TLS scan results for November 2015
by Hubert Kario
Not much has changed since October, mostly a continuation of established
trends. Curiously, the percentage of servers supporting just AES ciphers
jumped suddenly by just over 3%.
More detailed analysis on my blog:
https://securitypitfalls.wordpress.com/2015/12/07/november-2015-scan-resu...
SSL/TLS survey of 530912 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate
installed)
Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 457179 86.112
3DES Only 577 0.1087
AES 523844 98.6687
AES Only 40463 7.6214
AES-CBC 523220 98.5512
AES-CBC Only 10280 1.9363
AES-GCM 398334 75.0283
AES-GCM Only 481 0.0906
CAMELLIA 217685 41.0021
CAMELLIA Only 1 0.0002
CHACHA20 67665 12.7451
CHACHA20 Only 2 0.0004
Insecure 60479 11.3915
RC4 191727 36.1128
RC4 Only 977 0.184
RC4 Preferred 21462 4.0425
RC4 forced in TLS1.1+ 11194 2.1084
x:FF 29 RC4 Only 1213 0.2285
x:FF 29 RC4 Preferred 23754 4.4742
x:FF 29 incompatible 400 0.0753
x:FF 35 RC4 Only 1476 0.278
x:FF 35 RC4 Preferred 23839 4.4902
x:FF 35 incompatible 402 0.0757
y:DHE-RSA-SEED-SHA 65003 12.2436
y:IDEA-CBC-SHA 59414 11.1909
y:SEED-SHA 76068 14.3278
z:ADH-AES128-GCM-SHA256 396 0.0746
z:ADH-AES128-SHA 744 0.1401
z:ADH-AES128-SHA256 292 0.055
z:ADH-AES256-GCM-SHA384 408 0.0768
z:ADH-AES256-SHA 756 0.1424
z:ADH-AES256-SHA256 293 0.0552
z:ADH-CAMELLIA128-SHA 374 0.0704
z:ADH-CAMELLIA256-SHA 382 0.072
z:ADH-DES-CBC-SHA 303 0.0571
z:ADH-DES-CBC3-SHA 756 0.1424
z:ADH-RC4-MD5 616 0.116
z:ADH-SEED-SHA 305 0.0574
z:AECDH-AES128-SHA 10719 2.019
z:AECDH-AES256-SHA 10755 2.0258
z:AECDH-DES-CBC3-SHA 10685 2.0126
z:AECDH-NULL-SHA 63 0.0119
z:AECDH-RC4-SHA 10125 1.9071
z:DES-CBC-MD5 11270 2.1228
z:DES-CBC-SHA 36559 6.8861
z:DES-CBC3-MD5 23236 4.3766
z:ECDHE-RSA-NULL-SHA 68 0.0128
z:EDH-RSA-DES-CBC-SHA 31274 5.8906
z:EXP-ADH-DES-CBC-SHA 203 0.0382
z:EXP-ADH-RC4-MD5 199 0.0375
z:EXP-DES-CBC-SHA 14643 2.7581
z:EXP-EDH-RSA-DES-CBC-SHA 11812 2.2249
z:EXP-RC2-CBC-MD5 17779 3.3488
z:EXP-RC4-MD5 18577 3.4991
z:EXP1024-DES-CBC-SHA 4531 0.8534
z:EXP1024-RC4-SHA 4613 0.8689
z:IDEA-CBC-MD5 2255 0.4247
z:NULL-MD5 237 0.0446
z:NULL-SHA 236 0.0445
z:NULL-SHA256 32 0.006
z:RC2-CBC-MD5 11512 2.1683
z:RC4-64-MD5 922 0.1737
Cipher ordering Count Percent
-------------------------+---------+-------
Client side 134022 25.2437
Server side 396890 74.7563
Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 896 0.1688
AECDH 10782 2.0308
DHE 289298 54.4908
ECDH 3 0.0006
ECDHE 425231 80.0944
ECDHE and DHE 223210 42.0427
RSA 458647 86.3885
Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 159457 30.0345 55.1186
DH,1536bits 1 0.0002 0.0003
DH,2048bits 121879 22.9565 42.1292
DH,2236bits 14 0.0026 0.0048
DH,3072bits 108 0.0203 0.0373
DH,3092bits 1 0.0002 0.0003
DH,4096bits 7458 1.4048 2.578
DH,512bits 40 0.0075 0.0138
DH,6144bits 1 0.0002 0.0003
DH,768bits 439 0.0827 0.1517
DH,8192bits 2 0.0004 0.0007
ECDH,B-571,570bits 1680 0.3164 0.3951
ECDH,K-571,570bits 1 0.0002 0.0002
ECDH,P-192,192bits 11 0.0021 0.0026
ECDH,P-224,224bits 81 0.0153 0.019
ECDH,P-256,256bits 411892 77.582 96.8631
ECDH,P-384,384bits 3589 0.676 0.844
ECDH,P-521,521bits 9333 1.7579 2.1948
Prefer DH,1024bits 58262 10.9739 20.1391
Prefer DH,1536bits 1 0.0002 0.0003
Prefer DH,2048bits 10378 1.9547 3.5873
Prefer DH,2236bits 1 0.0002 0.0003
Prefer DH,3072bits 13 0.0024 0.0045
Prefer DH,4096bits 392 0.0738 0.1355
Prefer DH,768bits 66 0.0124 0.0228
Prefer ECDH,B-571,570bits 1478 0.2784 0.3476
Prefer ECDH,K-571,570bits 1 0.0002 0.0002
Prefer ECDH,P-224,224bits 78 0.0147 0.0183
Prefer ECDH,P-256,256bits 370937 69.8679 87.2319
Prefer ECDH,P-384,384bits 3291 0.6199 0.7739
Prefer ECDH,P-521,521bits 8426 1.5871 1.9815
Prefer PFS 453324 85.3859 0
Support PFS 491319 92.5425 0
Supported ECC curves Count Percent
-------------------------+---------+--------
brainpoolP256r1 2073 0.3905
brainpoolP384r1 2074 0.3906
brainpoolP512r1 2074 0.3906
prime192v1 1449 0.2729
prime256v1 422425 79.5659
prime256v1 Only 368568 69.4217
secp160k1 1406 0.2648
secp160r1 1411 0.2658
secp160r2 1406 0.2648
secp192k1 1423 0.268
secp224k1 1491 0.2808
secp224r1 4011 0.7555
secp256k1 3482 0.6559
secp384r1 54256 10.2194
secp384r1 Only 444 0.0836
secp521r1 23612 4.4474
secp521r1 Only 128 0.0241
sect163k1 1415 0.2665
sect163k1 Only 2 0.0004
sect163r1 1413 0.2661
sect163r2 1409 0.2654
sect193r1 1409 0.2654
sect193r2 1407 0.265
sect233k1 1486 0.2799
sect233r1 1486 0.2799
sect239k1 1486 0.2799
sect283k1 3447 0.6493
sect283k1 Only 2 0.0004
sect283r1 3442 0.6483
sect409k1 3444 0.6487
sect409r1 3443 0.6485
sect571k1 3454 0.6506
sect571r1 3454 0.6506
Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 69315 13.0558
True 299493 56.411
order-specific 82 0.0154
unknown 162022 30.5177
ECC curve ordering Count Percent
-------------------------+---------+--------
client 5116 0.9636
inconclusive-noecc 8 0.0015
server 417915 78.7164
unknown 107873 20.3184
TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 39752 7.4875
ECDSA-SHA1 Only 2 0.0004
ECDSA-SHA224 39755 7.4881
ECDSA-SHA256 53701 10.1149
ECDSA-SHA384 53712 10.1169
ECDSA-SHA512 53734 10.1211
ECDSA-SHA512 Only 22 0.0041
RSA-MD5 164964 31.0718
RSA-SHA1 368019 69.3183
RSA-SHA1 Only 42674 8.0379
RSA-SHA224 303273 57.123
RSA-SHA256 332849 62.6938
RSA-SHA256 Only 6204 1.1686
RSA-SHA384 304966 57.4419
RSA-SHA384 Only 1 0.0002
RSA-SHA512 305210 57.4879
RSA-SHA512 Only 277 0.0522
TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 233407 43.9634
indeterminate 45 0.0085
intolerant 4576 0.8619
order-fallback 8 0.0015
server 177923 33.5127
unsupported 21601 4.0687
TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 39724 7.4822
ECDSA intolerant 116 0.0218
ECDSA pfs-rsa-SHA512 13917 2.6213
ECDSA soft-nopfs 3 0.0006
RSA False 163706 30.8349
RSA SHA1 176523 33.249
RSA intolerant 35829 6.7486
RSA pfs-ecdsa-SHA512 27 0.0051
RSA soft-nopfs 1308 0.2464
Renegotiation Count Percent
-------------------------+---------+--------
False 6621 1.2471
insecure 18673 3.5172
secure 505618 95.2357
Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 9772 1.8406
False 6621 1.2471
NONE 514519 96.9123
TLS session ticket hint Count Percent
-------------------------+---------+--------
1 4 0.0008
1 only 4 0.0008
2 2 0.0004
2 only 2 0.0004
10 11 0.0021
10 only 11 0.0021
15 10 0.0019
15 only 10 0.0019
30 10 0.0019
30 only 9 0.0017
60 97 0.0183
60 only 90 0.017
65 2 0.0004
65 only 2 0.0004
70 6 0.0011
100 15 0.0028
100 only 15 0.0028
120 27 0.0051
120 only 27 0.0051
128 2 0.0004
128 only 2 0.0004
150 2 0.0004
180 41 0.0077
180 only 38 0.0072
240 5 0.0009
240 only 5 0.0009
300 244735 46.0971
300 only 240267 45.2555
302 3 0.0006
302 only 3 0.0006
360 2 0.0004
360 only 1 0.0002
400 8 0.0015
400 only 8 0.0015
420 124 0.0234
420 only 97 0.0183
450 1 0.0002
450 only 1 0.0002
480 13 0.0024
480 only 13 0.0024
500 3 0.0006
500 only 3 0.0006
540 1 0.0002
540 only 1 0.0002
600 26475 4.9867
600 only 26305 4.9547
700 1 0.0002
700 only 1 0.0002
720 1 0.0002
720 only 1 0.0002
840 1 0.0002
840 only 1 0.0002
900 878 0.1654
900 only 861 0.1622
960 2 0.0004
960 only 2 0.0004
1200 2334 0.4396
1200 only 2330 0.4389
1320 1 0.0002
1320 only 1 0.0002
1500 9 0.0017
1500 only 8 0.0015
1800 499 0.094
1800 only 490 0.0923
1980 1 0.0002
1980 only 1 0.0002
2100 1 0.0002
2100 only 1 0.0002
2400 8 0.0015
2400 only 8 0.0015
2700 10 0.0019
2700 only 10 0.0019
3000 26 0.0049
3000 only 26 0.0049
3600 573 0.1079
3600 only 560 0.1055
3900 3 0.0006
3900 only 3 0.0006
4200 1 0.0002
5160 1 0.0002
5160 only 1 0.0002
5400 13 0.0024
5400 only 6 0.0011
6000 179 0.0337
6000 only 179 0.0337
7200 15645 2.9468
7200 only 15623 2.9427
10800 3114 0.5865
10800 only 3110 0.5858
14400 99 0.0186
14400 only 99 0.0186
18000 8 0.0015
18000 only 8 0.0015
21600 4849 0.9133
21600 only 4637 0.8734
25200 1 0.0002
25200 only 1 0.0002
28800 3555 0.6696
28800 only 3543 0.6673
36000 1157 0.2179
36000 only 1150 0.2166
43200 40 0.0075
43200 only 40 0.0075
60000 1 0.0002
60000 only 1 0.0002
64800 51789 9.7547
64800 only 51762 9.7496
72000 29 0.0055
72000 only 29 0.0055
84600 1 0.0002
84600 only 1 0.0002
86000 39 0.0073
86000 only 39 0.0073
86400 3482 0.6559
86400 only 3471 0.6538
100800 10699 2.0152
100800 only 10688 2.0131
129600 10 0.0019
129600 only 10 0.0019
172800 9 0.0017
172800 only 9 0.0017
216000 2 0.0004
216000 only 2 0.0004
432000 2 0.0004
432000 only 2 0.0004
604800 5 0.0009
604800 only 3 0.0006
864000 3 0.0006
864000 only 3 0.0006
None 165273 31.13
None only 160236 30.1813
Certificate sig alg Count Percent
-------------------------+---------+--------
None 11419 2.1508
ecdsa-with-SHA256 53709 10.1164
sha1WithRSAEncryption 79229 14.9232
sha256WithRSAEncryption 413158 77.8204
sha384WithRSAEncryption 6 0.0011
sha512WithRSAEncryption 33 0.0062
Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 53748 10.1237
ECDSA 384 12 0.0023
ECDSA 521 1 0.0002
RSA 1024 38 0.0072
RSA 10240 8 0.0015
RSA 2048 470388 88.6
RSA 2049 4 0.0008
RSA 2056 1 0.0002
RSA 2058 2 0.0004
RSA 2064 1 0.0002
RSA 2084 3 0.0006
RSA 2096 1 0.0002
RSA 2408 2 0.0004
RSA 2432 2 0.0004
RSA 2480 1 0.0002
RSA 3071 1 0.0002
RSA 3072 144 0.0271
RSA 3096 2 0.0004
RSA 3120 2 0.0004
RSA 3248 2 0.0004
RSA 4042 1 0.0002
RSA 4048 1 0.0002
RSA 4056 22 0.0041
RSA 4069 1 0.0002
RSA 4086 1 0.0002
RSA 4092 6 0.0011
RSA 4094 1 0.0002
RSA 4096 20509 3.863
RSA 4098 1 0.0002
RSA 4196 1 0.0002
RSA 8192 3 0.0006
RSA/ECDSA Dual Stack 13986 2.6343
OCSP stapling Count Percent
-------------------------+---------+--------
Supported 115313 21.7198
Unsupported 415599 78.2802
Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 23492 4.4248
SSL2 Only 19 0.0036
SSL3 121502 22.8855
SSL3 Only 470 0.0885
SSL3 or TLS1 Only 68017 12.8114
SSL3 or lower Only 487 0.0917
TLS1 525297 98.9424
TLS1 Only 40462 7.6212
TLS1 or lower Only 89960 16.9444
TLS1.1 427273 80.4791
TLS1.1 Only 312 0.0588
TLS1.1 or up Only 4757 0.896
TLS1.2 437543 82.4135
TLS1.2 Only 2067 0.3893
TLS1.2, 1.0 but not 1.1 11005 2.0728
Statistics from 566530 chains provided by 702674 hosts
Server provided chains Count Percent
-------------------------+---------+-------
complete 500948 71.2917
incomplete 27324 3.8886
untrusted 174402 24.8198
Trusted chain statistics
========================
Chain length Count Percent
-------------------------+---------+-------
2 40 0.0071
3 564250 99.5975
4 2220 0.3919
5 20 0.0035
CA key size in chains Count
-------------------------+---------
ECDSA 256 53700
ECDSA 384 53703
RSA 1024 38
RSA 2045 3
RSA 2048 886848
RSA 4096 140988
Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 53700 9.4788
ECDSA 384 53703 9.4793
RSA 1024 36 0.0064
RSA 2045 3 0.0005
RSA 2048 512489 90.4611
RSA 4096 140488 24.798
Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 53695
sha1WithRSAEncryption 87476
sha256WithRSAEncryption 301918
sha384WithRSAEncryption 125587
sha512WithRSAEncryption 74
Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 87515 15.4475
112 425304 75.0718
128 53711 9.4807
Root CAs Count Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 116038 20.4822
(2c543cd1) GeoTrust Global CA 109648 19.3543
(eed8c118) COMODO ECC Certification Authority 53687 9.4765
(cbf06781) Go Daddy Root Certificate Authorit 48182 8.5048
(5ad8a5d6) GlobalSign Root CA 44132 7.7899
(b204d74a) VeriSign Class 3 Public Primary Ce 32386 5.7166
(244b5494) DigiCert High Assurance EV Root CA 26649 4.7039
(2e4eed3c) thawte Primary Root CA 22839 4.0314
(157753a5) AddTrust External CA Root 21671 3.8252
(653b494a) Baltimore CyberTrust Root 12055 2.1279
(fc5a8f99) USERTrust RSA Certification Author 9450 1.668
(ae8153b9) StartCom Certification Authority 9327 1.6463
(4bfab552) Starfield Root Certificate Authori 9162 1.6172
(3513523f) DigiCert Global Root CA 8636 1.5244
Scan performed between 22nd November and 3rd of December 2015
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
TLS scan results for October 2015
by Hubert Kario
The biggest change since July is that over 10% fewer servers use
certificates with SHA-1 signatures.
Because I was rather busy for the past few months, I wasn't able to work
on the scan analysis on time. So this month's analysis is on a longer
time scale.
More detailed analysis on my blog:
https://securitypitfalls.wordpress.com/2015/11/29/october-2015-scan-results/
SSL/TLS survey of 523658 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate
installed)
Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 450366 86.0038
3DES Only 598 0.1142
AES 516026 98.5426
AES Only 22924 4.3777
AES-CBC 515568 98.4551
AES-CBC Only 10087 1.9263
AES-GCM 388464 74.1828
AES-GCM Only 378 0.0722
CAMELLIA 234209 44.7256
CAMELLIA Only 3 0.0006
CHACHA20 64701 12.3556
CHACHA20 Only 1 0.0002
Insecure 61963 11.8327
RC4 213861 40.8398
RC4 Only 1101 0.2103
RC4 Preferred 22873 4.3679
RC4 forced in TLS1.1+ 11792 2.2519
x:FF 29 RC4 Only 1377 0.263
x:FF 29 RC4 Preferred 26049 4.9744
x:FF 29 incompatible 312 0.0596
x:FF 35 RC4 Only 1656 0.3162
x:FF 35 RC4 Preferred 26149 4.9935
x:FF 35 incompatible 315 0.0602
y:DHE-RSA-SEED-SHA 84215 16.0821
y:IDEA-CBC-SHA 78851 15.0577
y:SEED-SHA 95873 18.3083
z:ADH-AES128-GCM-SHA256 395 0.0754
z:ADH-AES128-SHA 756 0.1444
z:ADH-AES128-SHA256 295 0.0563
z:ADH-AES256-GCM-SHA384 403 0.077
z:ADH-AES256-SHA 764 0.1459
z:ADH-AES256-SHA256 297 0.0567
z:ADH-CAMELLIA128-SHA 380 0.0726
z:ADH-CAMELLIA256-SHA 388 0.0741
z:ADH-DES-CBC-SHA 305 0.0582
z:ADH-DES-CBC3-SHA 775 0.148
z:ADH-RC4-MD5 638 0.1218
z:ADH-SEED-SHA 313 0.0598
z:AECDH-AES128-SHA 11266 2.1514
z:AECDH-AES256-SHA 11290 2.156
z:AECDH-DES-CBC3-SHA 11231 2.1447
z:AECDH-NULL-SHA 59 0.0113
z:AECDH-RC4-SHA 10599 2.024
z:DES-CBC-MD5 11791 2.2517
z:DES-CBC-SHA 36853 7.0376
z:DES-CBC3-MD5 24006 4.5843
z:ECDHE-RSA-NULL-SHA 63 0.012
z:EDH-RSA-DES-CBC-SHA 31633 6.0408
z:EXP-ADH-DES-CBC-SHA 208 0.0397
z:EXP-ADH-RC4-MD5 205 0.0391
z:EXP-DES-CBC-SHA 15360 2.9332
z:EXP-EDH-RSA-DES-CBC-SHA 12356 2.3596
z:EXP-RC2-CBC-MD5 18735 3.5777
z:EXP-RC4-MD5 19564 3.736
z:EXP1024-DES-CBC-SHA 4870 0.93
z:EXP1024-RC4-SHA 4967 0.9485
z:IDEA-CBC-MD5 2349 0.4486
z:NULL-MD5 227 0.0433
z:NULL-SHA 232 0.0443
z:NULL-SHA256 29 0.0055
z:RC2-CBC-MD5 12033 2.2979
z:RC4-64-MD5 968 0.1849
Cipher ordering Count Percent
-------------------------+---------+-------
Client side 134694 25.7217
Server side 388964 74.2783
Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 903 0.1724
AECDH 11321 2.1619
DHE 286818 54.772
ECDH 3 0.0006
ECDHE 415495 79.3447
ECDHE and DHE 219028 41.8265
RSA 471189 89.9803
Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 162798 31.0886 56.76
DH,1536bits 1 0.0002 0.0003
DH,2048bits 116370 22.2225 40.5728
DH,2236bits 11 0.0021 0.0038
DH,2432bits 1 0.0002 0.0003
DH,3072bits 109 0.0208 0.038
DH,3092bits 1 0.0002 0.0003
DH,4094bits 1 0.0002 0.0003
DH,4096bits 7102 1.3562 2.4761
DH,512bits 43 0.0082 0.015
DH,768bits 450 0.0859 0.1569
DH,8192bits 2 0.0004 0.0007
ECDH,B-571,570bits 1628 0.3109 0.3918
ECDH,K-163,163bits 1 0.0002 0.0002
ECDH,K-571,570bits 1 0.0002 0.0002
ECDH,P-192,192bits 8 0.0015 0.0019
ECDH,P-224,224bits 71 0.0136 0.0171
ECDH,P-256,256bits 402982 76.9552 96.9884
ECDH,P-384,384bits 2860 0.5462 0.6883
ECDH,P-521,521bits 8826 1.6855 2.1242
Prefer DH,1024bits 59986 11.4552 20.9143
Prefer DH,1536bits 1 0.0002 0.0003
Prefer DH,2048bits 9957 1.9014 3.4715
Prefer DH,3072bits 13 0.0025 0.0045
Prefer DH,4096bits 345 0.0659 0.1203
Prefer DH,768bits 65 0.0124 0.0227
Prefer ECDH,B-571,570bits 1429 0.2729 0.3439
Prefer ECDH,K-163,163bits 1 0.0002 0.0002
Prefer ECDH,K-571,570bits 1 0.0002 0.0002
Prefer ECDH,P-224,224bits 55 0.0105 0.0132
Prefer ECDH,P-256,256bits 358890 68.5352 86.3765
Prefer ECDH,P-384,384bits 2659 0.5078 0.64
Prefer ECDH,P-521,521bits 7931 1.5145 1.9088
Prefer PFS 441333 84.2789 0
Support PFS 483285 92.2902 0
Supported ECC curves Count Percent
-------------------------+---------+--------
brainpoolP256r1 1825 0.3485
brainpoolP384r1 1827 0.3489
brainpoolP512r1 1828 0.3491
prime192v1 1461 0.279
prime256v1 413390 78.9427
prime256v1 Only 360620 68.8656
secp160k1 1415 0.2702
secp160r1 1422 0.2716
secp160r2 1414 0.27
secp192k1 1433 0.2737
secp224k1 1489 0.2843
secp224r1 3846 0.7344
secp256k1 3218 0.6145
secp384r1 53089 10.1381
secp384r1 Only 364 0.0695
secp521r1 22417 4.2808
secp521r1 Only 125 0.0239
sect163k1 1415 0.2702
sect163k1 Only 1 0.0002
sect163r1 1414 0.27
sect163r2 1414 0.27
sect193r1 1412 0.2696
sect193r2 1412 0.2696
sect233k1 1482 0.283
sect233r1 1481 0.2828
sect239k1 1481 0.2828
sect283k1 3187 0.6086
sect283r1 3187 0.6086
sect409k1 3189 0.609
sect409r1 3189 0.609
sect571k1 3201 0.6113
sect571r1 3201 0.6113
Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 70006 13.3686
True 291129 55.5953
order-specific 72 0.0137
unknown 162451 31.0223
ECC curve ordering Count Percent
-------------------------+---------+--------
client 4674 0.8926
inconclusive-noecc 10 0.0019
server 409225 78.1474
unknown 109749 20.9581
TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 38366 7.3265
ECDSA-SHA1 Only 3 0.0006
ECDSA-SHA224 38357 7.3248
ECDSA-SHA256 49346 9.4233
ECDSA-SHA384 49344 9.4229
ECDSA-SHA512 49347 9.4235
ECDSA-SHA512 Only 3 0.0006
RSA-MD5 168481 32.1739
RSA-SHA1 361209 68.978
RSA-SHA1 Only 43815 8.3671
RSA-SHA224 296284 56.5797
RSA-SHA256 324294 61.9286
RSA-SHA256 Only 5869 1.1208
RSA-SHA384 297506 56.813
RSA-SHA384 Only 1 0.0002
RSA-SHA512 297620 56.8348
RSA-SHA512 Only 137 0.0262
TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 238653 45.5742
indeterminate 202 0.0386
intolerant 4295 0.8202
order-fallback 10 0.0019
server 163641 31.2496
unsupported 21408 4.0882
TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 38349 7.3233
ECDSA intolerant 24 0.0046
ECDSA pfs-rsa-SHA512 10983 2.0974
ECDSA soft-nopfs 1 0.0002
RSA False 167225 31.934
RSA SHA1 166732 31.8399
RSA intolerant 34038 6.5
RSA pfs-ecdsa-SHA512 5 0.001
RSA soft-nopfs 1316 0.2513
Renegotiation Count Percent
-------------------------+---------+--------
False 6661 1.272
insecure 19263 3.6785
secure 497734 95.0494
Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 9887 1.8881
False 6661 1.272
NONE 507110 96.8399
TLS session ticket hint Count Percent
-------------------------+---------+--------
1 2 0.0004
1 only 2 0.0004
2 2 0.0004
2 only 2 0.0004
5 2 0.0004
5 only 2 0.0004
10 8 0.0015
10 only 8 0.0015
15 9 0.0017
15 only 9 0.0017
30 10 0.0019
30 only 9 0.0017
60 96 0.0183
60 only 89 0.017
65 1 0.0002
65 only 1 0.0002
70 7 0.0013
75 1 0.0002
75 only 1 0.0002
100 18 0.0034
100 only 18 0.0034
120 26 0.005
120 only 26 0.005
128 3 0.0006
128 only 3 0.0006
150 2 0.0004
180 42 0.008
180 only 39 0.0074
200 1 0.0002
200 only 1 0.0002
240 12 0.0023
240 only 12 0.0023
300 242606 46.3291
300 only 238057 45.4604
302 3 0.0006
302 only 3 0.0006
360 2 0.0004
360 only 1 0.0002
400 8 0.0015
400 only 8 0.0015
420 119 0.0227
420 only 88 0.0168
480 12 0.0023
480 only 12 0.0023
500 5 0.001
500 only 5 0.001
540 1 0.0002
540 only 1 0.0002
600 25719 4.9114
600 only 25574 4.8837
700 1 0.0002
700 only 1 0.0002
720 2 0.0004
720 only 2 0.0004
840 1 0.0002
840 only 1 0.0002
900 781 0.1491
900 only 766 0.1463
960 2 0.0004
960 only 2 0.0004
1200 2230 0.4259
1200 only 2222 0.4243
1320 1 0.0002
1320 only 1 0.0002
1500 10 0.0019
1500 only 9 0.0017
1800 490 0.0936
1800 only 476 0.0909
2100 1 0.0002
2100 only 1 0.0002
2400 8 0.0015
2400 only 8 0.0015
2700 8 0.0015
2700 only 8 0.0015
3000 23 0.0044
3000 only 23 0.0044
3600 575 0.1098
3600 only 566 0.1081
3900 1 0.0002
3900 only 1 0.0002
4100 1 0.0002
4100 only 1 0.0002
4200 1 0.0002
5160 1 0.0002
5160 only 1 0.0002
5400 20 0.0038
5400 only 8 0.0015
6000 66 0.0126
6000 only 66 0.0126
7200 14981 2.8608
7200 only 14963 2.8574
10800 2576 0.4919
10800 only 2570 0.4908
14400 102 0.0195
14400 only 102 0.0195
18000 7 0.0013
18000 only 7 0.0013
21600 4999 0.9546
21600 only 4999 0.9546
25200 1 0.0002
25200 only 1 0.0002
28800 2018 0.3854
28800 only 1601 0.3057
36000 1153 0.2202
36000 only 1144 0.2185
43200 34 0.0065
43200 only 34 0.0065
60000 1 0.0002
60000 only 1 0.0002
64800 53897 10.2924
64800 only 53896 10.2922
72000 16 0.0031
72000 only 16 0.0031
84600 1 0.0002
84600 only 1 0.0002
86000 39 0.0074
86000 only 39 0.0074
86400 3516 0.6714
86400 only 3512 0.6707
100800 10300 1.9669
100800 only 10290 1.965
129600 9 0.0017
129600 only 9 0.0017
172800 6 0.0011
172800 only 6 0.0011
216000 1 0.0002
216000 only 1 0.0002
432000 2 0.0004
432000 only 2 0.0004
604800 1 0.0002
864000 4 0.0008
864000 only 4 0.0008
None 162322 30.9977
None only 157058 29.9925
Certificate sig alg Count Percent
-------------------------+---------+--------
None 11981 2.2879
ecdsa-with-SHA256 49307 9.4159
sha1WithRSAEncryption 86227 16.4663
sha256WithRSAEncryption 399420 76.275
sha384WithRSAEncryption 6 0.0011
sha512WithRSAEncryption 28 0.0053
Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 49343 9.4228
ECDSA 384 15 0.0029
RSA 1024 56 0.0107
RSA 10240 8 0.0015
RSA 2047 1 0.0002
RSA 2048 464934 88.7858
RSA 2049 4 0.0008
RSA 2056 4 0.0008
RSA 2058 2 0.0004
RSA 2064 2 0.0004
RSA 2084 4 0.0008
RSA 2096 2 0.0004
RSA 2408 2 0.0004
RSA 2432 1 0.0002
RSA 2480 1 0.0002
RSA 3071 1 0.0002
RSA 3072 127 0.0243
RSA 3096 2 0.0004
RSA 3248 2 0.0004
RSA 4042 1 0.0002
RSA 4048 1 0.0002
RSA 4056 25 0.0048
RSA 4069 3 0.0006
RSA 4086 2 0.0004
RSA 4092 6 0.0011
RSA 4094 1 0.0002
RSA 4096 20149 3.8477
RSA 4098 1 0.0002
RSA 8192 4 0.0008
RSA/ECDSA Dual Stack 11039 2.1081
OCSP stapling Count Percent
-------------------------+---------+--------
Supported 113302 21.6366
Unsupported 410356 78.3634
Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 24244 4.6297
SSL2 Only 19 0.0036
SSL3 122263 23.3479
SSL3 Only 484 0.0924
SSL3 or TLS1 Only 69496 13.2713
SSL3 or lower Only 503 0.0961
TLS1 518406 98.9971
TLS1 Only 41584 7.9411
TLS1 or lower Only 92178 17.6027
TLS1.1 418156 79.8529
TLS1.1 Only 267 0.051
TLS1.1 or up Only 4492 0.8578
TLS1.2 428200 81.7709
TLS1.2 Only 1845 0.3523
TLS1.2, 1.0 but not 1.1 10863 2.0744
Statistics from 549280 chains provided by 697275 hosts
Server provided chains Count Percent
-------------------------+---------+-------
complete 487661 69.9381
incomplete 27391 3.9283
untrusted 182223 26.1336
Trusted chain statistics
========================
Chain length Count Percent
-------------------------+---------+-------
2 114 0.0208
3 547038 99.5918
4 2101 0.3825
5 27 0.0049
CA key size in chains Count
-------------------------+---------
ECDSA 256 48991
ECDSA 384 48992
RSA 1024 101
RSA 2045 3
RSA 2048 865095
RSA 4096 137419
Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 48991 8.9191
ECDSA 384 48992 8.9193
RSA 1024 99 0.018
RSA 2045 3 0.0005
RSA 2048 499889 91.008
RSA 4096 136911 24.9255
Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 48986
sha1WithRSAEncryption 92825
sha256WithRSAEncryption 287083
sha384WithRSAEncryption 122355
sha512WithRSAEncryption 72
Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 92922 16.9171
112 407358 74.1622
128 49000 8.9208
Root CAs Count Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 113492 20.662
(2c543cd1) GeoTrust Global CA 107601 19.5895
(eed8c118) COMODO ECC Certification Authority 48977 8.9166
(cbf06781) Go Daddy Root Certificate Authorit 47939 8.7276
(5ad8a5d6) GlobalSign Root CA 44123 8.0329
(b204d74a) VeriSign Class 3 Public Primary Ce 29359 5.345
(244b5494) DigiCert High Assurance EV Root CA 25999 4.7333
(2e4eed3c) thawte Primary Root CA 23372 4.255
(157753a5) AddTrust External CA Root 20188 3.6754
(653b494a) Baltimore CyberTrust Root 12053 2.1943
(ae8153b9) StartCom Certification Authority 9139 1.6638
(fc5a8f99) USERTrust RSA Certification Author 8775 1.5975
(3513523f) DigiCert Global Root CA 8281 1.5076
(4bfab552) Starfield Root Certificate Authori 8226 1.4976
(480720ec) GeoTrust Primary Certification Aut 5570 1.0141
Scan performed between 19th of October and 9th of November 2015
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
TLS scan results for September 2015
by Hubert Kario
No analysis for this month, sorry.
SSL/TLS survey of 514491 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate
installed)
Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 441032 85.722
3DES Only 662 0.1287
AES 506240 98.3963
AES Only 20155 3.9175
AES-CBC 506132 98.3753
AES-CBC Only 9532 1.8527
AES-GCM 372880 72.4755
AES-GCM Only 53 0.0103
CAMELLIA 228600 44.4323
CAMELLIA Only 1 0.0002
CHACHA20 63632 12.368
CHACHA20 Only 1 0.0002
Insecure 64742 12.5837
RC4 231507 44.9973
RC4 Only 1252 0.2433
RC4 Preferred 27685 5.381
RC4 forced in TLS1.1+ 15710 3.0535
x:FF 29 RC4 Only 1532 0.2978
x:FF 29 RC4 Preferred 31430 6.109
x:FF 29 incompatible 137 0.0266
x:FF 35 RC4 Only 1845 0.3586
x:FF 35 RC4 Preferred 31550 6.1323
x:FF 35 incompatible 138 0.0268
y:DHE-RSA-SEED-SHA 86011 16.7177
y:IDEA-CBC-SHA 78923 15.34
y:SEED-SHA 96111 18.6808
z:ADH-AES128-GCM-SHA256 333 0.0647
z:ADH-AES128-SHA 745 0.1448
z:ADH-AES128-SHA256 236 0.0459
z:ADH-AES256-GCM-SHA384 343 0.0667
z:ADH-AES256-SHA 749 0.1456
z:ADH-AES256-SHA256 236 0.0459
z:ADH-CAMELLIA128-SHA 344 0.0669
z:ADH-CAMELLIA256-SHA 350 0.068
z:ADH-DES-CBC-SHA 321 0.0624
z:ADH-DES-CBC3-SHA 759 0.1475
z:ADH-RC4-MD5 621 0.1207
z:ADH-SEED-SHA 272 0.0529
z:AECDH-AES128-SHA 12374 2.4051
z:AECDH-AES256-SHA 12403 2.4107
z:AECDH-DES-CBC3-SHA 12331 2.3967
z:AECDH-NULL-SHA 55 0.0107
z:AECDH-RC4-SHA 11656 2.2655
z:DES-CBC-MD5 12201 2.3715
z:DES-CBC-SHA 37676 7.323
z:DES-CBC3-MD5 24906 4.8409
z:ECDHE-RSA-NULL-SHA 59 0.0115
z:EDH-RSA-DES-CBC-SHA 32341 6.286
z:EXP-ADH-DES-CBC-SHA 225 0.0437
z:EXP-ADH-RC4-MD5 222 0.0431
z:EXP-DES-CBC-SHA 16253 3.159
z:EXP-EDH-RSA-DES-CBC-SHA 13136 2.5532
z:EXP-RC2-CBC-MD5 19785 3.8455
z:EXP-RC4-MD5 20799 4.0426
z:EXP1024-DES-CBC-SHA 5124 0.9959
z:EXP1024-RC4-SHA 5211 1.0128
z:IDEA-CBC-MD5 2368 0.4603
z:NULL-MD5 228 0.0443
z:NULL-SHA 231 0.0449
z:NULL-SHA256 22 0.0043
z:RC2-CBC-MD5 12471 2.4239
z:RC4-64-MD5 1000 0.1944
Cipher ordering Count Percent
-------------------------+---------+-------
Client side 131154 25.492
Server side 383337 74.508
Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 872 0.1695
AECDH 12430 2.416
DHE 282349 54.8793
ECDH 3 0.0006
ECDHE 400761 77.8947
ECDHE and DHE 210872 40.9865
RSA 466026 90.58
Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 176947 34.3926 62.6696
DH,1536bits 1 0.0002 0.0004
DH,2048bits 97579 18.9661 34.5597
DH,2236bits 10 0.0019 0.0035
DH,2560bits 1 0.0002 0.0004
DH,3072bits 1027 0.1996 0.3637
DH,3092bits 1 0.0002 0.0004
DH,4096bits 6303 1.2251 2.2323
DH,512bits 53 0.0103 0.0188
DH,768bits 502 0.0976 0.1778
DH,8192bits 1 0.0002 0.0004
ECDH,B-163,163bits 1 0.0002 0.0002
ECDH,B-571,570bits 1514 0.2943 0.3778
ECDH,K-163,163bits 1 0.0002 0.0002
ECDH,K-571,570bits 1 0.0002 0.0002
ECDH,P-192,192bits 2 0.0004 0.0005
ECDH,P-224,224bits 89 0.0173 0.0222
ECDH,P-256,256bits 389270 75.6612 97.1327
ECDH,P-384,384bits 2668 0.5186 0.6657
ECDH,P-521,521bits 8073 1.5691 2.0144
Prefer DH,1024bits 63712 12.3835 22.565
Prefer DH,1536bits 1 0.0002 0.0004
Prefer DH,2048bits 9342 1.8158 3.3087
Prefer DH,2236bits 1 0.0002 0.0004
Prefer DH,3072bits 14 0.0027 0.005
Prefer DH,4096bits 342 0.0665 0.1211
Prefer DH,768bits 102 0.0198 0.0361
Prefer ECDH,B-163,163bits 1 0.0002 0.0002
Prefer ECDH,B-571,570bits 1305 0.2536 0.3256
Prefer ECDH,K-163,163bits 1 0.0002 0.0002
Prefer ECDH,K-571,570bits 1 0.0002 0.0002
Prefer ECDH,P-224,224bits 55 0.0107 0.0137
Prefer ECDH,P-256,256bits 337269 65.5539 84.1571
Prefer ECDH,P-384,384bits 2525 0.4908 0.6301
Prefer ECDH,P-521,521bits 7266 1.4123 1.8131
Prefer PFS 421937 82.0106 0
Support PFS 472238 91.7874 0
Supported ECC curves Count Percent
-------------------------+---------+--------
brainpoolP256r1 1285 0.2498
brainpoolP384r1 1285 0.2498
brainpoolP512r1 1285 0.2498
prime192v1 1409 0.2739
prime256v1 399379 77.626
prime256v1 Only 346484 67.345
secp160k1 1372 0.2667
secp160r1 1376 0.2674
secp160r2 1372 0.2667
secp192k1 1393 0.2708
secp224k1 1466 0.2849
secp224r1 3478 0.676
secp224r1 Only 2 0.0004
secp256k1 2664 0.5178
secp384r1 53002 10.3018
secp384r1 Only 342 0.0665
secp521r1 22491 4.3715
secp521r1 Only 118 0.0229
sect163k1 1376 0.2674
sect163k1 Only 2 0.0004
sect163r1 1374 0.2671
sect163r2 1375 0.2673
sect163r2 Only 1 0.0002
sect193r1 1374 0.2671
sect193r2 1374 0.2671
sect233k1 1460 0.2838
sect233r1 1458 0.2834
sect239k1 1458 0.2834
sect283k1 2637 0.5125
sect283r1 2637 0.5125
sect409k1 2637 0.5125
sect409r1 2637 0.5125
sect571k1 2650 0.5151
sect571r1 2650 0.5151
Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 69342 13.4778
True 279091 54.246
order-specific 247 0.048
unknown 165811 32.2282
ECC curve ordering Count Percent
-------------------------+---------+--------
client 4128 0.8023
inconclusive-noecc 10 0.0019
server 395723 76.9154
unknown 114630 22.2803
TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 36846 7.1616
ECDSA-SHA1 Only 3 0.0006
ECDSA-SHA224 36847 7.1618
ECDSA-SHA256 36861 7.1646
ECDSA-SHA384 36862 7.1648
ECDSA-SHA512 36877 7.1677
ECDSA-SHA512 Only 15 0.0029
RSA-MD5 169404 32.9265
RSA-SHA1 349277 67.8879
RSA-SHA1 Only 46373 9.0134
RSA-SHA224 283789 55.1592
RSA-SHA256 309288 60.1153
RSA-SHA256 Only 5302 1.0305
RSA-SHA384 284974 55.3895
RSA-SHA384 Only 1 0.0002
RSA-SHA512 285175 55.4286
RSA-SHA512 Only 218 0.0424
TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 247485 48.1029
indeterminate 113 0.022
intolerant 3917 0.7613
order-fallback 6 0.0012
server 141461 27.4953
unsupported 22160 4.3072
TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 36832 7.1589
ECDSA intolerant 63 0.0122
ECDSA pfs-rsa-SHA512 1 0.0002
RSA False 168019 32.6573
RSA SHA1 154614 30.0518
RSA intolerant 32671 6.3502
RSA pfs-ecdsa-SHA512 1 0.0002
RSA soft-nopfs 1437 0.2793
Renegotiation Count Percent
-------------------------+---------+--------
False 6340 1.2323
insecure 19961 3.8798
secure 488190 94.888
Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 10392 2.0199
False 6340 1.2323
NONE 497759 96.7479
TLS session ticket hint Count Percent
-------------------------+---------+--------
1 4 0.0008
1 only 4 0.0008
2 2 0.0004
2 only 2 0.0004
5 1 0.0002
5 only 1 0.0002
10 7 0.0014
10 only 7 0.0014
15 8 0.0016
15 only 8 0.0016
30 11 0.0021
30 only 10 0.0019
60 93 0.0181
60 only 87 0.0169
65 1 0.0002
65 only 1 0.0002
70 7 0.0014
100 14 0.0027
100 only 14 0.0027
120 30 0.0058
120 only 30 0.0058
128 2 0.0004
128 only 2 0.0004
150 2 0.0004
180 39 0.0076
180 only 37 0.0072
240 14 0.0027
240 only 14 0.0027
300 232702 45.2296
300 only 227970 44.3098
302 2 0.0004
302 only 2 0.0004
360 2 0.0004
360 only 1 0.0002
400 7 0.0014
400 only 7 0.0014
420 113 0.022
420 only 87 0.0169
480 11 0.0021
480 only 11 0.0021
500 4 0.0008
500 only 4 0.0008
540 1 0.0002
540 only 1 0.0002
600 24187 4.7012
600 only 24031 4.6708
720 2 0.0004
720 only 2 0.0004
840 2 0.0004
840 only 2 0.0004
900 718 0.1396
900 only 702 0.1364
960 3 0.0006
960 only 3 0.0006
1200 2085 0.4053
1200 only 2080 0.4043
1320 1 0.0002
1320 only 1 0.0002
1500 11 0.0021
1500 only 10 0.0019
1800 473 0.0919
1800 only 468 0.091
2100 1 0.0002
2100 only 1 0.0002
2400 6 0.0012
2400 only 6 0.0012
2700 7 0.0014
2700 only 7 0.0014
3000 19 0.0037
3000 only 19 0.0037
3600 512 0.0995
3600 only 498 0.0968
3900 1 0.0002
3900 only 1 0.0002
4200 1 0.0002
5160 1 0.0002
5160 only 1 0.0002
5400 14 0.0027
5400 only 6 0.0012
6000 3 0.0006
6000 only 3 0.0006
7200 16177 3.1443
7200 only 16154 3.1398
10800 2416 0.4696
10800 only 2411 0.4686
14400 70 0.0136
14400 only 70 0.0136
18000 7 0.0014
18000 only 7 0.0014
21600 4966 0.9652
21600 only 4963 0.9646
28800 2049 0.3983
28800 only 637 0.1238
36000 1187 0.2307
36000 only 1176 0.2286
43200 35 0.0068
43200 only 35 0.0068
60000 1 0.0002
60000 only 1 0.0002
64800 51944 10.0962
64800 only 51911 10.0898
72000 13 0.0025
72000 only 13 0.0025
86000 31 0.006
86000 only 31 0.006
86400 3546 0.6892
86400 only 3543 0.6886
100800 11273 2.1911
100800 only 11263 2.1892
129600 9 0.0017
129600 only 9 0.0017
172800 7 0.0014
172800 only 7 0.0014
216000 1 0.0002
216000 only 1 0.0002
432000 2 0.0004
432000 only 2 0.0004
604800 1 0.0002
604800 only 1 0.0002
864000 3 0.0006
864000 only 3 0.0006
2592000 1 0.0002
2592000 only 1 0.0002
None 166108 32.2859
None only 159631 31.027
Certificate sig alg Count Percent
-------------------------+---------+--------
None 13099 2.546
ecdsa-with-SHA256 36858 7.164
sha1WithRSAEncryption 100797 19.5916
sha256WithRSAEncryption 377291 73.3329
sha384WithRSAEncryption 6 0.0012
sha512WithRSAEncryption 26 0.0051
Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 36891 7.1704
ECDSA 384 8 0.0016
RSA 1024 68 0.0132
RSA 10240 5 0.001
RSA 2048 459006 89.2156
RSA 2049 3 0.0006
RSA 2056 2 0.0004
RSA 2058 2 0.0004
RSA 2064 1 0.0002
RSA 2078 1 0.0002
RSA 2080 2 0.0004
RSA 2084 6 0.0012
RSA 2096 2 0.0004
RSA 2408 1 0.0002
RSA 2432 2 0.0004
RSA 2480 1 0.0002
RSA 2890 1 0.0002
RSA 3024 1 0.0002
RSA 3071 1 0.0002
RSA 3072 119 0.0231
RSA 3248 3 0.0006
RSA 4042 1 0.0002
RSA 4048 1 0.0002
RSA 4056 26 0.0051
RSA 4069 2 0.0004
RSA 4092 6 0.0012
RSA 4094 1 0.0002
RSA 4096 18374 3.5713
RSA 8192 5 0.001
RSA/ECDSA Dual Stack 44 0.0086
OCSP stapling Count Percent
-------------------------+---------+--------
Supported 110108 21.4013
Unsupported 404383 78.5987
Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 25202 4.8984
SSL2 Only 15 0.0029
SSL3 126817 24.649
SSL3 Only 549 0.1067
SSL3 or TLS1 Only 72846 14.1588
SSL3 or lower Only 571 0.111
TLS1 510753 99.2735
TLS1 Only 43061 8.3696
TLS1 or lower Only 96394 18.7358
TLS1.1 405071 78.7324
TLS1.1 Only 30 0.0058
TLS1.1 or up Only 2939 0.5712
TLS1.2 415131 80.6877
TLS1.2 Only 1267 0.2463
TLS1.2, 1.0 but not 1.1 11078 2.1532
Statistics from 481615 chains provided by 696385 hosts
Server provided chains Count Percent
-------------------------+---------+-------
complete 438491 62.9667
incomplete 20877 2.9979
untrusted 237017 34.0353
Trusted chain statistics
========================
Chain length Count Percent
-------------------------+---------+-------
2 214 0.0444
3 479299 99.5191
4 2064 0.4286
5 38 0.0079
CA key size in chains Count
-------------------------+---------
ECDSA 256 21571
ECDSA 384 21574
RSA 1024 189
RSA 2045 3
RSA 2048 797792
RSA 4096 124027
Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 21571 4.4789
ECDSA 384 21574 4.4795
RSA 1024 187 0.0388
RSA 2045 3 0.0006
RSA 2048 459556 95.4198
RSA 4096 123505 25.6439
Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 21569
sha1WithRSAEncryption 87272
sha256WithRSAEncryption 264799
sha384WithRSAEncryption 109831
sha512WithRSAEncryption 70
Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 87432 18.1539
112 372602 77.3651
128 21581 4.481
Root CAs Count Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA 102403 21.2624
(d6325660) COMODO RSA Certification Authority 101866 21.1509
(cbf06781) Go Daddy Root Certificate Authorit 47350 9.8315
(5ad8a5d6) GlobalSign Root CA 41408 8.5977
(b204d74a) VeriSign Class 3 Public Primary Ce 26837 5.5723
(244b5494) DigiCert High Assurance EV Root CA 25125 5.2168
(2e4eed3c) thawte Primary Root CA 22902 4.7553
(eed8c118) COMODO ECC Certification Authority 21557 4.476
(653b494a) Baltimore CyberTrust Root 11908 2.4725
(157753a5) AddTrust External CA Root 10009 2.0782
(ae8153b9) StartCom Certification Authority 8637 1.7933
(fc5a8f99) USERTrust RSA Certification Author 7875 1.6351
(3513523f) DigiCert Global Root CA 7502 1.5577
(4bfab552) Starfield Root Certificate Authori 6246 1.2969
(480720ec) GeoTrust Primary Certification Aut 5252 1.0905
(f387163d) Starfield Technologies, Inc. 4889 1.0151
Scan performed between 18th and 28th of September 2015.
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
TLS scan results for August 2015
by Hubert Kario
Detailed analysis on my blog:
https://securitypitfalls.wordpress.com/2015/11/29/august-2015-scan-results/
SSL/TLS survey of 509351 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate
installed)
Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 435183 85.4387
3DES Only 725 0.1423
AES 500583 98.2786
AES Only 18647 3.6609
AES-CBC 500485 98.2594
AES-CBC Only 9344 1.8345
AES-GCM 363787 71.4217
AES-GCM Only 37 0.0073
CAMELLIA 225125 44.1984
CAMELLIA Only 3 0.0006
CHACHA20 63145 12.3971
CHACHA20 Only 2 0.0004
Insecure 67027 13.1593
RC4 239979 47.1147
RC4 Only 1395 0.2739
RC4 Preferred 29355 5.7632
RC4 forced in TLS1.1+ 16525 3.2443
x:FF 29 RC4 Only 1696 0.333
x:FF 29 RC4 Preferred 33338 6.5452
x:FF 29 incompatible 107 0.021
x:FF 35 RC4 Only 2022 0.397
x:FF 35 RC4 Preferred 33466 6.5703
x:FF 35 incompatible 112 0.022
y:DHE-RSA-SEED-SHA 85997 16.8836
y:IDEA-CBC-SHA 78567 15.4249
y:SEED-SHA 95725 18.7935
z:ADH-AES128-GCM-SHA256 290 0.0569
z:ADH-AES128-SHA 690 0.1355
z:ADH-AES128-SHA256 194 0.0381
z:ADH-AES256-GCM-SHA384 300 0.0589
z:ADH-AES256-SHA 701 0.1376
z:ADH-AES256-SHA256 196 0.0385
z:ADH-CAMELLIA128-SHA 306 0.0601
z:ADH-CAMELLIA256-SHA 312 0.0613
z:ADH-DES-CBC-SHA 295 0.0579
z:ADH-DES-CBC3-SHA 712 0.1398
z:ADH-RC4-MD5 569 0.1117
z:ADH-SEED-SHA 230 0.0452
z:AECDH-AES128-SHA 13191 2.5898
z:AECDH-AES256-SHA 13214 2.5943
z:AECDH-DES-CBC3-SHA 13149 2.5815
z:AECDH-NULL-SHA 51 0.01
z:AECDH-RC4-SHA 12459 2.4461
z:DES-CBC-MD5 12757 2.5046
z:DES-CBC-SHA 38652 7.5885
z:DES-CBC3-MD5 25783 5.0619
z:ECDHE-RSA-NULL-SHA 60 0.0118
z:EDH-RSA-DES-CBC-SHA 33192 6.5165
z:EXP-ADH-DES-CBC-SHA 214 0.042
z:EXP-ADH-RC4-MD5 213 0.0418
z:EXP-DES-CBC-SHA 17083 3.3539
z:EXP-EDH-RSA-DES-CBC-SHA 13893 2.7276
z:EXP-RC2-CBC-MD5 20743 4.0724
z:EXP-RC4-MD5 21811 4.2821
z:EXP1024-DES-CBC-SHA 5319 1.0443
z:EXP1024-RC4-SHA 5395 1.0592
z:IDEA-CBC-MD5 2435 0.4781
z:NULL-MD5 230 0.0452
z:NULL-SHA 232 0.0455
z:NULL-SHA256 22 0.0043
z:RC2-CBC-MD5 13042 2.5605
z:RC4-64-MD5 1052 0.2065
Cipher ordering Count Percent
-------------------------+---------+-------
Client side 130864 25.6923
Server side 378487 74.3077
Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 817 0.1604
AECDH 13248 2.601
DHE 280098 54.9912
ECDH 3 0.0006
ECDHE 390772 76.7196
ECDHE and DHE 205466 40.3388
RSA 463146 90.9287
Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 187360 36.7841 66.8909
DH,1536bits 2 0.0004 0.0007
DH,2048bits 83731 16.4388 29.8935
DH,2236bits 3 0.0006 0.0011
DH,3072bits 2656 0.5214 0.9482
DH,3092bits 1 0.0002 0.0004
DH,4096bits 5788 1.1363 2.0664
DH,512bits 59 0.0116 0.0211
DH,768bits 553 0.1086 0.1974
DH,8192bits 2 0.0004 0.0007
ECDH,B-163,163bits 1 0.0002 0.0003
ECDH,B-571,570bits 1431 0.2809 0.3662
ECDH,K-163,163bits 1 0.0002 0.0003
ECDH,K-571,570bits 1 0.0002 0.0003
ECDH,P-224,224bits 83 0.0163 0.0212
ECDH,P-256,256bits 379964 74.5977 97.2342
ECDH,P-384,384bits 2696 0.5293 0.6899
ECDH,P-521,521bits 7641 1.5001 1.9554
Prefer DH,1024bits 70139 13.7703 25.0409
Prefer DH,1536bits 1 0.0002 0.0004
Prefer DH,2048bits 6067 1.1911 2.166
Prefer DH,2236bits 1 0.0002 0.0004
Prefer DH,3072bits 21 0.0041 0.0075
Prefer DH,4096bits 310 0.0609 0.1107
Prefer DH,768bits 170 0.0334 0.0607
Prefer ECDH,B-163,163bits 1 0.0002 0.0003
Prefer ECDH,B-571,570bits 1231 0.2417 0.315
Prefer ECDH,K-163,163bits 1 0.0002 0.0003
Prefer ECDH,K-571,570bits 1 0.0002 0.0003
Prefer ECDH,P-224,224bits 49 0.0096 0.0125
Prefer ECDH,P-256,256bits 327275 64.2533 83.7509
Prefer ECDH,P-384,384bits 2552 0.501 0.6531
Prefer ECDH,P-521,521bits 6909 1.3564 1.768
Prefer PFS 414728 81.4228 0
Support PFS 465404 91.372 0
Supported ECC curves Count Percent
-------------------------+---------+--------
brainpoolP256r1 1013 0.1989
brainpoolP384r1 1014 0.1991
brainpoolP512r1 1015 0.1993
prime192v1 1346 0.2643
prime256v1 389473 76.4646
prime256v1 Only 338238 66.4057
secp160k1 1313 0.2578
secp160r1 1315 0.2582
secp160r2 1312 0.2576
secp192k1 1335 0.2621
secp224k1 1403 0.2754
secp224r1 3044 0.5976
secp224r1 Only 2 0.0004
secp256k1 2305 0.4525
secp384r1 51317 10.075
secp384r1 Only 330 0.0648
secp521r1 20958 4.1146
secp521r1 Only 124 0.0243
sect163k1 1322 0.2595
sect163k1 Only 2 0.0004
sect163r1 1320 0.2592
sect163r2 1319 0.259
sect163r2 Only 1 0.0002
sect193r1 1316 0.2584
sect193r2 1315 0.2582
sect233k1 1395 0.2739
sect233r1 1395 0.2739
sect239k1 1394 0.2737
sect283k1 2280 0.4476
sect283r1 2279 0.4474
sect409k1 2281 0.4478
sect409r1 2278 0.4472
sect571k1 2291 0.4498
sect571r1 2290 0.4496
Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 76188 14.9579
True 263977 51.8261
order-specific 263 0.0516
unknown 168923 33.1644
ECC curve ordering Count Percent
-------------------------+---------+--------
client 3661 0.7188
inconclusive-noecc 9 0.0018
server 386286 75.8389
unknown 119395 23.4406
TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 35626 6.9944
ECDSA-SHA1 Only 4 0.0008
ECDSA-SHA224 35618 6.9928
ECDSA-SHA256 35628 6.9948
ECDSA-SHA384 35625 6.9942
ECDSA-SHA512 35631 6.9954
ECDSA-SHA512 Only 6 0.0012
RSA-MD5 165235 32.4403
RSA-SHA1 341873 67.1193
RSA-SHA1 Only 46530 9.1352
RSA-SHA224 277602 54.5011
RSA-SHA256 301111 59.1166
RSA-SHA256 Only 4859 0.954
RSA-SHA384 278555 54.6882
RSA-SHA512 278643 54.7055
RSA-SHA512 Only 93 0.0183
TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 243146 47.7364
indeterminate 8 0.0016
intolerant 3556 0.6981
order-fallback 16 0.0031
server 136828 26.8632
unsupported 22608 4.4386
TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 35612 6.9916
ECDSA intolerant 39 0.0077
RSA False 163780 32.1546
RSA SHA1 152230 29.8871
RSA intolerant 30949 6.0762
RSA soft-nopfs 1543 0.3029
Renegotiation Count Percent
-------------------------+---------+--------
False 6729 1.3211
insecure 20615 4.0473
secure 482007 94.6316
Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 10877 2.1355
False 6729 1.3211
NONE 491745 96.5434
TLS session ticket hint Count Percent
-------------------------+---------+--------
1 2 0.0004
1 only 2 0.0004
2 2 0.0004
2 only 2 0.0004
5 4 0.0008
5 only 4 0.0008
10 7 0.0014
10 only 7 0.0014
15 10 0.002
15 only 10 0.002
30 10 0.002
30 only 9 0.0018
60 100 0.0196
60 only 92 0.0181
65 1 0.0002
65 only 1 0.0002
70 6 0.0012
100 12 0.0024
100 only 12 0.0024
120 32 0.0063
120 only 32 0.0063
128 3 0.0006
128 only 3 0.0006
150 2 0.0004
180 52 0.0102
180 only 50 0.0098
240 14 0.0027
240 only 14 0.0027
300 227236 44.6129
300 only 222350 43.6536
302 1 0.0002
302 only 1 0.0002
360 3 0.0006
360 only 1 0.0002
400 7 0.0014
400 only 7 0.0014
420 113 0.0222
420 only 82 0.0161
450 1 0.0002
450 only 1 0.0002
480 12 0.0024
480 only 12 0.0024
500 4 0.0008
500 only 4 0.0008
540 1 0.0002
540 only 1 0.0002
600 23677 4.6485
600 only 23483 4.6104
720 1 0.0002
720 only 1 0.0002
840 2 0.0004
840 only 2 0.0004
900 664 0.1304
900 only 648 0.1272
960 2 0.0004
960 only 2 0.0004
1200 1996 0.3919
1200 only 1989 0.3905
1500 8 0.0016
1500 only 7 0.0014
1800 449 0.0882
1800 only 441 0.0866
2400 6 0.0012
2400 only 6 0.0012
2700 6 0.0012
2700 only 6 0.0012
3000 20 0.0039
3000 only 20 0.0039
3600 463 0.0909
3600 only 439 0.0862
3900 1 0.0002
3900 only 1 0.0002
5400 15 0.0029
5400 only 5 0.001
6000 6 0.0012
6000 only 6 0.0012
7200 15785 3.099
7200 only 15761 3.0943
10800 2395 0.4702
10800 only 2391 0.4694
14400 73 0.0143
14400 only 73 0.0143
18000 14 0.0027
18000 only 14 0.0027
21600 5069 0.9952
21600 only 5067 0.9948
28800 1936 0.3801
28800 only 846 0.1661
36000 1219 0.2393
36000 only 1212 0.2379
43200 32 0.0063
43200 only 32 0.0063
60000 1 0.0002
60000 only 1 0.0002
64800 50264 9.8682
64800 only 50206 9.8569
72000 10 0.002
72000 only 10 0.002
84600 1 0.0002
84600 only 1 0.0002
86000 37 0.0073
86000 only 37 0.0073
86400 3516 0.6903
86400 only 3515 0.6901
100800 12467 2.4476
100800 only 12460 2.4463
115200 1 0.0002
115200 only 1 0.0002
129600 7 0.0014
129600 only 7 0.0014
172800 8 0.0016
172800 only 8 0.0016
216000 1 0.0002
216000 only 1 0.0002
432000 2 0.0004
432000 only 2 0.0004
604800 1 0.0002
864000 2 0.0004
864000 only 2 0.0004
2592000 1 0.0002
2592000 only 1 0.0002
None 167946 32.9725
None only 161562 31.7192
Certificate sig alg Count Percent
-------------------------+---------+--------
None 13903 2.7296
ecdsa-with-SHA256 35609 6.9911
sha1WithRSAEncryption 118117 23.1897
sha256WithRSAEncryption 355741 69.842
sha384WithRSAEncryption 5 0.001
sha512WithRSAEncryption 17 0.0033
Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 35649 6.9989
ECDSA 384 6 0.0012
ECDSA 521 1 0.0002
RSA 1024 81 0.0159
RSA 10240 7 0.0014
RSA 2048 455461 89.4199
RSA 2049 3 0.0006
RSA 2056 2 0.0004
RSA 2058 2 0.0004
RSA 2064 1 0.0002
RSA 2080 2 0.0004
RSA 2084 5 0.001
RSA 2408 1 0.0002
RSA 2432 2 0.0004
RSA 2480 1 0.0002
RSA 2890 1 0.0002
RSA 3071 2 0.0004
RSA 3072 111 0.0218
RSA 3102 1 0.0002
RSA 3248 3 0.0006
RSA 4042 1 0.0002
RSA 4048 1 0.0002
RSA 4056 25 0.0049
RSA 4069 3 0.0006
RSA 4086 2 0.0004
RSA 4092 6 0.0012
RSA 4094 1 0.0002
RSA 4096 18024 3.5386
RSA 8192 5 0.001
RSA/ECDSA Dual Stack 50 0.0098
OCSP stapling Count Percent
-------------------------+---------+--------
Supported 109199 21.4389
Unsupported 400152 78.5611
Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 26076 5.1195
SSL2 Only 24 0.0047
SSL3 130306 25.5828
SSL3 Only 584 0.1147
SSL3 or TLS1 Only 75720 14.866
SSL3 or lower Only 607 0.1192
TLS1 506048 99.3515
TLS1 Only 44327 8.7026
TLS1 or lower Only 100132 19.6587
TLS1.1 396444 77.8332
TLS1.1 Only 30 0.0059
TLS1.1 or up Only 2473 0.4855
TLS1.2 406149 79.7385
TLS1.2 Only 1063 0.2087
TLS1.2, 1.0 but not 1.1 11004 2.1604
Statistics from 528021 chains provided by 691201 hosts
Server provided chains Count Percent
-------------------------+---------+-------
complete 479672 69.3969
incomplete 23576 3.4109
untrusted 187953 27.1922
Trusted chain statistics
========================
Chain length Count Percent
-------------------------+---------+-------
2 269 0.0509
3 525613 99.544
4 2106 0.3988
5 33 0.0062
CA key size in chains Count
-------------------------+---------
ECDSA 256 35610
ECDSA 384 35613
RSA 1024 255
RSA 2045 1
RSA 2048 860646
RSA 4096 125820
Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 35610 6.744
ECDSA 384 35613 6.7446
RSA 1024 253 0.0479
RSA 2045 1 0.0002
RSA 2048 491885 93.1563
RSA 4096 125302 23.7305
Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 35609
sha1WithRSAEncryption 136788
sha256WithRSAEncryption 246213
sha384WithRSAEncryption 111253
sha512WithRSAEncryption 61
Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 137062 25.9577
112 355341 67.2968
128 35618 6.7456
Root CAs Count Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA 109891 20.8119
(d6325660) COMODO RSA Certification Authority 103786 19.6557
(5ad8a5d6) GlobalSign Root CA 51859 9.8214
(cbf06781) Go Daddy Root Certificate Authorit 48094 9.1083
(eed8c118) COMODO ECC Certification Authority 35597 6.7416
(b204d74a) VeriSign Class 3 Public Primary Ce 30261 5.731
(244b5494) DigiCert High Assurance EV Root CA 26028 4.9293
(2e4eed3c) thawte Primary Root CA 24484 4.6369
(157753a5) AddTrust External CA Root 12314 2.3321
(653b494a) Baltimore CyberTrust Root 12080 2.2878
(ae8153b9) StartCom Certification Authority 9217 1.7456
(3513523f) DigiCert Global Root CA 7329 1.388
(fc5a8f99) USERTrust RSA Certification Author 7360 1.3939
(4bfab552) Starfield Root Certificate Authori 6079 1.1513
(f081611a) The Go Daddy Group, Inc. 5382 1.0193
(480720ec) GeoTrust Primary Certification Aut 5448 1.0318
(f387163d) Starfield Technologies, Inc. 5310 1.0056
Scan performed between 17th of August and 4th of September 2015.
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic