Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Scott Helme Profile picture
@Scott_Helme
Dec 9, 2021 14 tweets 9 min read Read on X
Scrolly
It's been a while since I've had chance to sit down and produce a report on the security of the Top 1 Million sites, but thanks to @Venafi's support, the crawler project lives on and a brand new report is out! venafi.com/blog/crawler-r…
It takes a lot of resources to gather this data and a lot of time to analyse it all and write the report, so genuinely, it wouldn't have happened without them. There hasn't been a report for 18+ months so let's take a look at what changed! 😎
HTTPS adoption continues to surge 🔐📈

72% of sites in the Top 1M are now actively redirecting HTTP --> HTTPS 🤩

We're using more HTTPS right now than at any point in history... 😮
Redirecting to HTTPS isn't quite enough though, sites also need to use HSTS and we've seen strong growth there too! ✔

scotthelme.co.uk/hsts-the-missi…
scotthelme.co.uk/hsts-preloadin…
Without any doubt, credit has to be given to @letsencrypt as the largest issuing CA in the Top 1M sites by quite some margin! 💪

Almost 25% of the Top 1M sites are using a @letsencrypt certificate, 240,461 sites!
The presence of @letsencrypt is smaller in the largest sites as they are still using more traditional CAs.

@letsencrypt isn't the only big change in the CAs though, we can see a large shift towards automated or service provided certificates!
As HTTPS surges, it seems sites are choosing DV over EV when it comes to certificates. EV is now at the lowest usage levels I've recorded. 📉

My suspicions:
1. EV certs are 💰💰💰
2. EV certs are harder to automate 🔄
3. EV UI removed in the browser ❌🔒
Another very notable trend in the Top 1M sites is the use of @Cloudflare! ⛅

You can see their presence in the certificate stats above, but it really shows when you look at the server headers of sites and see they're the clear choice 🥇
I suspect this large presence of @Cloudflare is largely responsible for some other positive trends we've seen. ⛅📈🔒

For example, the new TLSv1.3 protocol has seen faster adoption than I expected since it's standardisation in 2018.
Adoption of TLSv1.3 changes the preferred cipher suites for the Top 1M sites. 🧾

The clear winner is a TLSv1.3 suite, whilst TLSv1.2 suites still hold firm in 2nd and 3rd place.

🥇TLS_AES_256_GCM_SHA384
🥈ECDHE-RSA-AES256-GCM-SHA384
🥉ECDHE-RSA-AES128-GCM-SHA256
An interesting trend in cipher suite data; sites at the top of the ranking tend to prefer AES128 more than AES256. 🔑 <-> 🗝️

This is particularly noticeable in the TLSv1.2 data and still a clear trend in the TLSv1.3 data! Are they worried about performance? 🤔
Talking of performance, looking at the auth keys that sites are using does raise some questions! 🔏

RSA is still the clear winner, beating ECDSA by quite some margin. Weirdly, though, there's still a lot of use of RSA3072 and RSA4096(!). 😲
Another important performance metric is the adoption of HTTP/2.0 which has taken a big leap! 🔥

Enabled by the rise in HTTPS support (prerequisite for h2), we see a sharp rise in adoption in the higher ranked sites looking to go faster. 🏎
It's nice to see sites deploying a security.txt file too! 📞

If you don't have one, you should check out this blog post: scotthelme.co.uk/say-hello-to-s…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Scott Helme

Scott Helme Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Scott_Helme

Scott Helme Profile picture
Jul 3, 2022
Listen to that sound!!! 😮🏎💨
The Red Arrows are here ✈️
Driving around Silverstone with Chris Harris chasing me down in a massive truck 😅
Read 20 tweets
Scott Helme Profile picture
Jul 2, 2022
Awesome viewing for FP3 today!!
😎
A screen for timing and info along with the live action. Russell on a push lap!
Read 7 tweets
Scott Helme Profile picture
Jul 1, 2022
This weekend is going to be MEGA!!
😎🏎💨🍾🥂🎉 ImageImageImage
Time for a walk around the paddocks! ImageImageImageImage
Pirelli are here with the wheels and tyres on display for the weekend. ImageImageImageImage
Read 13 tweets
Scott Helme Profile picture
Jun 30, 2022
I converted my car to Flex-Fuel over the weekend! First long trip today and it’s performed flawlessly running on a high concentration of ethanol! 🌽🏎💨

The only hardware required was an Ethanol Content Analyser and the rest was done in software. Here’s the hardware kit:
The ECA itself is installed on the main feed from the Low Pressure Fuel Pump on top of the fuel tank. It’s an inline sensor that reads the fuel as it passes through.
Pop off the fuel line, connect the sensor to the pump and then connect the fuel line to the sensor. Of course the next part is getting the reading to the DME (ECU).
Read 14 tweets
Scott Helme Profile picture
Mar 11, 2022
Given the sanctions against Russia, it seems that CAs are now ceasing issuance for Russian domains and even going so far as to revoke certificates previously issued for Russian domains. Here are some for a Russian bank revoked by Thawte CA: crt.sh/?id=5828347935
Several others have been reported:
crt.sh/?id=5828347935
crt.sh/?id=6218871547
crt.sh/?id=4582341817
crt.sh/?id=2713661323
This is of course problematic because websites still need certificates and they have to come from somewhere. It seems now that Russia intends to setup a government operated CA. You can download the Root Certificate at the 3rd button here: gosuslugi.ru/tls
Read 8 tweets
Scott Helme Profile picture
Mar 9, 2022
Welcome to Reykjavík, should I resist? 😎
Driving out of the city with @stebets, this place is mega!! ❄️🔥🇮🇸
Of course I had to visit @CCPGames while I was here! Eve Online player since 2006 😅
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(