate is much easier if it expires in a few weeks anyway. Currently, the most common certificate lifespan is 90 days, which applies to just over 42 percent of all websites.

Increasing security risks

The number of phishing sites using HTTPS with valid certificates increased from 70 percent in 2019 to nearly 83 percent in 2021. About 80 percent of malicious websites originated from only 3.8 percent of hosting providers. Phishers prefer Fastly here, closely followed by Unified Layer, Cloudflare and Namecheap.

The most frequently spoofed brands in phishing attacks are Facebook and Microsoft Outlook/Office 365. At the same time, stolen credentials from these sites have great value, in part because many other accounts use them as an identity provider (IdP) or password reset function. In addition, F5 Labs found that webmail platforms are imitated almost as often as Facebook to conduct phishing attacks, at 10.4 percent.

Source: F5 Labs
