TLS scan results for April 2016
by Hubert Kario
SSL/TLS survey of 554044 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)
Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 488020 88.0833
3DES Only 590 0.1065
3DES Preferred 1772 0.3198
3DES forced in TLS1.1+ 936 0.1689
AES 549187 99.1234
AES Only 42441 7.6602
AES-CBC 548762 99.0466
AES-CBC Only 8334 1.5042
AES-GCM 448629 80.9735
AES-GCM Only 378 0.0682
CAMELLIA 241430 43.576
CAMELLIA Only 1 0.0002
CHACHA20 75592 13.6437
Insecure 54139 9.7716
RC4 160923 29.0452
RC4 Only 183 0.033
RC4 Preferred 15628 2.8207
RC4 forced in TLS1.1+ 8360 1.5089
x:FF 29 3DES Only 639 0.1153
x:FF 29 3DES Preferred 2130 0.3844
x:FF 29 RC4 Only 254 0.0458
x:FF 29 RC4 Preferred 17323 3.1266
x:FF 29 incompatible 272 0.0491
x:FF 35 3DES Only 645 0.1164
x:FF 35 3DES Preferred 2044 0.3689
x:FF 35 RC4 Only 301 0.0543
x:FF 35 RC4 Preferred 17346 3.1308
x:FF 35 incompatible 276 0.0498
x:FF 44 3DES Only 4576 0.8259
x:FF 44 3DES Preferred 8336 1.5046
x:FF 44 incompatible 577 0.1041
y:DHE-RSA-SEED-SHA 71951 12.9865
y:IDEA-CBC-SHA 67468 12.1774
y:SEED-SHA 82250 14.8454
z:ADH-AES128-GCM-SHA256 401 0.0724
z:ADH-AES128-SHA 730 0.1318
z:ADH-AES128-SHA256 275 0.0496
z:ADH-AES256-GCM-SHA384 411 0.0742
z:ADH-AES256-SHA 748 0.135
z:ADH-AES256-SHA256 274 0.0495
z:ADH-CAMELLIA128-SHA 390 0.0704
z:ADH-CAMELLIA256-SHA 400 0.0722
z:ADH-DES-CBC-SHA 321 0.0579
z:ADH-DES-CBC3-SHA 738 0.1332
z:ADH-RC4-MD5 539 0.0973
z:ADH-SEED-SHA 312 0.0563
z:AECDH-AES128-SHA 9716 1.7537
z:AECDH-AES256-SHA 9763 1.7621
z:AECDH-DES-CBC3-SHA 9685 1.7481
z:AECDH-NULL-SHA 85 0.0153
z:AECDH-RC4-SHA 9132 1.6482
z:DES-CBC-MD5 7224 1.3039
z:DES-CBC-SHA 33578 6.0605
z:DES-CBC3-MD5 17444 3.1485
z:ECDHE-RSA-NULL-SHA 95 0.0171
z:EDH-RSA-DES-CBC-SHA 28962 5.2274
z:EXP-ADH-DES-CBC-SHA 173 0.0312
z:EXP-ADH-RC4-MD5 171 0.0309
z:EXP-DES-CBC-SHA 11121 2.0072
z:EXP-EDH-RSA-DES-CBC-SHA 8776 1.584
z:EXP-RC2-CBC-MD5 13375 2.4141
z:EXP-RC4-MD5 14006 2.528
z:EXP1024-DES-CBC-SHA 3639 0.6568
z:EXP1024-RC4-SHA 3688 0.6657
z:IDEA-CBC-MD5 1523 0.2749
z:NULL-MD5 214 0.0386
z:NULL-SHA 218 0.0393
z:NULL-SHA256 32 0.0058
z:RC2-CBC-MD5 7396 1.3349
z:RC4-64-MD5 767 0.1384
Cipher ordering Count Percent
-------------------------+---------+-------
Client side 134999 24.3661
Server side 419045 75.6339
Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 885 0.1597
AECDH 9773 1.7639
DHE 298929 53.954
ECDH 2 0.0004
ECDHE 476485 86.0013
ECDHE and DHE 253657 45.7828
RSA 475653 85.8511
Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 116515 21.0299 38.9775
DH,1536bits 1 0.0002 0.0003
DH,2048bits 170990 30.8622 57.2009
DH,2236bits 69 0.0125 0.0231
DH,2432bits 3 0.0005 0.001
DH,2560bits 1 0.0002 0.0003
DH,3072bits 111 0.02 0.0371
DH,3092bits 1 0.0002 0.0003
DH,4094bits 1 0.0002 0.0003
DH,4096bits 10885 1.9646 3.6413
DH,4098bits 1 0.0002 0.0003
DH,512bits 64 0.0116 0.0214
DH,6144bits 1 0.0002 0.0003
DH,768bits 377 0.068 0.1261
DH,8192bits 9 0.0016 0.003
ECDH,B-571,570bits 2314 0.4177 0.4856
ECDH,K-163,163bits 1 0.0002 0.0002
ECDH,P-192,192bits 23 0.0042 0.0048
ECDH,P-224,224bits 84 0.0152 0.0176
ECDH,P-256,256bits 456709 82.4319 95.8496
ECDH,P-384,384bits 5908 1.0663 1.2399
ECDH,P-521,521bits 13327 2.4054 2.7969
Prefer DH,1024bits 43925 7.9281 14.6941
Prefer DH,1536bits 1 0.0002 0.0003
Prefer DH,2048bits 5768 1.0411 1.9296
Prefer DH,3072bits 6 0.0011 0.002
Prefer DH,4096bits 423 0.0763 0.1415
Prefer DH,768bits 54 0.0097 0.0181
Prefer ECDH,B-571,570bits 2090 0.3772 0.4386
Prefer ECDH,K-163,163bits 1 0.0002 0.0002
Prefer ECDH,P-224,224bits 81 0.0146 0.017
Prefer ECDH,P-256,256bits 419866 75.7821 88.1174
Prefer ECDH,P-384,384bits 4218 0.7613 0.8852
Prefer ECDH,P-521,521bits 12182 2.1987 2.5566
Prefer PFS 488615 88.1906 0
Support PFS 521757 94.1725 0
Supported ECC curves Count Percent
-------------------------+---------+--------
brainpoolP256r1 7632 1.3775
brainpoolP384r1 7634 1.3779
brainpoolP512r1 7637 1.3784
prime192v1 1557 0.281
prime256v1 473202 85.4087
prime256v1 Only 404241 72.9619
secp160k1 1490 0.2689
secp160r1 1497 0.2702
secp160r2 1488 0.2686
secp192k1 1502 0.2711
secp224k1 1576 0.2845
secp224r1 4971 0.8972
secp256k1 10618 1.9165
secp384r1 70010 12.6362
secp384r1 Only 1082 0.1953
secp521r1 36615 6.6087
secp521r1 Only 140 0.0253
sect163k1 1492 0.2693
sect163k1 Only 1 0.0002
sect163r1 1490 0.2689
sect163r2 1490 0.2689
sect193r1 1490 0.2689
sect193r2 1489 0.2688
sect233k1 1566 0.2826
sect233r1 1566 0.2826
sect239k1 1565 0.2825
sect283k1 9047 1.6329
sect283k1 Only 1 0.0002
sect283r1 9044 1.6324
sect409k1 9041 1.6318
sect409r1 9038 1.6313
sect571k1 9044 1.6324
sect571r1 9045 1.6325
Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 46285 8.354
True 365389 65.9495
order-specific 61 0.011
unknown 142309 25.6855
ECC curve ordering Count Percent
-------------------------+---------+--------
client 9132 1.6482
inconclusive-noecc 4 0.0007
server 465324 83.9868
unknown 79584 14.3642
TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 50518 9.118
ECDSA-SHA1 Only 3 0.0005
ECDSA-SHA224 50534 9.1209
ECDSA-SHA256 66231 11.9541
ECDSA-SHA384 66277 11.9624
ECDSA-SHA512 66334 11.9727
ECDSA-SHA512 Only 61 0.011
RSA-MD5 41528 7.4954
RSA-SHA1 408670 73.7613
RSA-SHA1 Only 36069 6.5101
RSA-SHA224 340011 61.369
RSA-SHA256 380914 68.7516
RSA-SHA256 Only 7319 1.321
RSA-SHA384 345799 62.4136
RSA-SHA384 Only 4 0.0007
RSA-SHA512 345776 62.4095
RSA-SHA512 Only 118 0.0213
TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 255972 46.2007
indeterminate 42 0.0076
intolerant 5716 1.0317
order-fallback 9 0.0016
server 203222 36.6798
unsupported 17516 3.1615
TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 50464 9.1083
ECDSA intolerant 381 0.0688
ECDSA pfs-rsa-SHA512 15610 2.8175
ECDSA soft-nopfs 2 0.0004
RSA False 41178 7.4323
RSA SHA1 336118 60.6663
RSA intolerant 40148 7.2464
RSA pfs-ecdsa-SHA512 45 0.0081
RSA soft-nopfs 512 0.0924
Renegotiation Count Percent
-------------------------+---------+--------
False 5199 0.9384
insecure 15950 2.8788
secure 532895 96.1828
Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 7539 1.3607
False 5199 0.9384
NONE 541306 97.7009
TLS session ticket hint Count Percent
-------------------------+---------+--------
1 4 0.0007
1 only 4 0.0007
2 2 0.0004
2 only 2 0.0004
5 8 0.0014
5 only 8 0.0014
10 8 0.0014
10 only 8 0.0014
15 6 0.0011
15 only 6 0.0011
30 19 0.0034
30 only 18 0.0032
60 167 0.0301
60 only 164 0.0296
65 2 0.0004
65 only 2 0.0004
70 6 0.0011
70 only 4 0.0007
75 1 0.0002
75 only 1 0.0002
100 16 0.0029
100 only 16 0.0029
120 28 0.0051
120 only 28 0.0051
128 3 0.0005
128 only 3 0.0005
150 2 0.0004
180 66 0.0119
180 only 64 0.0116
240 11 0.002
240 only 11 0.002
244 2 0.0004
244 only 2 0.0004
300 272999 49.2739
300 only 269600 48.6604
302 3 0.0005
302 only 3 0.0005
360 3 0.0005
360 only 2 0.0004
400 5 0.0009
400 only 5 0.0009
420 122 0.022
420 only 105 0.019
480 10 0.0018
480 only 10 0.0018
500 4 0.0007
500 only 4 0.0007
540 3 0.0005
540 only 3 0.0005
600 28373 5.1211
600 only 28233 5.0958
660 1 0.0002
660 only 1 0.0002
700 3 0.0005
700 only 3 0.0005
840 2 0.0004
840 only 2 0.0004
900 1388 0.2505
900 only 1366 0.2466
960 2 0.0004
960 only 2 0.0004
1000 1 0.0002
1000 only 1 0.0002
1200 2912 0.5256
1200 only 2907 0.5247
1210 2 0.0004
1210 only 2 0.0004
1320 1 0.0002
1320 only 1 0.0002
1380 1 0.0002
1380 only 1 0.0002
1440 1 0.0002
1440 only 1 0.0002
1500 6 0.0011
1500 only 5 0.0009
1800 579 0.1045
1800 only 568 0.1025
1980 2 0.0004
1980 only 2 0.0004
2100 2 0.0004
2100 only 1 0.0002
2160 1 0.0002
2160 only 1 0.0002
2400 8 0.0014
2400 only 8 0.0014
2700 9 0.0016
2700 only 9 0.0016
3000 25 0.0045
3000 only 25 0.0045
3300 1 0.0002
3300 only 1 0.0002
3600 865 0.1561
3600 only 850 0.1534
3900 1 0.0002
3900 only 1 0.0002
4200 1 0.0002
5160 1 0.0002
5160 only 1 0.0002
5400 15 0.0027
5400 only 9 0.0016
5940 1 0.0002
5940 only 1 0.0002
6000 297 0.0536
6000 only 297 0.0536
7200 15195 2.7426
7200 only 15175 2.739
7500 1 0.0002
7500 only 1 0.0002
10800 4136 0.7465
10800 only 4122 0.744
14400 95 0.0171
14400 only 95 0.0171
18000 10 0.0018
18000 only 10 0.0018
21600 4179 0.7543
21600 only 4179 0.7543
25200 1 0.0002
25200 only 1 0.0002
28800 3321 0.5994
28800 only 3321 0.5994
30000 1 0.0002
30000 only 1 0.0002
36000 1080 0.1949
36000 only 1071 0.1933
38854 1 0.0002
38866 1 0.0002
38879 1 0.0002
38893 1 0.0002
38908 1 0.0002
38925 1 0.0002
38940 1 0.0002
38953 1 0.0002
43200 55 0.0099
43200 only 55 0.0099
60000 2 0.0004
60000 only 2 0.0004
64800 65043 11.7397
64800 only 65041 11.7393
72000 9 0.0016
72000 only 9 0.0016
79200 1 0.0002
79200 only 1 0.0002
86400 2805 0.5063
86400 only 2801 0.5056
100800 9140 1.6497
100800 only 9137 1.6491
108000 1 0.0002
108000 only 1 0.0002
115200 1 0.0002
115200 only 1 0.0002
129600 6 0.0011
129600 only 6 0.0011
172800 49 0.0088
172800 only 49 0.0088
216000 4 0.0007
216000 only 4 0.0007
432000 1 0.0002
432000 only 1 0.0002
604800 2 0.0004
864000 2 0.0004
864000 only 2 0.0004
7776000 2 0.0004
7776000 only 2 0.0004
None 144581 26.0956
None only 140902 25.4316
Certificate sig alg Count Percent
-------------------------+---------+--------
None 10359 1.8697
ecdsa-with-SHA256 63100 11.389
sha1WithRSAEncryption 29544 5.3324
sha256WithRSAEncryption 477256 86.1405
sha384WithRSAEncryption 5 0.0009
sha512WithRSAEncryption 60 0.0108
Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 66442 11.9922
ECDSA 384 21 0.0038
ECDSA 521 1 0.0002
RSA 1024 21 0.0038
RSA 2048 479886 86.6151
RSA 2049 2 0.0004
RSA 2056 3 0.0005
RSA 2058 3 0.0005
RSA 2084 3 0.0005
RSA 2086 1 0.0002
RSA 2096 2 0.0004
RSA 2432 2 0.0004
RSA 3072 150 0.0271
RSA 3073 1 0.0002
RSA 3076 3 0.0005
RSA 3096 2 0.0004
RSA 3248 3 0.0005
RSA 4048 3 0.0005
RSA 4056 15 0.0027
RSA 4069 1 0.0002
RSA 4086 4 0.0007
RSA 4092 2 0.0004
RSA 4094 1 0.0002
RSA 4095 1 0.0002
RSA 4096 26364 4.7585
RSA 4196 1 0.0002
RSA 8192 9 0.0016
RSA 8392 1 0.0002
RSA/ECDSA Dual Stack 18891 3.4097
OCSP stapling Count Percent
-------------------------+---------+--------
Supported 128586 23.2086
Unsupported 425458 76.7914
Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 17623 3.1808
SSL2 Only 17 0.0031
SSL3 98238 17.7311
SSL3 Only 1159 0.2092
SSL3 or TLS1 Only 52628 9.4989
SSL3 or lower Only 1168 0.2108
TLS1 543101 98.0249
TLS1 Only 32939 5.9452
TLS1 or lower Only 68307 12.3288
TLS1.1 473247 85.4169
TLS1.1 Only 208 0.0375
TLS1.1 or up Only 9606 1.7338
TLS1.2 482460 87.0797
TLS1.2 Only 2594 0.4682
TLS1.2, 1.0 but not 1.1 8635 1.5585
Statistics from 589898 chains provided by 709652 hosts
Server provided chains Count Percent
-------------------------+---------+-------
complete 529449 74.6068
incomplete 22333 3.147
untrusted 157870 22.2461
Trusted chain statistics
========================
Chain length Count Percent
-------------------------+---------+-------
2 8 0.0014
3 587212 99.5447
4 2665 0.4518
5 13 0.0022
CA key size in chains Count
-------------------------+---------
ECDSA 256 63091
ECDSA 384 63090
RSA 1024 21
RSA 2045 2
RSA 2048 881842
RSA 4096 174433
Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 63091 10.6952
ECDSA 384 63090 10.6951
RSA 1024 19 0.0032
RSA 2045 2 0.0003
RSA 2048 526385 89.2332
RSA 4096 173801 29.4629
Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 63084
sha1WithRSAEncryption 33756
sha256WithRSAEncryption 339826
sha384WithRSAEncryption 155860
sha512WithRSAEncryption 55
Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 33778 5.7261
112 493007 83.575
128 63113 10.699
Root CAs Count Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 138204 23.4285
(2c543cd1) GeoTrust Global CA 95310 16.157
(eed8c118) COMODO ECC Certification Authority 63077 10.6929
(5ad8a5d6) GlobalSign Root CA 56226 9.5315
(cbf06781) Go Daddy Root Certificate Authorit 49413 8.3765
(b204d74a) VeriSign Class 3 Public Primary Ce 30520 5.1738
(244b5494) DigiCert High Assurance EV Root CA 19387 3.2865
(2e4eed3c) thawte Primary Root CA 18858 3.1968
(653b494a) Baltimore CyberTrust Root 12557 2.1287
(2e5ac55d) DST Root CA X3 12525 2.1232
(fc5a8f99) USERTrust RSA Certification Author 17514 2.969
(ae8153b9) StartCom Certification Authority 9654 1.6366
(3513523f) DigiCert Global Root CA 9633 1.633
(4bfab552) Starfield Root Certificate Authori 8780 1.4884
Scan performed between 18th of April and 1st of May 2016
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
TLS scan results for March 2016
by Hubert Kario
SSL/TLS survey of 551637 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)
Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 484308 87.7947
3DES Only 592 0.1073
3DES Preferred 1803 0.3268
3DES forced in TLS1.1+ 945 0.1713
AES 546565 99.0806
AES Only 43629 7.909
AES-CBC 546039 98.9852
AES-CBC Only 8757 1.5875
AES-GCM 442034 80.1313
AES-GCM Only 490 0.0888
CAMELLIA 235037 42.6072
CAMELLIA Only 3 0.0005
CHACHA20 74906 13.5789
CHACHA20 Only 1 0.0002
Insecure 53675 9.7301
RC4 165105 29.93
RC4 Only 189 0.0343
RC4 Preferred 16635 3.0156
RC4 forced in TLS1.1+ 8955 1.6234
x:FF 29 3DES Only 637 0.1155
x:FF 29 3DES Preferred 2172 0.3937
x:FF 29 RC4 Only 263 0.0477
x:FF 29 RC4 Preferred 18392 3.3341
x:FF 29 incompatible 389 0.0705
x:FF 35 3DES Only 644 0.1167
x:FF 35 3DES Preferred 2079 0.3769
x:FF 35 RC4 Only 313 0.0567
x:FF 35 RC4 Preferred 18423 3.3397
x:FF 35 incompatible 393 0.0712
x:FF 44 3DES Only 4780 0.8665
x:FF 44 3DES Preferred 8693 1.5759
x:FF 44 incompatible 706 0.128
y:DHE-RSA-SEED-SHA 69733 12.6411
y:IDEA-CBC-SHA 66812 12.1116
y:SEED-SHA 80215 14.5413
z:ADH-AES128-GCM-SHA256 415 0.0752
z:ADH-AES128-SHA 692 0.1254
z:ADH-AES128-SHA256 283 0.0513
z:ADH-AES256-GCM-SHA384 428 0.0776
z:ADH-AES256-SHA 704 0.1276
z:ADH-AES256-SHA256 283 0.0513
z:ADH-CAMELLIA128-SHA 365 0.0662
z:ADH-CAMELLIA256-SHA 368 0.0667
z:ADH-DES-CBC-SHA 279 0.0506
z:ADH-DES-CBC3-SHA 707 0.1282
z:ADH-RC4-MD5 522 0.0946
z:ADH-SEED-SHA 294 0.0533
z:AECDH-AES128-SHA 8357 1.5149
z:AECDH-AES256-SHA 8387 1.5204
z:AECDH-DES-CBC3-SHA 8323 1.5088
z:AECDH-NULL-SHA 56 0.0102
z:AECDH-RC4-SHA 7767 1.408
z:DES-CBC-MD5 7631 1.3833
z:DES-CBC-SHA 34001 6.1637
z:DES-CBC3-MD5 18130 3.2866
z:ECDHE-RSA-NULL-SHA 63 0.0114
z:EDH-RSA-DES-CBC-SHA 28894 5.2379
z:EXP-ADH-DES-CBC-SHA 182 0.033
z:EXP-ADH-RC4-MD5 181 0.0328
z:EXP-DES-CBC-SHA 11397 2.066
z:EXP-EDH-RSA-DES-CBC-SHA 8988 1.6293
z:EXP-RC2-CBC-MD5 13770 2.4962
z:EXP-RC4-MD5 14407 2.6117
z:EXP1024-DES-CBC-SHA 3787 0.6865
z:EXP1024-RC4-SHA 3834 0.695
z:IDEA-CBC-MD5 1577 0.2859
z:NULL-MD5 182 0.033
z:NULL-SHA 189 0.0343
z:NULL-SHA256 43 0.0078
z:RC2-CBC-MD5 7791 1.4123
z:RC4-64-MD5 776 0.1407
Cipher ordering Count Percent
-------------------------+---------+-------
Client side 133547 24.2092
Server side 418090 75.7908
Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 857 0.1554
AECDH 8405 1.5236
DHE 295868 53.6345
ECDH 2 0.0004
ECDHE 469045 85.0278
ECDHE and DHE 247197 44.8115
RSA 474406 85.9997
Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 118316 21.4482 39.9895
DH,1536bits 1 0.0002 0.0003
DH,2048bits 166870 30.25 56.4002
DH,2236bits 65 0.0118 0.022
DH,2432bits 3 0.0005 0.001
DH,3072bits 115 0.0208 0.0389
DH,3092bits 1 0.0002 0.0003
DH,4046bits 1 0.0002 0.0003
DH,4094bits 1 0.0002 0.0003
DH,4096bits 10250 1.8581 3.4644
DH,512bits 57 0.0103 0.0193
DH,768bits 352 0.0638 0.119
DH,8192bits 10 0.0018 0.0034
ECDH,B-571,570bits 2139 0.3878 0.456
ECDH,K-163,163bits 1 0.0002 0.0002
ECDH,P-192,192bits 20 0.0036 0.0043
ECDH,P-224,224bits 90 0.0163 0.0192
ECDH,P-256,256bits 450911 81.7405 96.1338
ECDH,P-384,384bits 5288 0.9586 1.1274
ECDH,P-521,521bits 12472 2.2609 2.659
Prefer DH,1024bits 46513 8.4318 15.7209
Prefer DH,1536bits 1 0.0002 0.0003
Prefer DH,2048bits 5993 1.0864 2.0256
Prefer DH,3072bits 10 0.0018 0.0034
Prefer DH,4096bits 386 0.07 0.1305
Prefer DH,768bits 37 0.0067 0.0125
Prefer ECDH,B-571,570bits 1925 0.349 0.4104
Prefer ECDH,K-163,163bits 1 0.0002 0.0002
Prefer ECDH,P-224,224bits 87 0.0158 0.0185
Prefer ECDH,P-256,256bits 414883 75.2094 88.4527
Prefer ECDH,P-384,384bits 3903 0.7075 0.8321
Prefer ECDH,P-521,521bits 11412 2.0688 2.433
Prefer PFS 485151 87.9475 0
Support PFS 517716 93.8508 0
Supported ECC curves Count Percent
-------------------------+---------+--------
brainpoolP256r1 7010 1.2708
brainpoolP384r1 7016 1.2719
brainpoolP512r1 7016 1.2719
prime192v1 1542 0.2795
prime192v1 Only 1 0.0002
prime256v1 465478 84.3812
prime256v1 Only 399795 72.4743
secp160k1 1479 0.2681
secp160r1 1485 0.2692
secp160r2 1478 0.2679
secp192k1 1492 0.2705
secp224k1 1571 0.2848
secp224r1 4963 0.8997
secp256k1 8958 1.6239
secp384r1 66416 12.0398
secp384r1 Only 776 0.1407
secp521r1 33828 6.1323
secp521r1 Only 143 0.0259
sect163k1 1480 0.2683
sect163k1 Only 2 0.0004
sect163r1 1478 0.2679
sect163r2 1478 0.2679
sect193r1 1478 0.2679
sect193r2 1478 0.2679
sect233k1 1563 0.2833
sect233r1 1563 0.2833
sect239k1 1563 0.2833
sect283k1 8428 1.5278
sect283r1 8425 1.5273
sect409k1 8431 1.5284
sect409r1 8429 1.528
sect571k1 8434 1.5289
sect571r1 8434 1.5289
Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 48103 8.72
True 357854 64.8713
order-specific 74 0.0134
unknown 145606 26.3953
ECC curve ordering Count Percent
-------------------------+---------+--------
client 8089 1.4664
inconclusive-noecc 7 0.0013
server 458334 83.0862
unknown 85207 15.4462
TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 48616 8.813
ECDSA-SHA1 Only 5 0.0009
ECDSA-SHA224 48602 8.8105
ECDSA-SHA256 64365 11.668
ECDSA-SHA384 64360 11.6671
ECDSA-SHA512 64365 11.668
ECDSA-SHA512 Only 6 0.0011
RSA-MD5 46119 8.3604
RSA-SHA1 404339 73.298
RSA-SHA1 Only 37023 6.7115
RSA-SHA224 339349 61.5167
RSA-SHA256 375560 68.081
RSA-SHA256 Only 7280 1.3197
RSA-SHA384 341601 61.925
RSA-SHA384 Only 3 0.0005
RSA-SHA512 341567 61.9188
RSA-SHA512 Only 84 0.0152
TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 252624 45.7953
indeterminate 57 0.0103
intolerant 5553 1.0066
order-fallback 7 0.0013
server 199982 36.2525
unsupported 18801 3.4082
TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 48595 8.8092
ECDSA intolerant 74 0.0134
ECDSA pfs-rsa-SHA512 15721 2.8499
RSA False 45736 8.291
RSA SHA1 328060 59.4703
RSA intolerant 39590 7.1768
RSA pfs-ecdsa-SHA512 1 0.0002
RSA soft-nopfs 500 0.0906
Renegotiation Count Percent
-------------------------+---------+--------
False 5768 1.0456
insecure 16732 3.0332
secure 529137 95.9212
Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 7977 1.4461
False 5768 1.0456
NONE 537892 97.5083
TLS session ticket hint Count Percent
-------------------------+---------+--------
1 4 0.0007
1 only 4 0.0007
2 2 0.0004
2 only 2 0.0004
5 3 0.0005
5 only 3 0.0005
10 6 0.0011
10 only 6 0.0011
15 5 0.0009
15 only 5 0.0009
30 18 0.0033
30 only 17 0.0031
60 170 0.0308
60 only 166 0.0301
65 1 0.0002
65 only 1 0.0002
70 6 0.0011
75 1 0.0002
75 only 1 0.0002
100 13 0.0024
100 only 13 0.0024
120 23 0.0042
120 only 23 0.0042
128 2 0.0004
128 only 2 0.0004
150 2 0.0004
180 72 0.0131
180 only 70 0.0127
240 14 0.0025
240 only 14 0.0025
244 1 0.0002
244 only 1 0.0002
300 268504 48.674
300 only 264860 48.0135
302 3 0.0005
302 only 3 0.0005
360 2 0.0004
360 only 1 0.0002
400 5 0.0009
400 only 5 0.0009
420 124 0.0225
420 only 105 0.019
450 1 0.0002
450 only 1 0.0002
480 10 0.0018
480 only 10 0.0018
500 4 0.0007
500 only 4 0.0007
540 3 0.0005
540 only 3 0.0005
600 27697 5.0209
600 only 27547 4.9937
660 3 0.0005
660 only 3 0.0005
720 1 0.0002
720 only 1 0.0002
840 1 0.0002
840 only 1 0.0002
900 1254 0.2273
900 only 1233 0.2235
960 2 0.0004
960 only 2 0.0004
1000 1 0.0002
1000 only 1 0.0002
1200 3011 0.5458
1200 only 3007 0.5451
1210 1 0.0002
1210 only 1 0.0002
1300 1 0.0002
1300 only 1 0.0002
1320 1 0.0002
1320 only 1 0.0002
1380 1 0.0002
1380 only 1 0.0002
1500 5 0.0009
1500 only 4 0.0007
1800 570 0.1033
1800 only 559 0.1013
1980 2 0.0004
1980 only 2 0.0004
2100 2 0.0004
2100 only 1 0.0002
2400 8 0.0015
2400 only 8 0.0015
2700 9 0.0016
2700 only 9 0.0016
3000 28 0.0051
3000 only 28 0.0051
3600 802 0.1454
3600 only 792 0.1436
3900 1 0.0002
3900 only 1 0.0002
5160 1 0.0002
5160 only 1 0.0002
5400 15 0.0027
5400 only 8 0.0015
6000 288 0.0522
6000 only 287 0.052
7200 16170 2.9313
7200 only 16152 2.928
10800 3928 0.7121
10800 only 3918 0.7102
14400 85 0.0154
14400 only 84 0.0152
18000 9 0.0016
18000 only 9 0.0016
21600 4289 0.7775
21600 only 4289 0.7775
25200 1 0.0002
25200 only 1 0.0002
28800 3301 0.5984
28800 only 3301 0.5984
36000 1118 0.2027
36000 only 1107 0.2007
43200 46 0.0083
43200 only 46 0.0083
60000 2 0.0004
60000 only 2 0.0004
64800 63048 11.4293
64800 only 63047 11.4291
72000 8 0.0015
72000 only 8 0.0015
79200 1 0.0002
79200 only 1 0.0002
84000 1 0.0002
84000 only 1 0.0002
86000 51 0.0092
86000 only 51 0.0092
86400 2862 0.5188
86400 only 2858 0.5181
100800 10169 1.8434
100800 only 10144 1.8389
108000 1 0.0002
108000 only 1 0.0002
115200 1 0.0002
115200 only 1 0.0002
129600 8 0.0015
129600 only 8 0.0015
172800 9 0.0016
172800 only 9 0.0016
216000 5 0.0009
216000 only 5 0.0009
259200 2 0.0004
259200 only 2 0.0004
432000 1 0.0002
432000 only 1 0.0002
604800 2 0.0004
604800 only 1 0.0002
864000 4 0.0007
864000 only 4 0.0007
7776000 2 0.0004
7776000 only 2 0.0004
None 147762 26.7861
None only 143812 26.07
Certificate sig alg Count Percent
-------------------------+---------+--------
None 9012 1.6337
ecdsa-with-SHA256 61035 11.0643
sha1WithRSAEncryption 33972 6.1584
sha256WithRSAEncryption 472384 85.6331
sha384WithRSAEncryption 5 0.0009
sha512WithRSAEncryption 59 0.0107
Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 64371 11.6691
ECDSA 384 20 0.0036
ECDSA 521 1 0.0002
RSA 1024 29 0.0053
RSA 2048 480108 87.0333
RSA 2049 2 0.0004
RSA 2056 2 0.0004
RSA 2058 3 0.0005
RSA 2084 4 0.0007
RSA 2086 1 0.0002
RSA 2096 2 0.0004
RSA 2432 2 0.0004
RSA 3071 1 0.0002
RSA 3072 141 0.0256
RSA 3073 1 0.0002
RSA 3076 6 0.0011
RSA 3096 2 0.0004
RSA 3248 4 0.0007
RSA 4048 4 0.0007
RSA 4056 15 0.0027
RSA 4092 2 0.0004
RSA 4094 2 0.0004
RSA 4095 1 0.0002
RSA 4096 25981 4.7098
RSA 8192 8 0.0015
RSA 8392 1 0.0002
RSA/ECDSA Dual Stack 19066 3.4563
OCSP stapling Count Percent
-------------------------+---------+--------
Supported 128880 23.3632
Unsupported 422757 76.6368
Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 18283 3.3143
SSL2 Only 14 0.0025
SSL3 101196 18.3447
SSL3 Only 1158 0.2099
SSL3 or TLS1 Only 54616 9.9007
SSL3 or lower Only 1168 0.2117
TLS1 542011 98.255
TLS1 Only 34339 6.2249
TLS1 or lower Only 70962 12.8639
TLS1.1 467843 84.8099
TLS1.1 Only 333 0.0604
TLS1.1 or up Only 8279 1.5008
TLS1.2 477009 86.4715
TLS1.2 Only 2566 0.4652
TLS1.2, 1.0 but not 1.1 9002 1.6319
Statistics from 587252 chains provided by 715935 hosts
Server provided chains Count Percent
-------------------------+---------+-------
complete 525344 73.3787
incomplete 23228 3.2444
untrusted 167363 23.3768
Trusted chain statistics
========================
Chain length Count Percent
-------------------------+---------+-------
2 13 0.0022
3 585030 99.6216
4 2197 0.3741
5 12 0.002
CA key size in chains Count
-------------------------+---------
ECDSA 256 61011
ECDSA 384 61009
RSA 1024 26
RSA 2045 2
RSA 2048 885900
RSA 4096 168764
Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 61011 10.3892
ECDSA 384 61009 10.3889
RSA 1024 24 0.0041
RSA 2045 2 0.0003
RSA 2048 525829 89.5406
RSA 4096 168152 28.6337
Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 61004
sha1WithRSAEncryption 38564
sha256WithRSAEncryption 338536
sha384WithRSAEncryption 151286
sha512WithRSAEncryption 70
Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 38602 6.5733
112 487624 83.0349
128.0 61026 10.3918
Most popular root CAs Count Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 135263 23.0332
(2c543cd1) GeoTrust Global CA 101180 17.2294
(eed8c118) COMODO ECC Certification Authority 60996 10.3867
(5ad8a5d6) GlobalSign Root CA 56051 9.5446
(cbf06781) Go Daddy Root Certificate Authorit 49631 8.4514
(b204d74a) VeriSign Class 3 Public Primary Ce 31013 5.281
(244b5494) DigiCert High Assurance EV Root CA 20318 3.4598
(2e4eed3c) thawte Primary Root CA 18889 3.2165
(fc5a8f99) USERTrust RSA Certification Author 15885 2.705
(653b494a) Baltimore CyberTrust Root 13245 2.2554
(4bfab552) Starfield Root Certificate Authori 10600 1.805
(3513523f) DigiCert Global Root CA 9653 1.6438
(ae8153b9) StartCom Certification Authority 8863 1.5092
(2e5ac55d) DST Root CA X3 7351 1.2518
Test ran between 17th of March and 5th of April 2016
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
TLS scan results for February 2016 (incomplete)
by Hubert Kario
Unfortunately, during scanning the disk space on the server ran out, so the
results are not complete.
Other than that, no interesting developments, just a continuation of established
trends.
SSL/TLS survey of 479178 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)
Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 419340 87.5124
3DES Only 506 0.1056
3DES Preferred 1692 0.3531
3DES forced in TLS1.1+ 922 0.1924
AES 474652 99.0555
AES Only 37306 7.7854
AES-CBC 474138 98.9482
AES-CBC Only 7523 1.57
AES-GCM 380917 79.4938
AES-GCM Only 466 0.0972
CAMELLIA 201933 42.1415
CAMELLIA Only 3 0.0006
CHACHA20 66326 13.8416
CHACHA20 Only 1 0.0002
Insecure 48383 10.0971
RC4 149250 31.1471
RC4 Only 177 0.0369
RC4 Preferred 15506 3.236
RC4 forced in TLS1.1+ 8442 1.7618
x:FF 29 3DES Only 550 0.1148
x:FF 29 3DES Preferred 2012 0.4199
x:FF 29 RC4 Only 265 0.0553
x:FF 29 RC4 Preferred 17097 3.568
x:FF 29 incompatible 321 0.067
x:FF 35 3DES Only 559 0.1167
x:FF 35 3DES Preferred 1924 0.4015
x:FF 35 RC4 Only 311 0.0649
x:FF 35 RC4 Preferred 17124 3.5736
x:FF 35 incompatible 325 0.0678
y:DHE-RSA-SEED-SHA 60590 12.6446
y:IDEA-CBC-SHA 58075 12.1197
y:SEED-SHA 70022 14.6129
z:ADH-AES128-GCM-SHA256 354 0.0739
z:ADH-AES128-SHA 605 0.1263
z:ADH-AES128-SHA256 246 0.0513
z:ADH-AES256-GCM-SHA384 367 0.0766
z:ADH-AES256-SHA 618 0.129
z:ADH-AES256-SHA256 245 0.0511
z:ADH-CAMELLIA128-SHA 316 0.0659
z:ADH-CAMELLIA256-SHA 321 0.067
z:ADH-DES-CBC-SHA 243 0.0507
z:ADH-DES-CBC3-SHA 620 0.1294
z:ADH-RC4-MD5 455 0.095
z:ADH-SEED-SHA 254 0.053
z:AECDH-AES128-SHA 7521 1.5696
z:AECDH-AES256-SHA 7556 1.5769
z:AECDH-DES-CBC3-SHA 7499 1.565
z:AECDH-NULL-SHA 45 0.0094
z:AECDH-RC4-SHA 7010 1.4629
z:DES-CBC-MD5 7605 1.5871
z:DES-CBC-SHA 30728 6.4126
z:DES-CBC3-MD5 17199 3.5893
z:ECDHE-RSA-NULL-SHA 53 0.0111
z:EDH-RSA-DES-CBC-SHA 25945 5.4145
z:EXP-ADH-DES-CBC-SHA 148 0.0309
z:EXP-ADH-RC4-MD5 145 0.0303
z:EXP-DES-CBC-SHA 10647 2.2219
z:EXP-EDH-RSA-DES-CBC-SHA 8346 1.7417
z:EXP-RC2-CBC-MD5 12795 2.6702
z:EXP-RC4-MD5 13391 2.7946
z:EXP1024-DES-CBC-SHA 3415 0.7127
z:EXP1024-RC4-SHA 3465 0.7231
z:IDEA-CBC-MD5 1613 0.3366
z:NULL-MD5 162 0.0338
z:NULL-SHA 169 0.0353
z:NULL-SHA256 38 0.0079
z:RC2-CBC-MD5 7754 1.6182
z:RC4-64-MD5 712 0.1486
Cipher ordering Count Percent
-------------------------+---------+-------
Client side 116701 24.3544
Server side 362477 75.6456
Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 753 0.1571
AECDH 7568 1.5794
DHE 255330 53.285
ECDH 2 0.0004
ECDHE 404645 84.4457
ECDHE and DHE 212045 44.2518
RSA 411697 85.9173
Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 107150 22.3612 41.9653
DH,1338bits 1 0.0002 0.0004
DH,1536bits 1 0.0002 0.0004
DH,2048bits 139444 29.1007 54.6132
DH,2236bits 57 0.0119 0.0223
DH,2432bits 3 0.0006 0.0012
DH,3072bits 93 0.0194 0.0364
DH,3092bits 1 0.0002 0.0004
DH,4096bits 8367 1.7461 3.2769
DH,512bits 52 0.0109 0.0204
DH,768bits 313 0.0653 0.1226
DH,8192bits 7 0.0015 0.0027
ECDH,B-571,570bits 1786 0.3727 0.4414
ECDH,K-163,163bits 1 0.0002 0.0002
ECDH,P-192,192bits 15 0.0031 0.0037
ECDH,P-224,224bits 84 0.0175 0.0208
ECDH,P-256,256bits 389954 81.3798 96.3694
ECDH,P-384,384bits 4297 0.8967 1.0619
ECDH,P-521,521bits 10105 2.1088 2.4973
Prefer DH,1024bits 41750 8.7128 16.3514
Prefer DH,1536bits 1 0.0002 0.0004
Prefer DH,2048bits 4670 0.9746 1.829
Prefer DH,3072bits 7 0.0015 0.0027
Prefer DH,4096bits 333 0.0695 0.1304
Prefer DH,768bits 37 0.0077 0.0145
Prefer ECDH,B-571,570bits 1575 0.3287 0.3892
Prefer ECDH,K-163,163bits 1 0.0002 0.0002
Prefer ECDH,P-224,224bits 81 0.0169 0.02
Prefer ECDH,P-256,256bits 357787 74.6668 88.42
Prefer ECDH,P-384,384bits 3158 0.659 0.7804
Prefer ECDH,P-521,521bits 9166 1.9129 2.2652
Prefer PFS 418566 87.3508 0
Support PFS 447930 93.4788 0
Supported ECC curves Count Percent
-------------------------+---------+--------
brainpoolP256r1 5523 1.1526
brainpoolP384r1 5524 1.1528
brainpoolP512r1 5525 1.153
prime192v1 1353 0.2824
prime256v1 401476 83.7843
prime256v1 Only 345957 72.198
secp160k1 1299 0.2711
secp160r1 1304 0.2721
secp160r2 1299 0.2711
secp192k1 1314 0.2742
secp224k1 1392 0.2905
secp224r1 4371 0.9122
secp256k1 7238 1.5105
secp384r1 56063 11.6998
secp384r1 Only 584 0.1219
secp521r1 28028 5.8492
secp521r1 Only 125 0.0261
sect163k1 1310 0.2734
sect163k1 Only 3 0.0006
sect163r1 1306 0.2726
sect163r2 1307 0.2728
sect193r1 1306 0.2726
sect193r2 1304 0.2721
sect233k1 1387 0.2895
sect233r1 1386 0.2892
sect239k1 1383 0.2886
sect283k1 6795 1.4181
sect283k1 Only 1 0.0002
sect283r1 6792 1.4174
sect409k1 6793 1.4176
sect409r1 6793 1.4176
sect571k1 6797 1.4185
sect571r1 6797 1.4185
Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 43974 9.177
True 304974 63.6452
order-specific 61 0.0127
unknown 130169 27.1651
ECC curve ordering Count Percent
-------------------------+---------+--------
client 6487 1.3538
inconclusive-noecc 8 0.0017
server 395730 82.5852
unknown 76953 16.0594
TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 40044 8.3568
ECDSA-SHA1 Only 3 0.0006
ECDSA-SHA224 40035 8.3549
ECDSA-SHA256 54403 11.3534
ECDSA-SHA384 54398 11.3524
ECDSA-SHA512 54399 11.3526
ECDSA-SHA512 Only 1 0.0002
RSA-MD5 47971 10.0111
RSA-SHA1 347530 72.5263
RSA-SHA1 Only 36263 7.5678
RSA-SHA224 288147 60.1336
RSA-SHA256 318675 66.5045
RSA-SHA256 Only 6467 1.3496
RSA-SHA384 290085 60.538
RSA-SHA384 Only 2 0.0004
RSA-SHA512 290093 60.5397
RSA-SHA512 Only 126 0.0263
TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 215610 44.9958
indeterminate 32 0.0067
intolerant 4623 0.9648
order-fallback 3 0.0006
server 175045 36.5303
unsupported 17219 3.5934
TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 40031 8.3541
ECDSA intolerant 47 0.0098
ECDSA pfs-rsa-SHA512 14337 2.992
ECDSA soft-nopfs 1 0.0002
RSA False 47573 9.928
RSA SHA1 274148 57.2121
RSA intolerant 34088 7.1138
RSA pfs-ecdsa-SHA512 4 0.0008
RSA soft-nopfs 498 0.1039
Renegotiation Count Percent
-------------------------+---------+--------
False 5212 1.0877
insecure 15480 3.2305
secure 458486 95.6818
Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 7370 1.5381
False 5212 1.0877
NONE 466596 97.3743
TLS session ticket hint Count Percent
-------------------------+---------+--------
1 4 0.0008
1 only 4 0.0008
2 1 0.0002
2 only 1 0.0002
10 6 0.0013
10 only 6 0.0013
15 5 0.001
15 only 5 0.001
30 18 0.0038
30 only 17 0.0035
60 142 0.0296
60 only 138 0.0288
65 1 0.0002
65 only 1 0.0002
70 6 0.0013
100 15 0.0031
100 only 15 0.0031
120 24 0.005
120 only 24 0.005
128 3 0.0006
128 only 3 0.0006
150 1 0.0002
180 58 0.0121
180 only 55 0.0115
240 7 0.0015
240 only 7 0.0015
244 1 0.0002
244 only 1 0.0002
300 230415 48.0855
300 only 226909 47.3538
302 2 0.0004
302 only 2 0.0004
360 3 0.0006
360 only 1 0.0002
400 7 0.0015
400 only 7 0.0015
420 116 0.0242
420 only 93 0.0194
480 10 0.0021
480 only 10 0.0021
500 4 0.0008
500 only 4 0.0008
540 2 0.0004
540 only 2 0.0004
600 23920 4.9919
600 only 23758 4.9581
660 1 0.0002
660 only 1 0.0002
840 1 0.0002
840 only 1 0.0002
900 983 0.2051
900 only 962 0.2008
960 3 0.0006
960 only 3 0.0006
1000 1 0.0002
1000 only 1 0.0002
1200 2630 0.5489
1200 only 2627 0.5482
1320 1 0.0002
1320 only 1 0.0002
1500 2 0.0004
1500 only 1 0.0002
1800 500 0.1043
1800 only 491 0.1025
1980 2 0.0004
1980 only 2 0.0004
2100 2 0.0004
2100 only 1 0.0002
2400 7 0.0015
2400 only 7 0.0015
2700 10 0.0021
2700 only 10 0.0021
3000 26 0.0054
3000 only 26 0.0054
3600 664 0.1386
3600 only 655 0.1367
3900 1 0.0002
3900 only 1 0.0002
5160 1 0.0002
5160 only 1 0.0002
5400 15 0.0031
5400 only 8 0.0017
6000 214 0.0447
6000 only 214 0.0447
7200 14927 3.1151
7200 only 14908 3.1112
10800 3286 0.6858
10800 only 3277 0.6839
14400 93 0.0194
14400 only 91 0.019
18000 9 0.0019
18000 only 9 0.0019
21600 3668 0.7655
21600 only 3668 0.7655
25200 1 0.0002
25200 only 1 0.0002
28800 1854 0.3869
28800 only 1853 0.3867
36000 954 0.1991
36000 only 945 0.1972
43200 39 0.0081
43200 only 39 0.0081
60000 1 0.0002
60000 only 1 0.0002
64800 56248 11.7384
64800 only 56243 11.7374
72000 21 0.0044
72000 only 21 0.0044
79200 1 0.0002
79200 only 1 0.0002
86000 44 0.0092
86000 only 44 0.0092
86400 2743 0.5724
86400 only 2734 0.5706
100800 8629 1.8008
100800 only 8618 1.7985
115200 1 0.0002
115200 only 1 0.0002
129600 7 0.0015
129600 only 7 0.0015
172800 9 0.0019
172800 only 9 0.0019
216000 2 0.0004
216000 only 2 0.0004
259200 2 0.0004
259200 only 2 0.0004
432000 1 0.0002
432000 only 1 0.0002
604800 2 0.0004
864000 3 0.0006
864000 only 3 0.0006
7776000 2 0.0004
7776000 only 2 0.0004
None 130619 27.259
None only 126799 26.4618
Certificate sig alg Count Percent
-------------------------+---------+--------
None 8093 1.6889
ecdsa-with-SHA256 54346 11.3415
sha1WithRSAEncryption 32309 6.7426
sha256WithRSAEncryption 406902 84.9167
sha384WithRSAEncryption 3 0.0006
sha512WithRSAEncryption 52 0.0109
Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 54398 11.3524
ECDSA 384 18 0.0038
ECDSA 521 1 0.0002
RSA 1024 28 0.0058
RSA 2048 416954 87.0144
RSA 2049 3 0.0006
RSA 2056 2 0.0004
RSA 2058 2 0.0004
RSA 2084 4 0.0008
RSA 2086 1 0.0002
RSA 2096 2 0.0004
RSA 2432 1 0.0002
RSA 3071 1 0.0002
RSA 3072 118 0.0246
RSA 3073 1 0.0002
RSA 3076 2 0.0004
RSA 3096 2 0.0004
RSA 3248 2 0.0004
RSA 4048 1 0.0002
RSA 4056 17 0.0035
RSA 4092 7 0.0015
RSA 4094 1 0.0002
RSA 4096 22025 4.5964
RSA 4098 1 0.0002
RSA 8192 4 0.0008
RSA 8392 1 0.0002
RSA/ECDSA Dual Stack 14407 3.0066
OCSP stapling Count Percent
-------------------------+---------+--------
Supported 112039 23.3815
Unsupported 367139 76.6185
Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 17376 3.6262
SSL2 Only 10 0.0021
SSL3 93563 19.5257
SSL3 Only 980 0.2045
SSL3 or TLS1 Only 47829 9.9815
SSL3 or lower Only 992 0.207
TLS1 472039 98.5102
TLS1 Only 29199 6.0936
TLS1 or lower Only 63377 13.2262
TLS1.1 404578 84.4317
TLS1.1 Only 297 0.062
TLS1.1 or up Only 5984 1.2488
TLS1.2 412518 86.0887
TLS1.2 Only 2158 0.4504
TLS1.2, 1.0 but not 1.1 7981 1.6656
Statistics from 487333 chains provided by 621854 hosts
Server provided chains Count Percent
-------------------------+---------+-------
complete 436283 70.1584
incomplete 20784 3.3423
untrusted 164787 26.4993
Trusted chain statistics
========================
Chain length Count Percent
-------------------------+---------+-------
2 12 0.0025
3 485364 99.596
4 1945 0.3991
5 12 0.0025
CA key size in chains Count
-------------------------+---------
ECDSA 256 42987
ECDSA 384 42988
RSA 1024 28
RSA 2045 2
RSA 2048 746942
RSA 4096 143676
Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 42987 8.8209
ECDSA 384 42988 8.8211
RSA 1024 26 0.0053
RSA 2045 2 0.0004
RSA 2048 443976 91.1032
RSA 4096 143127 29.3694
Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 42983
sha1WithRSAEncryption 37695
sha256WithRSAEncryption 279113
sha384WithRSAEncryption 129437
sha512WithRSAEncryption 62
Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 37722 7.7405
112 406613 83.4364
128.0 42998 8.8231
Root CAs Count Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 115692 23.7398
(2c543cd1) GeoTrust Global CA 85975 17.6419
(cbf06781) Go Daddy Root Certificate Authorit 43560 8.9384
(eed8c118) COMODO ECC Certification Authority 42977 8.8188
(5ad8a5d6) GlobalSign Root CA 41299 8.4745
(b204d74a) VeriSign Class 3 Public Primary Ce 28043 5.7544
(244b5494) DigiCert High Assurance EV Root CA 18414 3.7785
(2e4eed3c) thawte Primary Root CA 17524 3.5959
(fc5a8f99) USERTrust RSA Certification Author 13626 2.796
(653b494a) Baltimore CyberTrust Root 10432 2.1406
(3513523f) DigiCert Global Root CA 8525 1.7493
(ae8153b9) StartCom Certification Authority 7668 1.5735
(4bfab552) Starfield Root Certificate Authori 7663 1.5724
(480720ec) GeoTrust Primary Certification Aut 4978 1.0215
Scan performed between 22nd of February and 16th of March 2016
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
TLS scan results for January 2016
by Hubert Kario
raw statistics only, sorry
SSL/TLS survey of 541489 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)
Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 477135 88.1154
3DES Only 523 0.0966
3DES Preferred 1744 0.3221
3DES forced in TLS1.1+ 945 0.1745
AES 535585 98.9097
AES Only 34994 6.4626
AES-CBC 534935 98.7896
AES-CBC Only 9110 1.6824
AES-GCM 422759 78.0734
AES-GCM Only 589 0.1088
CAMELLIA 228296 42.1608
CAMELLIA Only 2 0.0004
CHACHA20 72561 13.4003
CHACHA20 Only 1 0.0002
Insecure 56630 10.4582
RC4 178913 33.0409
RC4 Only 577 0.1066
RC4 Preferred 18219 3.3646
RC4 forced in TLS1.1+ 9446 1.7444
x:FF 29 3DES Only 574 0.106
x:FF 29 3DES Preferred 2103 0.3884
x:FF 29 RC4 Only 771 0.1424
x:FF 29 RC4 Preferred 20172 3.7253
x:FF 29 incompatible 395 0.0729
x:FF 35 3DES Only 582 0.1075
x:FF 35 3DES Preferred 2009 0.371
x:FF 35 RC4 Only 937 0.173
x:FF 35 RC4 Preferred 20230 3.736
x:FF 35 incompatible 398 0.0735
y:DHE-RSA-SEED-SHA 66504 12.2817
y:IDEA-CBC-SHA 63061 11.6459
y:SEED-SHA 78410 14.4804
z:ADH-AES128-GCM-SHA256 397 0.0733
z:ADH-AES128-SHA 714 0.1319
z:ADH-AES128-SHA256 269 0.0497
z:ADH-AES256-GCM-SHA384 413 0.0763
z:ADH-AES256-SHA 723 0.1335
z:ADH-AES256-SHA256 271 0.05
z:ADH-CAMELLIA128-SHA 358 0.0661
z:ADH-CAMELLIA256-SHA 366 0.0676
z:ADH-DES-CBC-SHA 298 0.055
z:ADH-DES-CBC3-SHA 722 0.1333
z:ADH-RC4-MD5 560 0.1034
z:ADH-SEED-SHA 286 0.0528
z:AECDH-AES128-SHA 9282 1.7142
z:AECDH-AES256-SHA 9332 1.7234
z:AECDH-DES-CBC3-SHA 9248 1.7079
z:AECDH-NULL-SHA 61 0.0113
z:AECDH-RC4-SHA 8710 1.6085
z:DES-CBC-MD5 10050 1.856
z:DES-CBC-SHA 35379 6.5337
z:DES-CBC3-MD5 21189 3.9131
z:ECDHE-RSA-NULL-SHA 67 0.0124
z:EDH-RSA-DES-CBC-SHA 30295 5.5948
z:EXP-ADH-DES-CBC-SHA 192 0.0355
z:EXP-ADH-RC4-MD5 189 0.0349
z:EXP-DES-CBC-SHA 13046 2.4093
z:EXP-EDH-RSA-DES-CBC-SHA 10364 1.914
z:EXP-RC2-CBC-MD5 15781 2.9144
z:EXP-RC4-MD5 16506 3.0483
z:EXP1024-DES-CBC-SHA 4104 0.7579
z:EXP1024-RC4-SHA 4194 0.7745
z:IDEA-CBC-MD5 2095 0.3869
z:NULL-MD5 211 0.039
z:NULL-SHA 210 0.0388
z:NULL-SHA256 30 0.0055
z:RC2-CBC-MD5 10224 1.8881
z:RC4-64-MD5 892 0.1647
Cipher ordering Count Percent
-------------------------+---------+-------
Client side 133145 24.5887
Server side 408344 75.4113
Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 874 0.1614
AECDH 9353 1.7273
DHE 292291 53.9791
ECDH 2 0.0004
ECDHE 448914 82.9036
ECDHE and DHE 235557 43.5017
RSA 475602 87.8323
Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 152465 28.1566 52.1621
DH,1338bits 1 0.0002 0.0003
DH,1536bits 1 0.0002 0.0003
DH,2048bits 131006 24.1937 44.8204
DH,2236bits 13 0.0024 0.0044
DH,2432bits 2 0.0004 0.0007
DH,2560bits 1 0.0002 0.0003
DH,3072bits 93 0.0172 0.0318
DH,3092bits 1 0.0002 0.0003
DH,4096bits 8605 1.5891 2.944
DH,4098bits 1 0.0002 0.0003
DH,512bits 50 0.0092 0.0171
DH,768bits 395 0.0729 0.1351
DH,8192bits 2 0.0004 0.0007
ECDH,B-571,570bits 1771 0.3271 0.3945
ECDH,K-163,163bits 1 0.0002 0.0002
ECDH,P-192,192bits 15 0.0028 0.0033
ECDH,P-224,224bits 84 0.0155 0.0187
ECDH,P-256,256bits 433613 80.0779 96.5916
ECDH,P-384,384bits 4499 0.8309 1.0022
ECDH,P-521,521bits 10705 1.977 2.3846
Prefer DH,1024bits 53883 9.9509 18.4347
Prefer DH,1536bits 1 0.0002 0.0003
Prefer DH,2048bits 6107 1.1278 2.0894
Prefer DH,3072bits 9 0.0017 0.0031
Prefer DH,4096bits 375 0.0693 0.1283
Prefer DH,768bits 52 0.0096 0.0178
Prefer ECDH,B-571,570bits 1556 0.2874 0.3466
Prefer ECDH,K-163,163bits 1 0.0002 0.0002
Prefer ECDH,P-224,224bits 81 0.015 0.018
Prefer ECDH,P-256,256bits 396887 73.2955 88.4105
Prefer ECDH,P-384,384bits 3290 0.6076 0.7329
Prefer ECDH,P-521,521bits 9642 1.7806 2.1479
Prefer PFS 471884 87.1456 0
Support PFS 505648 93.381 0
Supported ECC curves Count Percent
-------------------------+---------+--------
brainpoolP256r1 2578 0.4761
brainpoolP384r1 2579 0.4763
brainpoolP512r1 2580 0.4765
prime192v1 1446 0.267
prime256v1 445477 82.2689
prime256v1 Only 388604 71.7658
secp160k1 1397 0.258
secp160r1 1402 0.2589
secp160r2 1396 0.2578
secp192k1 1410 0.2604
secp224k1 1487 0.2746
secp224r1 4270 0.7886
secp224r1 Only 1 0.0002
secp256k1 4033 0.7448
secp384r1 57392 10.5989
secp384r1 Only 554 0.1023
secp521r1 26343 4.8649
secp521r1 Only 142 0.0262
sect163k1 1402 0.2589
sect163k1 Only 2 0.0004
sect163r1 1400 0.2585
sect163r2 1400 0.2585
sect193r1 1399 0.2584
sect193r2 1399 0.2584
sect233k1 1480 0.2733
sect233r1 1480 0.2733
sect239k1 1480 0.2733
sect283k1 3926 0.725
sect283k1 Only 1 0.0002
sect283r1 3925 0.7249
sect409k1 3924 0.7247
sect409r1 3923 0.7245
sect571k1 3928 0.7254
sect571r1 3929 0.7256
Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 55946 10.3319
True 332237 61.3562
order-specific 60 0.0111
unknown 153246 28.3009
ECC curve ordering Count Percent
-------------------------+---------+--------
client 6546 1.2089
inconclusive-noecc 10 0.0018
server 439646 81.192
unknown 95287 17.5972
TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 43763 8.082
ECDSA-SHA1 Only 3 0.0006
ECDSA-SHA224 43755 8.0805
ECDSA-SHA256 58463 10.7967
ECDSA-SHA384 58458 10.7958
ECDSA-SHA512 58458 10.7958
RSA-MD5 93307 17.2316
RSA-SHA1 386583 71.3926
RSA-SHA1 Only 41287 7.6247
RSA-SHA224 320766 59.2378
RSA-SHA256 353383 65.2613
RSA-SHA256 Only 6919 1.2778
RSA-SHA384 322845 59.6217
RSA-SHA384 Only 1 0.0002
RSA-SHA512 322938 59.6389
RSA-SHA512 Only 199 0.0368
TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 245811 45.3954
indeterminate 42 0.0078
intolerant 5114 0.9444
order-fallback 9 0.0017
server 187931 34.7063
unsupported 19787 3.6542
TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 43750 8.0796
ECDSA intolerant 30 0.0055
ECDSA pfs-rsa-SHA512 14685 2.712
ECDSA soft-nopfs 1 0.0002
RSA False 92525 17.0871
RSA SHA1 265644 49.0581
RSA intolerant 37307 6.8897
RSA pfs-ecdsa-SHA512 1 0.0002
RSA soft-nopfs 863 0.1594
Renegotiation Count Percent
-------------------------+---------+--------
False 6052 1.1177
insecure 17380 3.2097
secure 518057 95.6727
Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 8694 1.6056
False 6052 1.1177
NONE 526743 97.2768
TLS session ticket hint Count Percent
-------------------------+---------+--------
1 5 0.0009
1 only 5 0.0009
2 1 0.0002
2 only 1 0.0002
5 1 0.0002
5 only 1 0.0002
10 11 0.002
10 only 11 0.002
15 9 0.0017
15 only 9 0.0017
30 14 0.0026
30 only 12 0.0022
60 158 0.0292
60 only 152 0.0281
65 1 0.0002
65 only 1 0.0002
70 7 0.0013
75 1 0.0002
75 only 1 0.0002
100 13 0.0024
100 only 13 0.0024
120 25 0.0046
120 only 25 0.0046
128 3 0.0006
128 only 3 0.0006
150 2 0.0004
180 59 0.0109
180 only 56 0.0103
240 6 0.0011
240 only 6 0.0011
244 1 0.0002
244 only 1 0.0002
300 257671 47.5856
300 only 253451 46.8063
302 3 0.0006
302 only 3 0.0006
360 2 0.0004
360 only 1 0.0002
400 6 0.0011
400 only 6 0.0011
420 114 0.0211
420 only 91 0.0168
450 1 0.0002
450 only 1 0.0002
480 13 0.0024
480 only 13 0.0024
500 4 0.0007
500 only 4 0.0007
540 1 0.0002
540 only 1 0.0002
600 27406 5.0612
600 only 27252 5.0328
720 2 0.0004
720 only 2 0.0004
840 2 0.0004
840 only 2 0.0004
900 989 0.1826
900 only 972 0.1795
960 3 0.0006
960 only 3 0.0006
1200 2741 0.5062
1200 only 2735 0.5051
1500 6 0.0011
1500 only 5 0.0009
1800 555 0.1025
1800 only 545 0.1006
1980 2 0.0004
1980 only 2 0.0004
2100 2 0.0004
2100 only 1 0.0002
2400 9 0.0017
2400 only 9 0.0017
2700 11 0.002
2700 only 11 0.002
3000 29 0.0054
3000 only 29 0.0054
3300 1 0.0002
3300 only 1 0.0002
3600 688 0.1271
3600 only 679 0.1254
3900 1 0.0002
3900 only 1 0.0002
5160 1 0.0002
5160 only 1 0.0002
5400 13 0.0024
5400 only 7 0.0013
6000 235 0.0434
6000 only 235 0.0434
7200 15880 2.9327
7200 only 15854 2.9279
10800 3309 0.6111
10800 only 3300 0.6094
14400 100 0.0185
14400 only 100 0.0185
18000 8 0.0015
18000 only 8 0.0015
21600 4676 0.8635
21600 only 4676 0.8635
25200 1 0.0002
25200 only 1 0.0002
28800 2453 0.453
28800 only 2450 0.4525
36000 1094 0.202
36000 only 1083 0.2
43200 41 0.0076
43200 only 41 0.0076
60000 2 0.0004
60000 only 2 0.0004
64800 4295 0.7932
64800 only 4295 0.7932
72000 28 0.0052
72000 only 28 0.0052
79200 1 0.0002
79200 only 1 0.0002
86000 48 0.0089
86000 only 48 0.0089
86400 3671 0.6779
86400 only 3666 0.677
100800 10910 2.0148
100800 only 10897 2.0124
115200 1 0.0002
115200 only 1 0.0002
129600 8 0.0015
129600 only 8 0.0015
172800 10 0.0018
172800 only 10 0.0018
216000 2 0.0004
216000 only 2 0.0004
259200 2 0.0004
259200 only 2 0.0004
432000 1 0.0002
432000 only 1 0.0002
604800 1 0.0002
864000 3 0.0006
864000 only 3 0.0006
None 208648 38.5323
None only 204120 37.6961
Certificate sig alg Count Percent
-------------------------+---------+--------
None 9968 1.8408
ecdsa-with-SHA256 58398 10.7847
sha1WithRSAEncryption 51637 9.5361
sha256WithRSAEncryption 446192 82.4009
sha384WithRSAEncryption 5 0.0009
sha512WithRSAEncryption 43 0.0079
Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 58449 10.7941
ECDSA 384 17 0.0031
ECDSA 521 1 0.0002
RSA 1024 20 0.0037
RSA 2047 1 0.0002
RSA 2048 473537 87.4509
RSA 2049 2 0.0004
RSA 2056 1 0.0002
RSA 2058 2 0.0004
RSA 2064 2 0.0004
RSA 2084 5 0.0009
RSA 2096 2 0.0004
RSA 2408 1 0.0002
RSA 2432 1 0.0002
RSA 2480 1 0.0002
RSA 3071 1 0.0002
RSA 3072 119 0.022
RSA 3073 1 0.0002
RSA 3096 2 0.0004
RSA 3248 2 0.0004
RSA 4048 1 0.0002
RSA 4056 18 0.0033
RSA 4092 6 0.0011
RSA 4094 1 0.0002
RSA 4095 1 0.0002
RSA 4096 24063 4.4439
RSA 4098 1 0.0002
RSA 8192 3 0.0006
RSA/ECDSA Dual Stack 14756 2.7251
OCSP stapling Count Percent
-------------------------+---------+--------
Supported 125414 23.161
Unsupported 416075 76.839
Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 21373 3.9471
SSL2 Only 15 0.0028
SSL3 111129 20.5229
SSL3 Only 1140 0.2105
SSL3 or TLS1 Only 59881 11.0586
SSL3 or lower Only 1155 0.2133
TLS1 534137 98.6423
TLS1 Only 37819 6.9843
TLS1 or lower Only 79028 14.5946
TLS1.1 449426 82.9982
TLS1.1 Only 331 0.0611
TLS1.1 or up Only 5997 1.1075
TLS1.2 458682 84.7075
TLS1.2 Only 2265 0.4183
TLS1.2, 1.0 but not 1.1 9518 1.7577
Statistics from 575515 chains provided by 712157 hosts
Server provided chains Count Percent
-------------------------+---------+-------
complete 510961 71.7484
incomplete 28667 4.0254
untrusted 172529 24.2263
Trusted chain statistics
========================
Chain length Count Percent
-------------------------+---------+-------
2 26 0.0045
3 573525 99.6542
4 1952 0.3392
5 12 0.0021
CA key size in chains Count
-------------------------+---------
ECDSA 256 58397
ECDSA 384 58400
RSA 1024 25
RSA 2045 2
RSA 2048 878262
RSA 4096 157894
Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 58397 10.1469
ECDSA 384 58400 10.1474
RSA 1024 23 0.004
RSA 2045 2 0.0003
RSA 2048 516745 89.7883
RSA 4096 157333 27.3378
Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 58394
sha1WithRSAEncryption 58209
sha256WithRSAEncryption 319412
sha384WithRSAEncryption 141372
sha512WithRSAEncryption 78
Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 58271 10.125
112 458828 79.7248
128.0 58416 10.1502
Most Popular Root CAs Count Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 126106 21.9119
(2c543cd1) GeoTrust Global CA 102943 17.8871
(eed8c118) COMODO ECC Certification Authority 58387 10.1452
(5ad8a5d6) GlobalSign Root CA 50714 8.8119
(cbf06781) Go Daddy Root Certificate Authorit 50524 8.7789
(b204d74a) VeriSign Class 3 Public Primary Ce 32049 5.5688
(244b5494) DigiCert High Assurance EV Root CA 21377 3.7144
(2e4eed3c) thawte Primary Root CA 20668 3.5912
(fc5a8f99) USERTrust RSA Certification Author 15152 2.6328
(157753a5) AddTrust External CA Root 14593 2.5356
(653b494a) Baltimore CyberTrust Root 11373 1.9761
(ae8153b9) StartCom Certification Authority 9025 1.5682
(3513523f) DigiCert Global Root CA 8982 1.5607
(4bfab552) Starfield Root Certificate Authori 8553 1.4861
Scan performed between 18th of January and 3rd of February 2016
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
TLS scan results for December 2015
by Hubert Kario
no analysis this time, I've been too busy, sorry
SSL/TLS survey of 536563 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)
Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 459320 85.6041
AES 530014 98.7795
AES Only 45794 8.5347
AES-CBC 529364 98.6583
AES-CBC Only 10074 1.8775
AES-GCM 412370 76.854
AES-GCM Only 538 0.1003
CAMELLIA 222494 41.4665
CAMELLIA Only 3 0.0006
CHACHA20 69686 12.9875
CHACHA20 Only 6 0.0011
Insecure 57699 10.7534
RC4 183979 34.2884
RC4 Only 864 0.161
RC4 Preferred 19979 3.7235
RC4 forced in TLS1.1+ 10502 1.9573
x:FF 29 RC4 Only 1093 0.2037
x:FF 29 RC4 Preferred 22208 4.1389
x:FF 29 incompatible 391 0.0729
x:FF 35 RC4 Only 1327 0.2473
x:FF 35 RC4 Preferred 22286 4.1535
x:FF 35 incompatible 395 0.0736
y:DHE-RSA-SEED-SHA 66508 12.3952
y:IDEA-CBC-SHA 61454 11.4533
y:SEED-SHA 77575 14.4578
z:ADH-AES128-GCM-SHA256 397 0.074
z:ADH-AES128-SHA 727 0.1355
z:ADH-AES128-SHA256 282 0.0526
z:ADH-AES256-GCM-SHA384 407 0.0759
z:ADH-AES256-SHA 745 0.1388
z:ADH-AES256-SHA256 282 0.0526
z:ADH-CAMELLIA128-SHA 367 0.0684
z:ADH-CAMELLIA256-SHA 379 0.0706
z:ADH-DES-CBC-SHA 309 0.0576
z:ADH-DES-CBC3-SHA 744 0.1387
z:ADH-RC4-MD5 597 0.1113
z:ADH-SEED-SHA 296 0.0552
z:AECDH-AES128-SHA 9967 1.8576
z:AECDH-AES256-SHA 10016 1.8667
z:AECDH-DES-CBC3-SHA 9935 1.8516
z:AECDH-NULL-SHA 60 0.0112
z:AECDH-RC4-SHA 9381 1.7484
z:DES-CBC-MD5 10532 1.9629
z:DES-CBC-SHA 35384 6.5946
z:DES-CBC3-MD5 21789 4.0608
z:ECDHE-RSA-NULL-SHA 64 0.0119
z:EDH-RSA-DES-CBC-SHA 30143 5.6178
z:EXP-ADH-DES-CBC-SHA 206 0.0384
z:EXP-ADH-RC4-MD5 201 0.0375
z:EXP-DES-CBC-SHA 13685 2.5505
z:EXP-EDH-RSA-DES-CBC-SHA 10941 2.0391
z:EXP-RC2-CBC-MD5 16617 3.0969
z:EXP-RC4-MD5 17371 3.2375
z:EXP1024-DES-CBC-SHA 4273 0.7964
z:EXP1024-RC4-SHA 4354 0.8115
z:IDEA-CBC-MD5 2139 0.3986
z:NULL-MD5 227 0.0423
z:NULL-SHA 227 0.0423
z:NULL-SHA256 28 0.0052
z:RC2-CBC-MD5 10751 2.0037
z:RC4-64-MD5 880 0.164
Cipher ordering Count Percent
-------------------------+---------+-------
Client side 132599 24.7127
Server side 403964 75.2873
Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 892 0.1662
AECDH 10038 1.8708
DHE 290879 54.2115
ECDH 3 0.0006
ECDHE 438449 81.7144
ECDHE and DHE 230817 43.0177
RSA 462690 86.2322
Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 156486 29.1645 53.7976
DH,1338bits 1 0.0002 0.0003
DH,1536bits 1 0.0002 0.0003
DH,2048bits 125695 23.426 43.2121
DH,2236bits 13 0.0024 0.0045
DH,2432bits 2 0.0004 0.0007
DH,2560bits 1 0.0002 0.0003
DH,3072bits 96 0.0179 0.033
DH,3092bits 1 0.0002 0.0003
DH,4094bits 1 0.0002 0.0003
DH,4096bits 8225 1.5329 2.8276
DH,4098bits 1 0.0002 0.0003
DH,512bits 39 0.0073 0.0134
DH,6144bits 2 0.0004 0.0007
DH,768bits 413 0.077 0.142
DH,8192bits 2 0.0004 0.0007
ECDH,B-571,570bits 1680 0.3131 0.3832
ECDH,K-163,163bits 1 0.0002 0.0002
ECDH,P-192,192bits 13 0.0024 0.003
ECDH,P-224,224bits 85 0.0158 0.0194
ECDH,P-256,256bits 424488 79.1124 96.8158
ECDH,P-384,384bits 3868 0.7209 0.8822
ECDH,P-521,521bits 9879 1.8412 2.2532
Prefer DH,1024bits 55460 10.3362 19.0663
Prefer DH,1536bits 1 0.0002 0.0003
Prefer DH,2048bits 7764 1.447 2.6692
Prefer DH,3072bits 10 0.0019 0.0034
Prefer DH,4096bits 364 0.0678 0.1251
Prefer DH,768bits 48 0.0089 0.0165
Prefer ECDH,B-571,570bits 1483 0.2764 0.3382
Prefer ECDH,K-163,163bits 1 0.0002 0.0002
Prefer ECDH,P-224,224bits 82 0.0153 0.0187
Prefer ECDH,P-256,256bits 386031 71.9451 88.0447
Prefer ECDH,P-384,384bits 2985 0.5563 0.6808
Prefer ECDH,P-521,521bits 8928 1.6639 2.0363
Prefer PFS 463157 86.3192 0
Support PFS 498511 92.9082 0
Supported ECC curves Count Percent
-------------------------+---------+--------
brainpoolP256r1 2250 0.4193
brainpoolP384r1 2253 0.4199
brainpoolP512r1 2257 0.4206
prime192v1 1426 0.2658
prime256v1 435505 81.1657
prime256v1 Only 381299 71.0632
secp160k1 1377 0.2566
secp160r1 1382 0.2576
secp160r2 1376 0.2564
secp192k1 1394 0.2598
secp224k1 1465 0.273
secp224r1 4037 0.7524
secp224r1 Only 1 0.0002
secp256k1 3628 0.6762
secp384r1 54625 10.1805
secp384r1 Only 479 0.0893
secp521r1 24462 4.559
secp521r1 Only 129 0.024
sect163k1 1388 0.2587
sect163k1 Only 1 0.0002
sect163r1 1387 0.2585
sect163r2 1387 0.2585
sect193r1 1385 0.2581
sect193r2 1384 0.2579
sect233k1 1466 0.2732
sect233r1 1464 0.2728
sect239k1 1461 0.2723
sect283k1 3583 0.6678
sect283r1 3581 0.6674
sect409k1 3584 0.668
sect409r1 3584 0.668
sect571k1 3594 0.6698
sect571r1 3596 0.6702
Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 67862 12.6475
True 312481 58.2375
order-specific 96 0.0179
unknown 156124 29.097
ECC curve ordering Count Percent
-------------------------+---------+--------
client 5459 1.0174
inconclusive-noecc 12 0.0022
server 430685 80.2674
unknown 100407 18.713
TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 41280 7.6934
ECDSA-SHA1 Only 2 0.0004
ECDSA-SHA224 41274 7.6923
ECDSA-SHA256 55318 10.3097
ECDSA-SHA384 55314 10.3089
ECDSA-SHA512 55315 10.3091
ECDSA-SHA512 Only 1 0.0002
RSA-MD5 156847 29.2318
RSA-SHA1 379786 70.7813
RSA-SHA1 Only 42067 7.8401
RSA-SHA224 314857 58.6803
RSA-SHA256 345177 64.3311
RSA-SHA256 Only 6253 1.1654
RSA-SHA384 316545 58.9949
RSA-SHA384 Only 1 0.0002
RSA-SHA512 316760 59.035
RSA-SHA512 Only 293 0.0546
TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 241325 44.9761
indeterminate 115 0.0214
intolerant 4940 0.9207
order-fallback 4 0.0007
server 182715 34.0529
unsupported 21177 3.9468
TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 41260 7.6897
ECDSA intolerant 48 0.0089
ECDSA pfs-rsa-SHA512 14029 2.6146
ECDSA soft-nopfs 2 0.0004
RSA False 155749 29.0272
RSA SHA1 196182 36.5627
RSA intolerant 36096 6.7273
RSA pfs-ecdsa-SHA512 8 0.0015
RSA soft-nopfs 1168 0.2177
Renegotiation Count Percent
-------------------------+---------+--------
False 6429 1.1982
insecure 17943 3.3441
secure 512191 95.4578
Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 9264 1.7265
False 6429 1.1982
NONE 520870 97.0753
TLS session ticket hint Count Percent
-------------------------+---------+--------
1 5 0.0009
1 only 5 0.0009
2 2 0.0004
2 only 2 0.0004
5 1 0.0002
5 only 1 0.0002
10 12 0.0022
10 only 12 0.0022
15 8 0.0015
15 only 8 0.0015
30 17 0.0032
30 only 15 0.0028
60 98 0.0183
60 only 93 0.0173
65 2 0.0004
65 only 2 0.0004
70 6 0.0011
100 16 0.003
100 only 16 0.003
120 29 0.0054
120 only 29 0.0054
128 3 0.0006
128 only 3 0.0006
150 2 0.0004
180 48 0.0089
180 only 45 0.0084
240 8 0.0015
240 only 8 0.0015
300 254800 47.4874
300 only 250537 46.6929
302 3 0.0006
302 only 3 0.0006
360 2 0.0004
360 only 1 0.0002
400 6 0.0011
400 only 6 0.0011
420 133 0.0248
420 only 105 0.0196
480 15 0.0028
480 only 15 0.0028
500 4 0.0007
500 only 4 0.0007
540 1 0.0002
540 only 1 0.0002
600 27913 5.2022
600 only 27746 5.1711
700 1 0.0002
700 only 1 0.0002
840 1 0.0002
840 only 1 0.0002
900 923 0.172
900 only 896 0.167
960 1 0.0002
960 only 1 0.0002
1200 2345 0.437
1200 only 2339 0.4359
1320 1 0.0002
1320 only 1 0.0002
1500 11 0.0021
1500 only 10 0.0019
1800 536 0.0999
1800 only 528 0.0984
1980 1 0.0002
1980 only 1 0.0002
2100 1 0.0002
2100 only 1 0.0002
2400 8 0.0015
2400 only 8 0.0015
2700 10 0.0019
2700 only 10 0.0019
3000 26 0.0048
3000 only 26 0.0048
3300 1 0.0002
3300 only 1 0.0002
3600 614 0.1144
3600 only 602 0.1122
3900 1 0.0002
3900 only 1 0.0002
4100 1 0.0002
4100 only 1 0.0002
5160 1 0.0002
5160 only 1 0.0002
5400 14 0.0026
5400 only 7 0.0013
6000 200 0.0373
6000 only 200 0.0373
7200 15561 2.9001
7200 only 15539 2.896
10800 3493 0.651
10800 only 3481 0.6488
14400 98 0.0183
14400 only 98 0.0183
18000 8 0.0015
18000 only 8 0.0015
21600 4783 0.8914
21600 only 4783 0.8914
25200 1 0.0002
25200 only 1 0.0002
28800 2385 0.4445
28800 only 2380 0.4436
36000 1170 0.2181
36000 only 1163 0.2167
43200 39 0.0073
43200 only 39 0.0073
60000 1 0.0002
60000 only 1 0.0002
64800 4661 0.8687
64800 only 4660 0.8685
72000 31 0.0058
72000 only 31 0.0058
79200 1 0.0002
79200 only 1 0.0002
86000 46 0.0086
86000 only 46 0.0086
86400 3553 0.6622
86400 only 3545 0.6607
100800 10783 2.0096
100800 only 10771 2.0074
115200 1 0.0002
115200 only 1 0.0002
129600 8 0.0015
129600 only 8 0.0015
172800 9 0.0017
172800 only 9 0.0017
216000 1 0.0002
216000 only 1 0.0002
432000 2 0.0004
432000 only 2 0.0004
604800 2 0.0004
604800 only 1 0.0002
None 206697 38.5224
None only 202099 37.6655
Certificate sig alg Count Percent
-------------------------+---------+--------
None 10673 1.9891
ecdsa-with-SHA256 55263 10.2994
sha1WithRSAEncryption 66180 12.3341
sha256WithRSAEncryption 429902 80.1214
sha384WithRSAEncryption 5 0.0009
sha512WithRSAEncryption 37 0.0069
Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 55328 10.3116
ECDSA 384 15 0.0028
RSA 1024 33 0.0062
RSA 2048 474602 88.4522
RSA 2049 2 0.0004
RSA 2058 3 0.0006
RSA 2064 1 0.0002
RSA 2084 4 0.0007
RSA 2096 2 0.0004
RSA 2408 1 0.0002
RSA 2480 1 0.0002
RSA 3071 1 0.0002
RSA 3072 127 0.0237
RSA 3096 2 0.0004
RSA 3248 3 0.0006
RSA 4042 1 0.0002
RSA 4048 1 0.0002
RSA 4056 24 0.0045
RSA 4069 1 0.0002
RSA 4092 6 0.0011
RSA 4094 2 0.0004
RSA 4095 1 0.0002
RSA 4096 20517 3.8238
RSA 4098 1 0.0002
RSA 4196 2 0.0004
RSA 8192 6 0.0011
RSA/ECDSA Dual Stack 14112 2.6301
OCSP stapling Count Percent
-------------------------+---------+--------
Supported 122156 22.7664
Unsupported 414407 77.2336
Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 22019 4.1037
SSL2 Only 16 0.003
SSL3 114551 21.349
SSL3 Only 451 0.0841
SSL3 or TLS1 Only 62546 11.6568
SSL3 or lower Only 465 0.0867
TLS1 530535 98.8766
TLS1 Only 38783 7.228
TLS1 or lower Only 83051 15.4783
TLS1.1 440269 82.0536
TLS1.1 Only 341 0.0636
TLS1.1 or up Only 5269 0.982
TLS1.2 450259 83.9154
TLS1.2 Only 2150 0.4007
TLS1.2, 1.0 but not 1.1 10510 1.9588
Statistics from 571668 chains provided by 706831 hosts
Server provided chains Count Percent
-------------------------+---------+-------
complete 509502 72.0826
incomplete 25925 3.6678
untrusted 171404 24.2496
Trusted chain statistics
========================
Chain length Count Percent
-------------------------+---------+-------
2 33 0.0058
3 569492 99.6194
4 2129 0.3724
5 14 0.0024
CA key size in chains Count
-------------------------+---------
ECDSA 256 55261
ECDSA 384 55264
RSA 1024 33
RSA 2045 3
RSA 2048 886633
RSA 4096 148266
Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 55261 9.6666
ECDSA 384 55264 9.6671
RSA 1024 31 0.0054
RSA 2045 3 0.0005
RSA 2048 516046 90.2702
RSA 4096 147728 25.8416
Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 55257
sha1WithRSAEncryption 74114
sha256WithRSAEncryption 311465
sha384WithRSAEncryption 132882
sha512WithRSAEncryption 74
Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 74154 12.9715
112 442237 77.3591
128 55277 9.6694
Most common root CAs Count Percent
---------------------------------------------+---------+-------
(157753a5) AddTrust External CA Root 21173 3.7037
(244b5494) DigiCert High Assurance EV Root CA 22796 3.9876
(2c543cd1) GeoTrust Global CA 103983 18.1894
(2e4eed3c) thawte Primary Root CA 22155 3.8755
(3513523f) DigiCert Global Root CA 8921 1.5605
(4bfab552) Starfield Root Certificate Authori 7786 1.362
(5ad8a5d6) GlobalSign Root CA 49934 8.7348
(653b494a) Baltimore CyberTrust Root 11652 2.0382
(ae8153b9) StartCom Certification Authority 9075 1.5875
(b204d74a) VeriSign Class 3 Public Primary Ce 33097 5.7895
(cbf06781) Go Daddy Root Certificate Authorit 50135 8.77
(d6325660) COMODO RSA Certification Authority 118944 20.8065
(eed8c118) COMODO ECC Certification Authority 55250 9.6647
(fc5a8f99) USERTrust RSA Certification Author 13826 2.4185
Scan performed between 15th of December and 26th of December 2015.
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
updating the fedora defensive guide
by Nikos Mavrogiannopoulos
Hi,
I've realized that the Fedora defensive guide [0] is the only guide we
have to introduce the C TLS and crypto libraries we have, as well as
provide a defensive style in using them. However, it is quite
outdated, and misses information which may be a standard requirement in
the future (e.g., support for HSMs). For that, I've taken the liberty to
update the text on crypto libraries, as well as the TLS libraries,
i.e., gnutls; Bob Relyea reviewed the text on NSS, and we added a section
on using Hardware Security Modules with openssl, gnutls and NSS.
The existing updates are in:
https://pagure.io/defensive-coding-guide/pull-requests
However, what is missing now is updating the code samples for openssl with code that is safe to use with both 1.1.0 and 1.0.0, reviewing the section on HSMs+openssl, and adding a section on setting up a server with openssl. Anyone who knows openssl well enough to volunteer for any of the tasks above?
regards,
Nikos
[0]. https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defe...