Why is 20% of my traffic TLS v1.2 and 3% not secure?

Hi,

I’ve got a ‘Pro Plan’ in CloudFlare and I’ve set the SSL/TLS encryption in Full mode.

Now, I’ve been checking the statistics of the last 24h of the traffic served over TLS, and found:

  • 77% over TLS v1.3 (ok, as far as I understand, this is the optimal traffic, isn’t it?)
  • 20% over TLS v1.2
  • 3% over none (not secure)

I’m wondering why 100% of the traffic is not TLS v1.3. How can I check for any error?

As information, I have the following configurations on the ‘Edge Certificates’ section:

  • Always Use HTTPS: On
  • HTTP Strict Transport Security (HSTS): Disabled
  • Minimum TLS Version: TLS 1.0
  • Opportunistic Encryption: On
  • TLS 1.3: On
  • Automatic HTTPS Rewrites: Off
  • Certificate Transparency Monitoring: Off

Thank you!

TLS v1.3 is still relatively new, and not all user agents support it. Details on deployment are available at https://caniuse.com/#search=TLS%201.3

77% v1.3 is high compared to my own data, I do not think anything is amiss there.

You could set the minimum TLS to v1.2 if you are satisfied nothing too important will lose access. The major browsers (Mozilla, Chrome, Edge and Safari) will stop supporting 1.1 and 1.0 in the next few weeks, and some major websites have announced that they will soon do the same. Doing so will cut off old devices and browsers.

You could reduce the 3% none by enabling HSTS and potentially HSTS preload, but all of your HTTP requests currently hit a redirect due to the “Always Use HTTPS”.


The 3% of not secure are most likely redirects (the first hit will always be counted as not secure if on HTTP, and it will incur a redirect to HTTPS); the other may be a group of devices that do not support TLSv1.3. It’s still there and it will be for a while.

If you want to improve things, enable HSTS (if you are sure you can sustain HTTPS-only for everything forever, especially if you preload it) and set the minimum TLS version to 1.2.


You beat me to it! Dang.

PS: @motop, you should set SSL/TLS mode to Full (Strict) if possible, making sure the origin has a valid certificate. That helps more security-wise than trying to force everyone to TLSv1.3.

I may as well hijack this thread for something I spotted recently. It appears that the AMP Real URL feature makes requests over HTTP, and they do not get the Always Use HTTPS redirect. A snippet from my Cloudflare Logs is below. Is this normal? Are such requests appearing as ‘none’ in my TLS statistics?

{
	"ClientASN": 132892,
	"ClientRequestPath": "/cdn-fpw/sxg/amp/<redacted>/google;v=\"1..2\"/text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8/",
	"ClientRequestProtocol": "HTTP/1.1",
	"ClientRequestReferer": "",
	"ClientRequestURI": "/cdn-fpw/sxg/amp/<redacted>/google;v=\"1..2\"/text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8/",
	"ClientRequestUserAgent": "",
	"ClientSSLCipher": "NONE",
	"ClientSSLProtocol": "none",
	"EdgeResponseStatus": 200,
}
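One way to check what the ‘none’ slice of the TLS statistics actually contains, as an added example that is not from this thread or from Cloudflare: a small Python script that reads newline-delimited Cloudflare request log records (same field names as the snippet above; the sample values are constructed), tallies ClientSSLProtocol, flags plaintext requests that were served rather than redirected to HTTPS, and estimates the share a TLS 1.2 minimum would cut off.

```python
import json
from collections import Counter

# Constructed sample of Cloudflare request log lines (newline-delimited JSON,
# one request per line). Field names follow the log snippet quoted above;
# the values are made up for this example.
SAMPLE_LOGS = """\
{"ClientRequestPath": "/", "ClientSSLProtocol": "TLSv1.3", "ClientSSLCipher": "AEAD-AES128-GCM-SHA256", "EdgeResponseStatus": 200}
{"ClientRequestPath": "/", "ClientSSLProtocol": "TLSv1.2", "ClientSSLCipher": "ECDHE-RSA-AES128-GCM-SHA256", "EdgeResponseStatus": 200}
{"ClientRequestPath": "/index.html", "ClientSSLProtocol": "none", "ClientSSLCipher": "NONE", "EdgeResponseStatus": 301}
{"ClientRequestPath": "/cdn-fpw/sxg/amp/example/", "ClientSSLProtocol": "none", "ClientSSLCipher": "NONE", "EdgeResponseStatus": 200}
{"ClientRequestPath": "/legacy", "ClientSSLProtocol": "TLSv1.0", "ClientSSLCipher": "ECDHE-RSA-AES256-SHA", "EdgeResponseStatus": 200}
"""

LEGACY_PROTOCOLS = ("TLSv1.0", "TLSv1.1")


def summarise_tls(log_text):
    """Return (percentage share per protocol, paths of plaintext requests
    that were served with a non-3xx status instead of being redirected)."""
    counts = Counter()
    unredirected_plaintext = []
    total = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        proto = rec.get("ClientSSLProtocol", "none")
        counts[proto] += 1
        total += 1
        # A plain-HTTP hit that is caught by "Always Use HTTPS" shows up as
        # protocol "none" with a 3xx redirect; a "none" request that was
        # answered with 2xx/4xx/5xx was genuinely served in the clear and is
        # the kind of traffic worth investigating (e.g. a feature that fetches
        # over HTTP and bypasses the redirect).
        if proto == "none" and not 300 <= rec["EdgeResponseStatus"] < 400:
            unredirected_plaintext.append(rec["ClientRequestPath"])
    shares = {p: round(100 * n / total, 1) for p, n in counts.items()}
    return shares, unredirected_plaintext


def legacy_share(shares):
    """Percentage of requests that would be refused by a TLS 1.2 minimum."""
    return sum(shares.get(p, 0.0) for p in LEGACY_PROTOCOLS)


if __name__ == "__main__":
    shares, plaintext = summarise_tls(SAMPLE_LOGS)
    print("protocol shares:", shares)
    print("plaintext requests served without redirect:", plaintext)
    print("share cut off by a TLS 1.2 minimum:", legacy_share(shares), "%")
```

Run it against real Logpush output (one JSON object per line) to see whether the ‘none’ share is only redirects or includes paths that were served over plain HTTP.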

I’m not sure if this is helpful, but after only getting a B in Qualys testing, it was found that changing the CF settings per https://blog.qualys.com/ssllabs/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols?_ga=2.27302332.1675864726.1582487346-454849376.1582487346 has now got me an A+.

I’m using the cf hsts also though (not sure if that matters).
You can check your site here: https://www.ssllabs.com/ssltest/index.html

As for TLSv1.2+ as the minimum, it is recommended because starting in March, as @Michael said, the previous versions will be dropped and are already deprecated. You get penalized for having them enabled.

HSTS gives a boost and is recommended, but one must be sure to be able to support it long term.
