Recently, was published and soon afterwards, , , and coordinated their announcements that they intend to remove TLS 1.0 and TLS 1.1 from new versions of their primary web browsers.
Removing TLS 1.0 and TLS 1.1 in newer web browsers is a good step forward, which I hope will drive up the number of websites and services offering TLS 1.2 and TLS 1.3.
Some of the above announcements provided statistics on TLS 1.0 and TLS 1.1 usage in modern browsers, since it’ll be modern browsers from which TLS 1.0 and TLS 1.1 are removed. The numbers I saw stated in the announcements (TLS 1.0 at 1.1% and TLS 1.1 at 0.1% usage) looked much lower than some I had seen in our per-geography data鈥—鈥妉ikely because their data is globally aggregated.
“Best check our data to see how it’s looking, eh?” I thought…so I did.
Methodology
I put in some work earlier this year to make it easier to use the HTTP access log data from 主播大秀 traffic management services. We now have an automated ingestion pipeline which takes the access logs from their existing AWS S3 storage buckets, verifies, parses, enriches and transforms them before loading them into Google BigQuery (in a GDPR-compliant manner, of course). The net result is that we can now perform SQL queries across all of our traffic management layer’s access logs in a very short timeframe. This has been a game-changer in my opinion, we’re using the data to discover all sorts of things we never knew about usage of our services.
The data I used for this particular study show HTTPS (only, not HTTP) requests to and from November 10th-13th 2018鈥—鈥奱 total of just over 2 billion requests from 250 countries (including country: “unknown”).
Global view
First of all, I looked at our “global view” of TLS usage. This covers TLS usage on and from every country we served:
|
TLS Version |
Number of requests |
Percentage |
|
TLSv1.2 |
2,002,516,373 |
97.96% |
|
TLSv1.1 |
4,529,764 |
0.22% |
|
TLSv1.0 |
37,160,210 |
1.82% |
hosted with 鉂y
So whilst our global aggregate view of TLS usage differs a little from e.g. the Firefox metrics, it’s not vastly different.
Per-Country view
As I mentioned earlier, the main purpose of this study was to look at how TLS usage varies by geography, as a contrast to the global view for our audience. My query counted the number of HTTPS requests and grouped them by the negotiated TLS version and also by the country (using the IANA name) from which the request originated. I then filtered out countries with less than 10,000 requests as they’re probably less reliable, statistically. Since the result set is pretty large, I then filtered to only include countries which have greater than 5% of TLS 1.0 usage. The results are as follows (ordered from highest to lowest percentage of TLS 1.0 usage):
|
Country |
Number of requests |
Percentage of TLS 1.0 usage |
|
Bosnia and Herzegovina |
35,031 |
100.00% |
|
China |
2,261,506 |
86.93% |
|
Montenegro |
28,712 |
48.74% |
|
Croatia |
113,948 |
43.75% |
|
Uganda |
150,225 |
34.48% |
|
Honduras |
97,644 |
29.55% |
|
Ethiopia |
180,473 |
26.04% |
|
Democratic Republic of the Congo |
12,775 |
25.67% |
|
Nigeria |
1,224,923 |
25.13% |
|
Cote d'Ivoire |
14,717 |
23.68% |
|
Myanmar |
164,751 |
21.25% |
|
Hungary |
175,327 |
20.20% |
|
Cameroon |
11,618 |
15.02% |
|
Tanzania |
76,469 |
14.93% |
|
Somalia |
189,509 |
12.98% |
|
Sudan |
16,273 |
12.93% |
|
Mozambique |
10,348 |
12.39% |
|
Taiwan |
195,132 |
11.01% |
|
Zambia |
29,070 |
10.41% |
|
Morocco |
32,932 |
10.04% |
|
Uzbekistan |
17,135 |
9.38% |
|
Japan |
489,215 |
9.15% |
|
Hong Kong |
426,542 |
8.97% |
|
Algeria |
24,760 |
8.97% |
|
Romania |
62,019 |
8.79% |
|
Zimbabwe |
19,253 |
8.15% |
|
Egypt |
52,061 |
7.60% |
|
Turkey |
234,372 |
7.32% |
|
Philippines |
94,536 |
6.95% |
|
Ghana |
44,913 |
6.71% |
|
Belarus |
28,211 |
6.68% |
|
Kenya |
73,939 |
6.39% |
|
Nepal |
38,569 |
6.00% |
|
Bulgaria |
27,659 |
5.96% |
|
Malawi |
15,501 |
5.85% |
|
Jordan |
13,419 |
5.73% |
|
Indonesia |
119,720 |
5.40% |
|
Ukraine |
86,505 |
5.35% |
|
Republic of Korea |
83,370 |
5.33% |
|
Saudi Arabia |
79,834 |
5.21% |
hosted with 鉂y
It’s pretty clear that there are very significant differences across the world in TLS 1.0 usage from country to country. We’ll dig into this in a little bit more detail in a moment but I should just mention for now that the data from China might be inaccurate as (to the best of my knowledge), www.bbc.co.uk and www.bbc.com are currently blocked in China (following our migration to HTTPS) so this could well be proxied/VPN’d traffic rather than traffic direct from users.
It’s interesting to make a comparison with the two countries which make up our largest user-base by request count:
|
Country |
Number of requests |
Percentage of TLS 1.0 usage |
|
Great Britain |
23,778,043 |
1.43% |
|
USA |
2,373,620 |
1.47% |
hosted with 鉂y
These data show what you’d probably guess, they’re similar and are just a little bit below the global values.
Clients
The next most obvious question is perhaps “what is making all these TLS 1.0 requests?”. The global most popular 20 (from over 90,000) user agents are:
|
User Agent |
Browser/OS |
Number of requests |
|
Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0 |
Firefox 26 / Windows 7 |
2,243,786 |
|
CITRIXRECEIVER |
Citrix receiver |
1,762,744 |
|
Nokia6280/2.0 (03.60) Profile/MIDP-2.0 Configuration/CLDC-1.1 |
Nokia model 6280 |
1,054,119 |
|
HTTPClient/3.4.0 (Linux; Android 4.0.3; KFTT Build/IML74K) |
HTTPClient / Android 4 |
1,045,245 |
|
Mozilla/5.0 (compatible; Genieo/1.0 ) |
Firefox / Genio search addon |
892,453 |
|
SGOS/6.7.3.9 (S400-30; Proxy Edition) |
Symantec SGOS (proxy) |
479,035 |
|
Dorado WAP-Browser/1.0.0 |
Dorado |
468,775 |
|
Mozilla/4.0 (ISA Server Connectivity Check) |
Microsoft ISA server (proxy) |
453,251 |
|
Mozilla/6.0 (Windows NT 6.2; WOW64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1 |
Firefox 16 / Windows 8 |
439,674 |
|
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 |
Safari 6 / OSX 10.7 |
387,037 |
|
HTTPClient/4.0.0 (Linux; Android 4.4.4; SM-T560 Build/KTU84P.T560XXU0APL1) |
HTTPClient / Android 4 |
369,724 |
|
Mozilla/5.0 |
Possibly Bluecoat (proxy) |
342,443 |
|
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10 |
Safari 5 / OSX 10.6 |
302,765 |
|
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) |
IE 9 / Windows 7 |
291046 |
|
Mozilla/4.0 |
Possibly Bluecoat (proxy) |
247,455 |
|
ProxySG Appliance |
Symantec SGOS (proxy) |
246,598 |
|
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB7.5; EasyBits GO v1.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; yie8) |
Yahoo IE 7 / Windows XP |
242,294 |
|
HTTPClient/4.0.0 (Linux; Android 4.4.2; SM-T310 Build/KOT49H.T310XXSBQB4) |
HTTPClient / Android 4 |
218,775 |
|
MediaCAT/4.5.1 |
? |
216,015 |
|
HTTPClient/3.4.0 (Linux; Android 4.3; GT-I9300 Build/JSS15J.I9300XXUGMK6) |
HTTPClient / Android 4 |
213,459 |
hosted with 鉂y
So we can see that there are some old desktop web browsers, some feature phones, some proxies and some HTTP libraries, mostly running on older Android versions (mainly Android 2 and 4). Further down the list there are lots more HTTP libraries and web browsers running on Android 2 and 4. We can compare this global view with the 20 most popular user agents from Bosnia and Herzegovina:
|
User Agent |
Browser/OS |
Number of requests |
|
Mozilla/6.0 (Windows NT 6.2; WOW64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1 |
Firefox 16 / Windows 8 |
18,137 |
|
Mozilla/5.0 (compatible; Genieo/1.0 ) |
Firefox / Genio search addon |
1,344 |
|
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) |
IE 9 / Windows ? |
1,251 |
|
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.15 (KHTML, like Gecko) Chrome/24.0.1295.0 Safari/537.15 |
Chrome 24 / Windows 8 |
1,240 |
|
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) |
IE 10 / Windows 7 |
1,229 |
|
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7) |
IE 9 / Windows 7 |
1,228 |
|
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1309.0 Safari/537.17 |
Chrome 24 / OSX 10.8 |
1,213 |
|
Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1 |
Firefox 16 / Windows 8 |
1,213 |
|
Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2 |
Firefox 15 / Windows 7 |
1,194 |
|
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.14 (KHTML, like Gecko) Chrome/24.0.1292.0 Safari/537.14 |
Chrome 24 / Windows 8 |
1,174 |
|
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0) |
IE 9 / Windows ? |
1,171 |
|
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1 |
Firefox 16 / Windows 8 |
1,168 |
|
Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US)) |
IE 10 / Windows ? |
1,156 |
|
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) |
IE 10 / Windows 7 |
1,143 |
|
HTTPClient/3.4.0 (Linux; Android 4.1.2; LG-E440 Build/JZO54K) |
HTTPClient / Android 4 |
164 |
|
Mozilla/5.0 (Linux; U; Android 4.1.2; fr-fr; LG-E610 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 |
Webkit ? / Android 4 |
132 |
|
Mozilla/5.0 (Linux; U; Android 4.2.2; hr-hr; TPC-71203G Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 |
Webkit ? / Android 4 |
125 |
|
HTTPClient/3.4.0 (Linux; Android 4.4.4; E2105 Build/24.0.A.5.14) |
HTTPClient / Android 4 |
98 |
|
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_5_8) AppleWebKit/534.50.2 (KHTML, like Gecko) Version/5.0.6 Safari/533.22.3 |
Safari 5 / OSX 10.5 |
54 |
|
Mozilla/5.0 (Linux; U; Android 4.3; en-; SGH-T999 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 |
Webkit ? / Android 4 |
46 |
hosted with 鉂y
Here we see fewer HTTP libraries, no feature phone or proxies but a greater proliferation of old desktop web browsers, notably lots of Chrome 24 (2013) and Firefox 15 (2012) & 16 (2012). There’s lots of old Android (especially v4, ~2013) in both result sets. Of course the user agent HTTP header is completely spoof-able so there may be some inaccuracies.
The concentration of year of client release is interesting though, I wonder why 2012 and 2013 are so common? It doesn’t seem to be tied directly to a TLS version change since TLS 1.0 was 1999, TLS 1.1 was 2006 and TLS 1.2 was 2008 (though it was revised in 2011). Answers on a postcard (or in a comment) please!
Is there anything we can do to reduce the TLS 1.0 usage?
The short answer, sadly, is “not really”. The longer answer involves waiting for the natural reduction in older Android versions as the devices running those OS’s fail and are replaced, hopefully with something which supports better crypto! The complication to this is in geographies which are not so wasteful as most “western” economies. In India, for example, older devices are much more frequently repaired than in the “west”, often by local repair agents whose skill and ingenuity can keep devices running for much longer than they do elsewhere.
What about TLS 1.1?
As it is for the rest of the industry, our TLS 1.1 usage is much, much lower than TLS 1.0 and TLS 1.2. This is typically because most user agents/Clients which support TLS 1.1 also support TLS 1.2, so TLS 1.1 doesn’t get a big slice of the action. Our data shows no countries with over 10,000 requests in the 3 days of data which also have TLS 1.1 usage above 1%.
Recommendations
Whichever metric(s) you’re looking, ensure that you don’t just look at the global/overall aggregated numbers, which often mask large regional/subset variations. The constituent communities of your audience often differ significantly, so it’s really important to understand how that affects your data and therefore your decision making process.
The same goes for percentages versus absolute numbers鈥—鈥奻or example, 0.2% of a large number of users is, in absolute numbers, still a lot of users. Don’t discount seemingly small fractions of a large user base without checking how many people that fraction represents!
P.S. Thanks to my children, Polly and Stanley, for the illustrations. I couldn’t find any suitable pictures so they drew some for me.