Around the world with TLS 1.0 part 2 (Feb. 2020 edition)

Neil Craig
BBC Product & Technology
May 15, 2020

Following a Twitter conversation which was initiated by Hanno Böck, asking about experiences with disabling TLS1.0 and 1.1, I committed to writing an update on my late 2018 blog post, “Around the world with TLS 1.0”. This is that update.

I’ll keep this post brief and aim to keep the comparisons pretty direct. If you haven’t already, I’d recommend reading Around the world with TLS 1.0 for context and methodology. Let’s dive in…

Global view

First of all, I looked at our “global view” of TLS usage. This covers TLS usage on www.bbc.co.uk and www.bbc.com from every country we served:

November 2018 (original) data

February 2020 data

Context: We currently have two traffic edges (one of which replaced the traffic edge in the 2018 data), one for UK and mainland Europe (which supports TLS1.3), another for “rest of world” (which does not yet support TLS1.3).

UK, mainland Europe & “rest of world”:

This shows a ~68% reduction in TLS1.0 usage globally over the 15 months or so between the two datasets. That’s pretty significant and is more than I had expected.

Incidentally, if we look exclusively at our UK/mainland Europe traffic edge (where TLS1.3 is enabled) we see ~69% TLS1.3 — so the adoption rate is strong:

Per-Country view

Let’s examine how TLS1.0 usage has changed on a country-by-country basis. Again, we’ll find the percentage of HTTPS requests which used TLS1.0 for countries which made ≥ 10,000 HTTPS requests over 3 days. I’ll represent this as a comparison view for simplicity:

This shows some even more significant reductions in TLS1.0 usage for some countries, the mean reduction being ~77%.

Some interesting observations from these data:

  • Hungary has both the largest reduction (99.24%) and the lowest percentage (0.15%) usage of TLS1.0
  • Algeria saw the smallest reduction in TLS1.0 usage, at 37.65%
  • China has the highest percentage usage of TLS1.0 at 19.79%
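An added example, not the author's code or BBC tooling: one way to reproduce the per-country comparison described above from pre-aggregated edge-log counts. The record layout, the `TLSv1` label, the placeholder country codes (XA, XB, XC) and all counts are constructed, and "reduction" is assumed to mean the relative fall in a country's TLS1.0 share.

```python
from collections import Counter
from statistics import mean

MIN_REQUESTS = 10_000  # the post's cut-off: countries with >= 10,000 HTTPS requests

def tls10_share(records, min_requests=MIN_REQUESTS):
    """records: iterable of (country, tls_version, request_count).
    Returns {country: % of HTTPS requests that negotiated TLS 1.0},
    keeping only countries that meet the minimum request volume."""
    total, legacy = Counter(), Counter()
    for country, version, count in records:
        total[country] += count
        if version == "TLSv1":  # assumed log label for TLS 1.0
            legacy[country] += count
    return {c: 100.0 * legacy[c] / n for c, n in total.items() if n >= min_requests}

def relative_reduction(before, after):
    """% fall in TLS1.0 share between two snapshots, for countries present in both."""
    return {c: 100.0 * (before[c] - after[c]) / before[c]
            for c in before.keys() & after.keys() if before[c] > 0}

# Constructed sample counts; XC never reaches the volume threshold.
LOGS_2018 = [
    ("XA", "TLSv1", 2_000), ("XA", "TLSv1.2", 8_000),
    ("XB", "TLSv1", 500),   ("XB", "TLSv1.2", 9_500),
    ("XC", "TLSv1", 900),   ("XC", "TLSv1.2", 100),
]
LOGS_2020 = [
    ("XA", "TLSv1", 500), ("XA", "TLSv1.2", 4_500), ("XA", "TLSv1.3", 5_000),
    ("XB", "TLSv1", 100), ("XB", "TLSv1.2", 1_900), ("XB", "TLSv1.3", 18_000),
    ("XC", "TLSv1", 1_000),
]

share_2018 = tls10_share(LOGS_2018)   # XA 20%, XB 5%
share_2020 = tls10_share(LOGS_2020)   # XA 5%,  XB 0.5%
reductions = relative_reduction(share_2018, share_2020)
mean_reduction = mean(reductions.values())

if __name__ == "__main__":
    for country in sorted(reductions):
        print(f"{country}: {share_2018[country]:.2f}% -> {share_2020[country]:.2f}% "
              f"({reductions[country]:.2f}% reduction)")
    print(f"mean reduction: {mean_reduction:.2f}%")
```

The volume threshold matters: XC shows 90% and then 100% TLS1.0 on about 1,000 requests, which a handful of legacy systems could produce on their own.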

Let’s update our view for the UK and USA against the 2018 data:

This is interesting in its own right: both the UK and USA have smaller (albeit only a little smaller for the USA) reductions than the mean from the “2018 worst offenders” list, above. This is perhaps because the UK and USA have a smaller base of real users on TLS1.0, with more usage being “is the internet working” checks running on old platforms, corporate proxies etc. (we seem to be used for lots of these sorts of tests, which is hopefully a compliment!).

It’s worth updating the countries which have the largest percentage usage of TLS1.0 — the list above was the “worst of” 2018. Here’s the top 10 countries with the highest percentage of TLS1.0 usage in Feb. 2020:

Yikes, lots of countries with 100% (rounded to 2 DP) TLS1.0 usage. It seems that most of these countries are relatively small (in comparison to the “worst offenders” in 2018) so maybe the above is the result of one or a few legacy systems in each country/territory.

Clients

As in 2018, it’s useful to know what is making all these TLS1.0 requests. The table below is slightly improved over the 2018 data (please see the original post for info). These data are global and show the top 10 by “Operating system” and “User Agent” fields which are parsed from the User Agent request header as a normalisation stage:

“Unknown” means that the parser library doesn’t know what the Operating System / User Agent is — either because it’s uncommon or ancient! What we see here are very outdated Operating Systems and User Agents — essentially these seem to be combinations of:

  • Old Operating Systems with old TLS stacks and User Agents which use the Operating System TLS stack
  • Old User Agents with old TLS stacks which don’t use the (sometimes more modern) Operating System TLS stack

The top 10 User Agents whose Operating system and User Agent are both unknown are:

  • Nokia6280/2.0 (03.60) Profile/MIDP-2.0 Configuration/CLDC-1.1
  • CITRIXRECEIVER
  • <empty>
  • Mozilla/5.0 (compatible; Genieo/1.0 http://www.genieo.com/webfilter.html)
  • SGOS/6.7.3.9 (S400–30; Proxy Edition)
  • Mozilla/5.0 (compatible; PRTG Network Monitor (www.paessler.com); Windows)
  • Dorado WAP-Browser/1.0.0
  • Mozilla/4.0 (ISA Server Connectivity Check)
  • ProxySG Appliance
  • WinampMPEG/2.00

So yep, as expected, generally ancient User Agents and the usual suspects. Most notably, it appears we have essentially fewer “real” (as in “used by people”) User Agents which negotiate TLS1.0, leaving a higher proportion of TLS1.0 usage from what appear to be automated systems. This makes sense if you consider the changes in Operating systems over the 15 month span between my two datasets — Windows 10, for instance, has gone from around 38% to 57% (desktop) market share (largely replacing Windows 7) and brings with it a much more modern TLS stack. Similarly, many users will have upgraded mobile phones, tablets and other devices.

Conclusion

TLS1.0 has seen a significant reduction in usage of around 77% for our audiences over the 15 months since I wrote the original blog post, but usage of TLS1.0 in some geographies remains stubbornly high. The trend is clear though: TLS1.0 usage is absolutely on the wane and whilst the long tail of this usage will undoubtedly drag on for years, usage patterns are moving in the right direction (at least in our audience).

We operate with a single edge configuration (in terms of TLS) around the world so we need to take a decision on when the right time to remove TLS1.0 (and 1.1) support is — balancing the security risks against the hard cut-off for users. Something we have put some thought into is a mechanism for warning our audience of such breaking changes — we’re not there yet with it but it’s definitely something I’d like to have as a deprecation process which aims to inform the end user and ideally, show them a workable upgrade path so they can continue to use our services, if they so choose.

Let me know if you have questions or would like more detail on an element shown here and I’ll do my best to get you the information. Please either leave a comment below or send me a message on Twitter.

Neil Craig
BBC Product & Technology

Lead Technical Architect at @BBC. Snowboarder, skateboarder, husband & father. Oxford, UK. opinions are mine.