With the end of the year quickly approaching, it is undoubtedly a good time to take a look at what has changed during the past 12 months. One security-related area, which deserves special attention in this context, is related to the use of different versions of SSL and TLS on various servers on the internet, since information about support for these protocols can provide us with a good informal indicator for the overall “level of security” on the global network as a whole.

This is true especially when it comes to web servers, since there are a lot of them, and the continued support for deprecated[1] versions of the aforementioned cryptographic protocols (i.e., SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1) on a specific web server shows quite well that the server is not configured in line with current security best practices (and it gives a good indication that it probably lacks important updates and patches as well).

In order to show how the support for various SSL/TLS versions has changed, we will use data gathered from Shodan, mostly using my TriOp tool[2].

Going by this data, Shodan scans detected between 124 and 166 million web servers accessible from the internet during the course of the year. Or – to be more specific – the scans detected these numbers of public IP addresses responding to traffic on port 443. And while most (though not all) of these IP addresses have hosted a web server of some sort, in some cases, these servers were only very simple ones, intended only to display a configuration interface of a specific device (e.g., a SOHO router).

In any case, as you can see from the following chart, support for TLS 1.3 on web servers has increased significantly during 2024 – from approximately 25% at the beginning of the year to over 30% at the end. TLS 1.2 has seen similar increase (from 38% to nearly 44%), while support for TLS 1.1 and TLS 1.0 has stayed nearly the same throughout the year (around 22%).

While overall support for SSLv3 has also remained largely unchanged throughout the year (~1.43%), support for SSLv2 has decreased a little (from ~0.3% to ~0.25%).

One additional type of systems that deserves a short mention when discussing SSL and TLS support are e-mail servers. As a security community we generally tend to focus more on the use of cryptographic protocols to protect web traffic, but their use to protect e-mail communication is arguably just as important (though their use in this area is generally much more opportunistic in its nature).

The good news, when it comes to e-mail, is that support for TLS 1.3 has grown to be approximately the same as support for TLS 1.0 and TLS 1.1 on all three relevant ports (TCP/25, TCP/465 and TCP/587) – i.e., TLS 1.3 now seems to be supported by approximately 30% of SMTP servers on the internet.

Detailed overview of the changes in SSL/TLS support on e-mail servers can be seen in the following charts from Shodan Trends.

While it seems that some SSL 3.0 and even SSL 2.0-enabled systems will remain with us for the foreseeable future, it is clear that the overall SSL/TLS situation has certainly improved in the past 12 months. Let us hope that this trend will continue in 2025…

[1] https://en.wikipedia.org/wiki/Transport_Layer_Security#History_and_development
[2] https://isc.sans.edu/diary/27034

-----------
Jan Kopriva
LinkedIn
Nettles Consulting