The report – sponsored by Venafi and prepared by security researcher and TLS expert Scott Helme – looked at the world's top one million sites and found that while some progress has been made, machine identities are not always used in the most effective way.
The good news is that the use of TLSv1.2 has declined by 13% over the last six months, and v1.3 is now used by almost half of the top sites.
This is said to have been driven by digital transformation initiatives, cloud migration, and new cloud-native stacks that default to TLSv1.3.
However, the adoption of TLSv1.3 has not been accompanied by a move to stronger keys for TLS machine identities.
According to the report, industry-standard ECDSA keys are now used by 17% of the top million sites (up from 14% six months ago), with slower and less secure RSA keys still being used by 39% of them.
And the adoption of HTTPS has stalled at 72%.
'The fact that companies are deploying TLS v1.3 with machine identities using RSA keys shows there is still a lot of progress to be made with machine identity management. A strong algorithm means very little if it is used in conjunction with a weak key – it's akin to building a stone fortress but leaving the wooden gate unprotected," explained Helme, who is also the founder of Report URI.
"The adoption of newer, more efficient and more secure EDCSA keys has been negligible over the last six months. This, coupled with the fact that HTTPS adoption has plateaued over the last six months, shows that the internet is no safer than it was half a year ago. Cybercriminals are constantly upping the ante, so it's disheartening to see that companies aren't following suit."
Improvement has also been seen in the number of sites using Certificate Authority Authorization (CAA), which is up 13%.
CAA enables organisations to create a list of approved Certificate Authorities, thus making it harder for attackers to introduce bogus certificates from less-rigorous sources.
"The recent boom in cloud migration means every business needs many more TLS machine identities to secure communication between devices, clouds, software, containers and APIs," said Venafi vice president of security strategy and threat intelligence Kevin Bocek.
"The fact that more and more companies are making use of CAAs is a positive sign that companies are waking up to the need for machine identity management. CAA adoption also underscores the urgent need for a machine identity management control plane that can automate the use of machine identities in increasingly complex cloud environments."