Around the world with TLS 1.0

Recently, a draft IETF proposal to formally deprecate TLS 1.0 and TLS 1.1 was published and soon afterwards, Mozilla, Google, Apple and Microsoft coordinated their announcements that they intend to remove TLS 1.0 and TLS 1.1 from new versions of their primary web browsers.

Removing TLS 1.0 and TLS 1.1 in newer web browsers is a good step forward, which I hope will drive up the number of websites and services offering TLS 1.2 and TLS 1.3.

Some of the above announcements provided statistics on TLS 1.0 and TLS 1.1 usage in modern browsers, since it’ll be modern browsers from which TLS 1.0 and TLS 1.1 are removed. The numbers I saw stated in the announcements (TLS 1.0 at 1.1% and TLS 1.1 at 0.1% usage) looked much lower than some I had seen in our per-geography data — likely because their data is globally aggregated.

“Best check our data to see how it’s looking, eh?” I thought…so I did.

Methodology

I put in some work earlier this year to make it easier to use the HTTP access log data from BBC traffic management services. We now have an automated ingestion pipeline which takes the access logs from their existing AWS S3 storage buckets, verifies, parses, enriches and transforms them before loading them into Google BigQuery (in a GDPR-compliant manner, of course). The net result is that we can now perform SQL queries across all of our traffic management layer’s access logs in a very short timeframe. This has been a game-changer in my opinion: we’re using the data to discover all sorts of things we never knew about usage of our services.

The data I used for this particular study show HTTPS (only, not HTTP) requests to www.bbc.co.uk and www.bbc.com from November 10th-13th 2018 — a total of just over 2 billion requests from 250 countries (including country: “unknown”).

Global view

First of all, I looked at our “global view” of TLS usage. This covers TLS usage on www.bbc.co.uk and www.bbc.com from every country we served:

So whilst our global aggregate view of TLS usage differs a little from e.g. the Firefox metrics, it’s not vastly different.

Per-Country view

As I mentioned earlier, the main purpose of this study was to look at how TLS usage varies by geography, as a contrast to the global view for our audience. My query counted the number of HTTPS requests and grouped them by the negotiated TLS version and by the country (using the IANA name) from which the request originated. I then filtered out countries with fewer than 10,000 requests, as their figures are probably less reliable statistically. Since the result set is pretty large, I then filtered it to include only countries with more than 5% TLS 1.0 usage. The results are as follows (ordered from highest to lowest percentage of TLS 1.0 usage):
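To make the grouping and the two thresholds concrete, here is an added example (not the BBC's pipeline or query) that runs the same shape of query over an in-memory SQLite table standing in for the BigQuery access-log table. The column names (`country`, `tls_version`, `requests`) and the request counts are constructed for illustration, and the rows are pre-aggregated per country and TLS version rather than one row per request. The function is parameterised by TLS version and by both thresholds, so the same call also performs the later check for countries with more than 1% TLS 1.1 usage.

```python
"""Per-country share of a given TLS version over access-log rows.

Added example, not the BBC's own pipeline or query. An in-memory SQLite
table stands in for the BigQuery access-log table; column names and the
sample counts below are constructed for illustration.
"""
import sqlite3

# Constructed sample: (country, negotiated TLS version, request count).
# Real access logs hold one row per request; these are pre-aggregated
# so the example stays small. All counts are made up.
SAMPLE_ROWS = [
    ("Bosnia and Herzegovina", "TLSv1",   1500),
    ("Bosnia and Herzegovina", "TLSv1.1",   50),
    ("Bosnia and Herzegovina", "TLSv1.2", 10000),
    ("India",                  "TLSv1",   8000),
    ("India",                  "TLSv1.1",  600),
    ("India",                  "TLSv1.2", 31400),
    ("United Kingdom",         "TLSv1",   3000),
    ("United Kingdom",         "TLSv1.1", 1000),
    ("United Kingdom",         "TLSv1.2", 996000),
    ("Liechtenstein",          "TLSv1",    900),   # below the 10,000 floor
    ("Liechtenstein",          "TLSv1.2",  100),
]

# Step 1 (CTE): total requests per country, dropping countries under the
# minimum request count. Step 2: for the requested TLS version, compute
# each remaining country's share and keep only those above the minimum
# percentage. Parameters bind in order: min_requests, tls_version, min_pct.
QUERY = """
WITH per_country AS (
    SELECT country, SUM(requests) AS total
    FROM requests
    GROUP BY country
    HAVING SUM(requests) >= ?
)
SELECT r.country,
       SUM(r.requests)                  AS version_requests,
       p.total                          AS total_requests,
       100.0 * SUM(r.requests) / p.total AS pct
FROM requests AS r
JOIN per_country AS p USING (country)
WHERE r.tls_version = ?
GROUP BY r.country, p.total
HAVING 100.0 * SUM(r.requests) / p.total > ?
ORDER BY pct DESC
"""


def countries_with_version_share(rows, tls_version, min_requests=10_000, min_pct=5.0):
    """Return [(country, version_requests, total_requests, pct)] ordered by pct,
    highest first, for countries with at least min_requests requests in total
    and more than min_pct percent of them on tls_version."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE requests (country TEXT, tls_version TEXT, requests INTEGER)"
    )
    con.executemany("INSERT INTO requests VALUES (?, ?, ?)", rows)
    result = con.execute(QUERY, (min_requests, tls_version, min_pct)).fetchall()
    con.close()
    # Keep the absolute counts alongside the percentage: a small share of a
    # large country can still be a large number of people.
    return [(c, int(v), int(t), round(p, 2)) for c, v, t, p in result]


if __name__ == "__main__":
    print("Countries with > 5% TLS 1.0 (>= 10,000 requests):")
    for row in countries_with_version_share(SAMPLE_ROWS, "TLSv1"):
        print("  %-24s %8d of %8d  (%.2f%%)" % row)
    print("Countries with > 1% TLS 1.1 (>= 10,000 requests):")
    for row in countries_with_version_share(SAMPLE_ROWS, "TLSv1.1", min_pct=1.0):
        print("  %-24s %8d of %8d  (%.2f%%)" % row)
```

In the constructed data the United Kingdom has by far the most TLS 1.0 requests in absolute terms (3,000) but is excluded by the percentage filter, while Bosnia and Herzegovina appears with half that number; that is exactly the percentage-versus-absolute distinction the recommendations section raises, which is why the function returns both figures rather than only the share.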

It’s pretty clear that there are very significant differences across the world in TLS 1.0 usage from country to country. We’ll dig into this in a little bit more detail in a moment but I should just mention for now that the data from China might be inaccurate as (to the best of my knowledge), www.bbc.co.uk and www.bbc.com are currently blocked in China (following our migration to HTTPS) so this could well be proxied/VPN’d traffic rather than traffic direct from users.

It’s interesting to make a comparison with the two countries which make up our largest user-base by request count:

These data show what you’d probably guess: they’re similar to each other and just a little below the global values.

Clients

The next most obvious question is perhaps “what is making all these TLS 1.0 requests?”. The global most popular 20 (from over 90,000) user agents are:

So we can see that there are some old desktop web browsers, some feature phones, some proxies and some HTTP libraries, mostly running on older Android versions (mainly Android 2 and 4). Further down the list there are lots more HTTP libraries and web browsers running on Android 2 and 4. We can compare this global view with the 20 most popular user agents from Bosnia and Herzegovina:

Here we see fewer HTTP libraries, no feature phones or proxies, but a greater proliferation of old desktop web browsers, notably lots of Chrome 24 (2013) and Firefox 15 (2012) & 16 (2012). There’s lots of old Android (especially v4, ~2013) in both result sets. Of course the User-Agent HTTP header is completely spoofable, so there may be some inaccuracies.

The concentration of client release years is interesting though; I wonder why 2012 and 2013 are so common? It doesn’t seem to be tied directly to a TLS version change, since TLS 1.0 was 1999, TLS 1.1 was 2006 and TLS 1.2 was 2008 (though it was revised in 2011). Answers on a postcard (or in a comment) please!

Is there anything we can do to reduce the TLS 1.0 usage?

The short answer, sadly, is “not really”. The longer answer involves waiting for the natural reduction in older Android versions as the devices running those OSes fail and are replaced, hopefully with something which supports better crypto! The complication to this is in geographies which are not so wasteful as most “western” economies. In India, for example, older devices are much more frequently repaired than in the “west”, often by local repair agents whose skill and ingenuity can keep devices running for much longer than they do elsewhere.

What about TLS 1.1?

As it is for the rest of the industry, our TLS 1.1 usage is much, much lower than TLS 1.0 and TLS 1.2. This is typically because most user agents/clients which support TLS 1.1 also support TLS 1.2, so TLS 1.1 doesn’t get a big slice of the action. Our data shows no countries with over 10,000 requests in the 3 days of data which also have TLS 1.1 usage above 1%.

Recommendations

Whichever metric(s) you’re looking at, ensure that you don’t just look at the global/overall aggregated numbers, which often mask large regional/subset variations. The constituent communities of your audience often differ significantly, so it’s really important to understand how that affects your data and therefore your decision-making process.

The same goes for percentages versus absolute numbers — for example, 0.2% of a large number of users is, in absolute numbers, still a lot of users. Don’t discount seemingly small fractions of a large user base without checking how many people that fraction represents!

P.S. Thanks to my children, Polly and Stanley, for the illustrations. I couldn’t find any suitable pictures so they drew some for me.