TLS scan results for July 2016
by Hubert Kario
This time the results are enhanced with probes detecting tolerance to higher
protocol versions and bigger messages.
analysis here:
https://securitypitfalls.wordpress.com/2016/09/06/july-2016-scan-results/
SSL/TLS survey of 603391 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)
Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 532905 88.3184
3DES Only 550 0.0912
3DES Preferred 1719 0.2849
3DES forced in TLS1.1+ 992 0.1644
AES 599329 99.3268
AES Only 46610 7.7247
AES-CBC 598756 99.2318
AES-CBC Only 4850 0.8038
AES-GCM 509780 84.4858
AES-GCM Only 526 0.0872
CAMELLIA 267705 44.3668
CAMELLIA Only 1 0.0002
CHACHA20 83982 13.9183
CHACHA20 Only 3 0.0005
Insecure 53186 8.8145
RC4 153525 25.4437
RC4 Only 140 0.0232
RC4 Preferred 12783 2.1185
RC4 forced in TLS1.1+ 6911 1.1454
x:FF 29 3DES Only 597 0.0989
x:FF 29 3DES Preferred 2030 0.3364
x:FF 29 RC4 Only 193 0.032
x:FF 29 RC4 Preferred 14404 2.3872
x:FF 29 incompatible 530 0.0878
x:FF 35 3DES Only 605 0.1003
x:FF 35 3DES Preferred 1956 0.3242
x:FF 35 RC4 Only 218 0.0361
x:FF 35 RC4 Preferred 14418 2.3895
x:FF 35 incompatible 532 0.0882
x:FF 44 3DES Only 3874 0.642
x:FF 44 3DES Preferred 7464 1.237
x:FF 44 incompatible 750 0.1243
y:DHE-RSA-SEED-SHA 79084 13.1066
y:IDEA-CBC-SHA 75906 12.5799
y:SEED-SHA 90103 14.9328
z:ADH-AES128-GCM-SHA256 428 0.0709
z:ADH-AES128-SHA 715 0.1185
z:ADH-AES128-SHA256 281 0.0466
z:ADH-AES256-GCM-SHA384 442 0.0733
z:ADH-AES256-SHA 759 0.1258
z:ADH-AES256-SHA256 284 0.0471
z:ADH-CAMELLIA128-SHA 368 0.061
z:ADH-CAMELLIA128-SHA256 1 0.0002
z:ADH-CAMELLIA256-SHA 393 0.0651
z:ADH-CAMELLIA256-SHA256 1 0.0002
z:ADH-DES-CBC-SHA 279 0.0462
z:ADH-DES-CBC3-SHA 720 0.1193
z:ADH-RC4-MD5 517 0.0857
z:ADH-SEED-SHA 298 0.0494
z:AECDH-AES128-SHA 9498 1.5741
z:AECDH-AES256-SHA 9566 1.5854
z:AECDH-DES-CBC3-SHA 9463 1.5683
z:AECDH-NULL-SHA 60 0.0099
z:AECDH-RC4-SHA 8940 1.4816
z:DES-CBC-MD5 6015 0.9969
z:DES-CBC-SHA 33753 5.5939
z:DES-CBC3-MD5 15538 2.5751
z:ECDHE-RSA-NULL-SHA 67 0.0111
z:EDH-RSA-DES-CBC-SHA 28904 4.7903
z:EXP-ADH-DES-CBC-SHA 180 0.0298
z:EXP-ADH-RC4-MD5 178 0.0295
z:EXP-DES-CBC-SHA 9916 1.6434
z:EXP-EDH-RSA-DES-CBC-SHA 7950 1.3176
z:EXP-RC2-CBC-MD5 11811 1.9574
z:EXP-RC4-MD5 12355 2.0476
z:EXP1024-DES-CBC-SHA 3045 0.5046
z:EXP1024-RC4-SHA 3108 0.5151
z:IDEA-CBC-MD5 1225 0.203
z:NULL-MD5 196 0.0325
z:NULL-SHA 201 0.0333
z:NULL-SHA256 39 0.0065
z:RC2-CBC-MD5 6171 1.0227
z:RC4-64-MD5 692 0.1147
Cipher ordering Count Percent
-------------------------+---------+-------
Client side 149228 24.7316
Server side 454163 75.2684
Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 918 0.1521
AECDH 9574 1.5867
DHE 327644 54.3004
ECDH 2 0.0003
ECDHE 532966 88.3285
ECDHE and DHE 285103 47.2501
RSA 517470 85.7603
Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 115821 19.195 35.3496
DH,2048bits 196265 32.527 59.9019
DH,2049bits 1 0.0002 0.0003
DH,2236bits 77 0.0128 0.0235
DH,2432bits 3 0.0005 0.0009
DH,3072bits 141 0.0234 0.043
DH,3092bits 2 0.0003 0.0006
DH,3196bits 1 0.0002 0.0003
DH,4096bits 14972 2.4813 4.5696
DH,512bits 122 0.0202 0.0372
DH,6144bits 1 0.0002 0.0003
DH,768bits 355 0.0588 0.1083
DH,8192bits 7 0.0012 0.0021
ECDH,B-571,570bits 4696 0.7783 0.8811
ECDH,K-163,163bits 1 0.0002 0.0002
ECDH,P-192,192bits 68 0.0113 0.0128
ECDH,P-224,224bits 91 0.0151 0.0171
ECDH,P-256,256bits 500295 82.9139 93.87
ECDH,P-384,384bits 12707 2.1059 2.3842
ECDH,P-521,521bits 17146 2.8416 3.2171
ECDH,brainpoolP512r1,512bits 3 0.0005 0.0006
ECDH,secp256k1,256bits 1 0.0002 0.0002
Prefer DH,1024bits 42440 7.0336 12.9531
Prefer DH,2048bits 4955 0.8212 1.5123
Prefer DH,3072bits 9 0.0015 0.0027
Prefer DH,3092bits 2 0.0003 0.0006
Prefer DH,4096bits 379 0.0628 0.1157
Prefer DH,768bits 33 0.0055 0.0101
Prefer ECDH,B-571,570bits 4438 0.7355 0.8327
Prefer ECDH,K-163,163bits 1 0.0002 0.0002
Prefer ECDH,P-192,192bits 1 0.0002 0.0002
Prefer ECDH,P-224,224bits 89 0.0147 0.0167
Prefer ECDH,P-256,256bits 465038 77.0708 87.2547
Prefer ECDH,P-384,384bits 10660 1.7667 2.0001
Prefer ECDH,P-521,521bits 15901 2.6353 2.9835
Prefer ECDH,brainpoolP512r1,512bits 3 0.0005 0.0006
Prefer ECDH,secp256k1,256bits 1 0.0002 0.0002
Prefer PFS 543950 90.1488 0
Support PFS 575507 95.3788 0
Supported ECC curves Count Percent
-------------------------+---------+--------
None 2 0.0003
None Only 2 0.0003
brainpoolP256r1 27492 4.5562
brainpoolP384r1 27491 4.5561
brainpoolP512r1 27484 4.5549
prime192v1 1647 0.273
prime256v1 510415 84.5911
prime256v1 Only 428464 71.0093
secp160k1 1528 0.2532
secp160r1 1536 0.2546
secp160r2 1528 0.2532
secp192k1 1543 0.2557
secp224k1 1625 0.2693
secp224r1 5406 0.8959
secp256k1 29683 4.9194
secp384r1 88419 14.6537
secp384r1 Only 5169 0.8567
secp521r1 58499 9.695
secp521r1 Only 153 0.0254
sect163k1 1531 0.2537
sect163k1 Only 3 0.0005
sect163r1 1529 0.2534
sect163r2 1529 0.2534
sect193r1 1529 0.2534
sect193r2 1529 0.2534
sect233k1 1614 0.2675
sect233r1 1614 0.2675
sect239k1 1614 0.2675
sect283k1 28930 4.7946
sect283k1 Only 2 0.0003
sect283r1 28927 4.7941
sect409k1 28927 4.7941
sect409r1 28927 4.7941
sect571k1 28927 4.7941
sect571r1 28930 4.7946
server 38445 6.3715
server Only 38445 6.3715
Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 532806 88.3019
unknown 70585 11.6981
ECC curve ordering Count Percent
-------------------------+---------+--------
36744 6.0896
client 18027 2.9876
server 478197 79.2516
unknown 70423 11.6712
TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 54563 9.0427
ECDSA-SHA1 Only 9 0.0015
ECDSA-SHA224 54587 9.0467
ECDSA-SHA256 72567 12.0265
ECDSA-SHA384 72639 12.0385
ECDSA-SHA512 72750 12.0569
ECDSA-SHA512 Only 118 0.0196
RSA-MD5 23842 3.9513
RSA-SHA1 462908 76.7178
RSA-SHA1 Only 30278 5.018
RSA-SHA224 387875 64.2825
RSA-SHA256 441866 73.2305
RSA-SHA256 Only 8016 1.3285
RSA-SHA384 403401 66.8557
RSA-SHA384 Only 4 0.0007
RSA-SHA512 403342 66.8459
RSA-SHA512 Only 131 0.0217
TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 282677 46.8481
indeterminate 38 0.0063
intolerant 6561 1.0874
order-fallback 4 0.0007
server 236059 39.1221
unsupported 14339 2.3764
TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 54456 9.025
ECDSA intolerant 652 0.1081
ECDSA pfs-rsa-SHA512 17783 2.9472
ECDSA soft-nopfs 15 0.0025
RSA False 23629 3.916
RSA SHA1 399316 66.1786
RSA intolerant 50007 8.2877
RSA pfs-ecdsa-SHA512 99 0.0164
RSA soft-nopfs 389 0.0645
Renegotiation Count Percent
-------------------------+---------+--------
False 4550 0.7541
insecure 15701 2.6021
secure 583140 96.6438
Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 6683 1.1076
False 4550 0.7541
NONE 592158 98.1384
TLS session ticket hint Count Percent
-------------------------+---------+--------
1 3 0.0005
1 only 3 0.0005
5 8 0.0013
5 only 8 0.0013
10 9 0.0015
10 only 9 0.0015
15 7 0.0012
15 only 7 0.0012
30 29 0.0048
30 only 29 0.0048
60 172 0.0285
60 only 166 0.0275
65 2 0.0003
65 only 2 0.0003
70 6 0.001
70 only 4 0.0007
75 1 0.0002
75 only 1 0.0002
90 1 0.0002
90 only 1 0.0002
100 15 0.0025
100 only 15 0.0025
120 28 0.0046
120 only 28 0.0046
128 3 0.0005
128 only 2 0.0003
150 2 0.0003
180 83 0.0138
180 only 80 0.0133
240 12 0.002
240 only 12 0.002
300 306995 50.8783
300 only 304055 50.391
302 2 0.0003
302 only 2 0.0003
360 3 0.0005
360 only 2 0.0003
400 8 0.0013
400 only 8 0.0013
420 120 0.0199
420 only 103 0.0171
480 11 0.0018
480 only 11 0.0018
500 4 0.0007
500 only 4 0.0007
540 4 0.0007
540 only 4 0.0007
600 29961 4.9654
600 only 29817 4.9416
630 1 0.0002
630 only 1 0.0002
700 1 0.0002
700 only 1 0.0002
720 6 0.001
720 only 6 0.001
840 2 0.0003
840 only 2 0.0003
900 1560 0.2585
900 only 1541 0.2554
960 3 0.0005
960 only 3 0.0005
1000 1 0.0002
1000 only 1 0.0002
1200 3528 0.5847
1200 only 3525 0.5842
1210 2 0.0003
1210 only 2 0.0003
1320 1 0.0002
1320 only 1 0.0002
1380 1 0.0002
1380 only 1 0.0002
1440 1 0.0002
1440 only 1 0.0002
1500 4 0.0007
1500 only 3 0.0005
1800 860 0.1425
1800 only 839 0.139
1980 2 0.0003
1980 only 2 0.0003
2100 1 0.0002
2400 8 0.0013
2400 only 8 0.0013
2700 12 0.002
2700 only 12 0.002
3000 41 0.0068
3000 only 41 0.0068
3600 1100 0.1823
3600 only 1090 0.1806
3900 2 0.0003
3900 only 2 0.0003
4200 2 0.0003
4200 only 1 0.0002
4500 1 0.0002
4500 only 1 0.0002
5160 1 0.0002
5160 only 1 0.0002
5400 15 0.0025
5400 only 9 0.0015
6000 341 0.0565
6000 only 340 0.0563
7200 15389 2.5504
7200 only 15355 2.5448
7500 2 0.0003
7500 only 2 0.0003
9000 2 0.0003
9000 only 2 0.0003
10800 5322 0.882
10800 only 5300 0.8784
14400 147 0.0244
14400 only 144 0.0239
18000 9 0.0015
18000 only 8 0.0013
21600 4353 0.7214
21600 only 4353 0.7214
25200 1 0.0002
25200 only 1 0.0002
28800 2164 0.3586
28800 only 2164 0.3586
30000 2 0.0003
30000 only 1 0.0002
36000 1239 0.2053
36000 only 1231 0.204
43200 67 0.0111
43200 only 67 0.0111
54000 2 0.0003
54000 only 2 0.0003
60000 3 0.0005
60000 only 3 0.0005
64800 73037 12.1044
64800 only 73018 12.1013
72000 12 0.002
72000 only 12 0.002
79200 1 0.0002
79200 only 1 0.0002
86400 3232 0.5356
86400 only 3222 0.534
100800 9169 1.5196
100800 only 9156 1.5174
108000 1 0.0002
108000 only 1 0.0002
115200 1 0.0002
115200 only 1 0.0002
129600 6 0.001
129600 only 6 0.001
172800 49 0.0081
172800 only 49 0.0081
216000 3 0.0005
216000 only 3 0.0005
259200 3 0.0005
259200 only 3 0.0005
432000 1 0.0002
432000 only 1 0.0002
604800 1 0.0002
864000 2 0.0003
864000 only 2 0.0003
7776000 2 0.0003
7776000 only 2 0.0003
None 147458 24.4382
None only 144200 23.8983
Certificate sig alg Count Percent
-------------------------+---------+--------
None 10178 1.6868
ecdsa-with-SHA256 70598 11.7002
sha1WithRSAEncryption 17351 2.8756
sha256WithRSAEncryption 533303 88.3843
sha384WithRSAEncryption 7 0.0012
sha512WithRSAEncryption 77 0.0128
Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 72865 12.0759
ECDSA 384 41 0.0068
ECDSA 521 1 0.0002
RSA 1024 14 0.0023
RSA 2048 516458 85.5926
RSA 2049 4 0.0007
RSA 2056 1 0.0002
RSA 2058 3 0.0005
RSA 2059 1 0.0002
RSA 2080 6 0.001
RSA 2084 1 0.0002
RSA 2086 1 0.0002
RSA 2096 3 0.0005
RSA 2408 1 0.0002
RSA 2432 6 0.001
RSA 2560 1 0.0002
RSA 2948 1 0.0002
RSA 3072 158 0.0262
RSA 3096 2 0.0003
RSA 3120 1 0.0002
RSA 3248 3 0.0005
RSA 4048 3 0.0005
RSA 4056 21 0.0035
RSA 4069 1 0.0002
RSA 4086 3 0.0005
RSA 4092 2 0.0003
RSA 4094 1 0.0002
RSA 4095 1 0.0002
RSA 4096 33887 5.6161
RSA 4196 1 0.0002
RSA 8192 12 0.002
RSA 8392 1 0.0002
RSA/ECDSA Dual Stack 20097 3.3307
OCSP stapling Count Percent
-------------------------+---------+--------
Supported 139486 23.117
Unsupported 463905 76.883
Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 15694 2.601
SSL2 Only 9 0.0015
SSL3 88647 14.6915
SSL3 Only 325 0.0539
SSL3 or TLS1 Only 47120 7.8092
SSL3 or lower Only 335 0.0555
TLS1 590402 97.8473
TLS1 Only 28435 4.7125
TLS1 or lower Only 61759 10.2353
TLS1.1 532582 88.2648
TLS1.1 Only 43 0.0071
TLS1.1 or up Only 12475 2.0675
TLS1.2 539663 89.4384
TLS1.2 Only 3587 0.5945
TLS1.2, 1.0 but not 1.1 5029 0.8335
Client Hello intolerance Count Percent
----------------------------------------+---------+-------
Huge Cipher List 539862 89.4713
Huge Cipher List (trunc 16388) 143271 23.7443
SSL 3.254 19882 3.295
TLS 1.0 66391 11.003
TLS 1.1 3190 0.5287
TLS 1.2 67 0.0111
TLS 1.3 7896 1.3086
TLS 1.4 14758 2.4458
Xmas tree 43001 7.1266
x:missing information 44 0.0073
Statistics from 544239 chains provided by 734331 hosts
Server provided chains Count Percent
-------------------------+---------+-------
complete 493648 67.2242
incomplete 20056 2.7312
untrusted 220627 30.0446
Trusted chain statistics
========================
Chain length Count Percent
-------------------------+---------+-------
2 1 0.0002
3 540295 99.2753
4 3930 0.7221
5 13 0.0024
CA key size in chains Count
-------------------------+---------
ECDSA 256 30197
ECDSA 384 30193
RSA 1024 9
RSA 2045 2
RSA 2048 845143
RSA 4096 186889
Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 30197 5.5485
ECDSA 384 30193 5.5477
RSA 1024 7 0.0013
RSA 2045 2 0.0004
RSA 2048 513612 94.3725
RSA 4096 186227 34.2179
Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 30185
sha1WithRSAEncryption 20474
sha256WithRSAEncryption 330105
sha384WithRSAEncryption 167373
sha512WithRSAEncryption 57
Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 20448 3.7572
112 493575 90.6909
128 30216 5.552
Most popular root CAs Count Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 149876 27.5386
(2c543cd1) GeoTrust Global CA 82272 15.1169
(cbf06781) Go Daddy Root Certificate Authorit 46152 8.4801
(5ad8a5d6) GlobalSign Root CA 42046 7.7256
(b204d74a) VeriSign Class 3 Public Primary Ce 30585 5.6198
(eed8c118) COMODO ECC Certification Authority 30178 5.545
(244b5494) DigiCert High Assurance EV Root CA 21202 3.8957
(2e4eed3c) thawte Primary Root CA 17390 3.1953
(fc5a8f99) USERTrust RSA Certification Author 17354 3.1887
(2e5ac55d) DST Root CA X3 16492 3.0303
(653b494a) Baltimore CyberTrust Root 11315 2.079
(3513523f) DigiCert Global Root CA 10347 1.9012
(ae8153b9) StartCom Certification Authority 9044 1.6618
(4bfab552) Starfield Root Certificate Authori 9012 1.6559
(e2799e36) GeoTrust Primary Certification Aut 6148 1.1297
(480720ec) GeoTrust Primary Certification Aut 5775 1.0611
(02265526) Entrust Root Certification Authori 3969 0.7293
(ba89ed3b) thawte Primary Root CA - G3 3394 0.6236
(8096d0a9) Certification Authority of WoSign 2877 0.5286
(157753a5) AddTrust External CA Root 2782 0.5112
Most popular intermediate CA Count Percent
---------------------------------------------+---------+-------
(8d28ae65) COMODO RSA Domain Validation Secur 100923 18.5439
(27eb7704) Go Daddy Secure Certificate Author 46152 8.4801
(53f3e569) RapidSSL SHA256 CA - G3 40339 7.412
(6cfa716c) COMODO ECC Domain Validation Secur 30126 5.5354
(7d9c641e) Symantec Class 3 Secure Server CA 21662 3.9802
(1400f578) cPanel, Inc. Certification Authori 19580 3.5977
(38ae8eda) DigiCert SHA2 High Assurance Serve 17140 3.1494
(4f06f81d) Let's Encrypt Authority X3 16492 3.0303
(16744f0c) AlphaSSL CA - SHA256 - G2 16239 2.9838
(493a2f06) COMODO RSA Domain Validation Secur 13442 2.4699
(10310d4b) GeoTrust SSL CA - G3 13423 2.4664
(80ecc636) RapidSSL SHA256 CA 12795 2.351
(d7d634d4) GlobalSign Domain Validation CA - 11432 2.1005
(b85455c4) GlobalSign Organization Validation 11363 2.0879
(c43a77d9) COMODO RSA Organization Validation 11217 2.061
(85cf5865) DigiCert SHA2 Secure Server CA 10208 1.8756
(9ad474ec) thawte SSL CA - G2 9146 1.6805
(cd7781e5) Starfield Secure Certificate Autho 9012 1.6559
(d84ef247) GeoTrust DV SSL CA - G4 7163 1.3161
(a0f7ac3e) Symantec Class 3 EV SSL CA - G3 7144 1.3127
(3d97f5e2) Verizon Akamai SureServer CA G14-S 7025 1.2908
(fd917e82) SecureCore RSA DV CA 6995 1.2853
(b71a5f76) GeoTrust EV SSL CA - G4 5724 1.0517
(661c52cc) thawte DV SSL CA - G2 5368 0.9863
(e22cd3f0) COMODO RSA Extended Validation Sec 4365 0.802
(7f8496de) StartCom Class 1 DV Server CA 3678 0.6758
(45bfefc3) DigiCert SHA2 Extended Validation 3527 0.6481
(2835d715) Entrust Certification Authority - 3328 0.6115
(f131b364) RapidSSL CA 3180 0.5843
(98d7cad7) GeoTrust DV SSL CA - G3 3154 0.5795
Scan performed between 20th of July and 17th of August 2016
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
6 years, 8 months
- 1
- 0
TLS scan results for June 2016
by Hubert Kario
SSL/TLS survey of 593851 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)
Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 525961 88.5678
3DES Only 605 0.1019
3DES Preferred 1797 0.3026
3DES forced in TLS1.1+ 978 0.1647
AES 589255 99.2261
AES Only 43606 7.3429
AES-CBC 588687 99.1304
AES-CBC Only 5565 0.9371
AES-GCM 490658 82.6231
AES-GCM Only 520 0.0876
CAMELLIA 261701 44.0685
CAMELLIA Only 2 0.0003
CHACHA20 81256 13.6829
Insecure 56141 9.4537
RC4 166167 27.9813
RC4 Only 158 0.0266
RC4 Preferred 13843 2.3311
RC4 forced in TLS1.1+ 7176 1.2084
x:FF 29 3DES Only 654 0.1101
x:FF 29 3DES Preferred 2164 0.3644
x:FF 29 RC4 Only 233 0.0392
x:FF 29 RC4 Preferred 16139 2.7177
x:FF 29 incompatible 518 0.0872
x:FF 35 3DES Only 662 0.1115
x:FF 35 3DES Preferred 2094 0.3526
x:FF 35 RC4 Only 273 0.046
x:FF 35 RC4 Preferred 16162 2.7216
x:FF 35 incompatible 522 0.0879
x:FF 44 3DES Only 4368 0.7355
x:FF 44 3DES Preferred 8162 1.3744
x:FF 44 incompatible 795 0.1339
y:DHE-RSA-SEED-SHA 79533 13.3928
y:IDEA-CBC-SHA 76113 12.8169
y:SEED-SHA 90128 15.1769
z:ADH-AES128-GCM-SHA256 430 0.0724
z:ADH-AES128-SHA 771 0.1298
z:ADH-AES128-SHA256 268 0.0451
z:ADH-AES256-GCM-SHA384 444 0.0748
z:ADH-AES256-SHA 809 0.1362
z:ADH-AES256-SHA256 269 0.0453
z:ADH-CAMELLIA128-SHA 401 0.0675
z:ADH-CAMELLIA128-SHA256 1 0.0002
z:ADH-CAMELLIA256-SHA 424 0.0714
z:ADH-CAMELLIA256-SHA256 1 0.0002
z:ADH-DES-CBC-SHA 326 0.0549
z:ADH-DES-CBC3-SHA 781 0.1315
z:ADH-RC4-MD5 571 0.0962
z:ADH-SEED-SHA 322 0.0542
z:AECDH-AES128-SHA 10202 1.7179
z:AECDH-AES256-SHA 10261 1.7279
z:AECDH-DES-CBC3-SHA 10168 1.7122
z:AECDH-NULL-SHA 94 0.0158
z:AECDH-RC4-SHA 9605 1.6174
z:DES-CBC-MD5 6658 1.1212
z:DES-CBC-SHA 35044 5.9011
z:DES-CBC3-MD5 17074 2.8751
z:ECDHE-RSA-NULL-SHA 100 0.0168
z:EDH-RSA-DES-CBC-SHA 29995 5.0509
z:EXP-ADH-DES-CBC-SHA 181 0.0305
z:EXP-ADH-RC4-MD5 180 0.0303
z:EXP-DES-CBC-SHA 10901 1.8356
z:EXP-EDH-RSA-DES-CBC-SHA 8667 1.4595
z:EXP-RC2-CBC-MD5 13108 2.2073
z:EXP-RC4-MD5 13716 2.3097
z:EXP1024-DES-CBC-SHA 3463 0.5831
z:EXP1024-RC4-SHA 3524 0.5934
z:IDEA-CBC-MD5 1453 0.2447
z:NULL-MD5 233 0.0392
z:NULL-SHA 238 0.0401
z:NULL-SHA256 36 0.0061
z:RC2-CBC-MD5 6966 1.173
z:RC4-64-MD5 757 0.1275
Cipher ordering Count Percent
-------------------------+---------+-------
Client side 152565 25.6908
Server side 441286 74.3092
Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 979 0.1649
AECDH 10271 1.7296
DHE 320930 54.0422
ECDH 2 0.0003
ECDHE 517887 87.2082
ECDHE and DHE 274945 46.2987
RSA 509769 85.8412
Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 119481 20.1197 37.2296
DH,1028bits 1 0.0002 0.0003
DH,2048bits 188192 31.6901 58.6396
DH,2236bits 78 0.0131 0.0243
DH,2430bits 1 0.0002 0.0003
DH,2432bits 3 0.0005 0.0009
DH,2560bits 1 0.0002 0.0003
DH,3072bits 132 0.0222 0.0411
DH,3092bits 2 0.0003 0.0006
DH,3196bits 1 0.0002 0.0003
DH,4046bits 1 0.0002 0.0003
DH,4094bits 1 0.0002 0.0003
DH,4096bits 12637 2.128 3.9376
DH,512bits 108 0.0182 0.0337
DH,6144bits 1 0.0002 0.0003
DH,768bits 385 0.0648 0.12
DH,8192bits 8 0.0013 0.0025
ECDH,B-571,570bits 3072 0.5173 0.5932
ECDH,K-163,163bits 1 0.0002 0.0002
ECDH,P-192,192bits 60 0.0101 0.0116
ECDH,P-224,224bits 94 0.0158 0.0182
ECDH,P-256,256bits 490672 82.6254 94.745
ECDH,P-384,384bits 9474 1.5953 1.8294
ECDH,P-521,521bits 16461 2.7719 3.1785
ECDH,brainpoolP512r1,512bits 1 0.0002 0.0002
ECDH,secp256k1,256bits 1 0.0002 0.0002
Prefer DH,1024bits 45380 7.6416 14.1402
Prefer DH,2048bits 5635 0.9489 1.7558
Prefer DH,3072bits 8 0.0013 0.0025
Prefer DH,3092bits 2 0.0003 0.0006
Prefer DH,4096bits 398 0.067 0.124
Prefer DH,768bits 44 0.0074 0.0137
Prefer ECDH,B-571,570bits 2840 0.4782 0.5484
Prefer ECDH,K-163,163bits 1 0.0002 0.0002
Prefer ECDH,P-192,192bits 1 0.0002 0.0002
Prefer ECDH,P-224,224bits 92 0.0155 0.0178
Prefer ECDH,P-256,256bits 453139 76.3052 87.4977
Prefer ECDH,P-384,384bits 7350 1.2377 1.4192
Prefer ECDH,P-521,521bits 15215 2.5621 2.9379
Prefer ECDH,brainpoolP512r1,512bits 1 0.0002 0.0002
Prefer ECDH,secp256k1,256bits 1 0.0002 0.0002
Prefer PFS 530107 89.266 0
Support PFS 563872 94.9518 0
Supported ECC curves Count Percent
-------------------------+---------+--------
brainpoolP256r1 17814 2.9997
brainpoolP384r1 17827 3.0019
brainpoolP512r1 17836 3.0034
prime192v1 1799 0.3029
prime256v1 513258 86.4288
prime256v1 Only 427959 72.065
secp160k1 1678 0.2826
secp160r1 1688 0.2842
secp160r2 1678 0.2826
secp192k1 1693 0.2851
secp224k1 1780 0.2997
secp224r1 5748 0.9679
secp256k1 20085 3.3822
secp384r1 88954 14.9792
secp384r1 Only 3672 0.6183
secp521r1 50953 8.5801
secp521r1 Only 140 0.0236
sect163k1 1684 0.2836
sect163k1 Only 2 0.0003
sect163r1 1682 0.2832
sect163r2 1681 0.2831
sect193r1 1681 0.2831
sect193r2 1681 0.2831
sect233k1 1770 0.2981
sect233r1 1768 0.2977
sect239k1 1768 0.2977
sect283k1 19394 3.2658
sect283r1 19392 3.2655
sect409k1 19395 3.266
sect409r1 19391 3.2653
sect571k1 19395 3.266
sect571r1 19395 3.266
Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 56371 9.4924
True 391090 65.8566
order-specific 45 0.0076
unknown 146345 24.6434
ECC curve ordering Count Percent
-------------------------+---------+--------
client 13249 2.231
inconclusive-noecc 8 0.0013
server 503853 84.845
unknown 76741 12.9226
TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 53286 8.973
ECDSA-SHA1 Only 8 0.0013
ECDSA-SHA224 53248 8.9666
ECDSA-SHA256 71063 11.9665
ECDSA-SHA384 71064 11.9666
ECDSA-SHA512 71074 11.9683
ECDSA-SHA512 Only 16 0.0027
RSA-MD5 27142 4.5705
RSA-SHA1 447072 75.2835
RSA-SHA1 Only 34046 5.7331
RSA-SHA224 371135 62.4963
RSA-SHA256 422358 71.1219
RSA-SHA256 Only 8044 1.3545
RSA-SHA384 383992 64.6613
RSA-SHA384 Only 4 0.0007
RSA-SHA512 384022 64.6664
RSA-SHA512 Only 209 0.0352
TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 280809 47.2861
indeterminate 54 0.0091
intolerant 6465 1.0887
order-fallback 8 0.0013
server 220388 37.1117
unsupported 15018 2.5289
TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 53230 8.9635
ECDSA intolerant 189 0.0318
ECDSA pfs-rsa-SHA512 17719 2.9837
ECDSA soft-nopfs 7 0.0012
RSA False 26845 4.5205
RSA SHA1 386610 65.1022
RSA intolerant 43313 7.2936
RSA pfs-ecdsa-SHA512 27 0.0045
RSA soft-nopfs 474 0.0798
Renegotiation Count Percent
-------------------------+---------+--------
False 4962 0.8356
insecure 16550 2.7869
secure 572339 96.3775
Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 7077 1.1917
False 4962 0.8356
NONE 581812 97.9727
TLS session ticket hint Count Percent
-------------------------+---------+--------
1 2 0.0003
1 only 2 0.0003
2 1 0.0002
2 only 1 0.0002
5 5 0.0008
5 only 5 0.0008
10 8 0.0013
10 only 8 0.0013
15 8 0.0013
15 only 8 0.0013
30 25 0.0042
30 only 25 0.0042
60 166 0.028
60 only 161 0.0271
65 2 0.0003
65 only 2 0.0003
70 8 0.0013
70 only 8 0.0013
75 1 0.0002
75 only 1 0.0002
90 1 0.0002
90 only 1 0.0002
100 16 0.0027
100 only 16 0.0027
120 27 0.0045
120 only 27 0.0045
128 6 0.001
128 only 6 0.001
150 2 0.0003
180 78 0.0131
180 only 74 0.0125
240 14 0.0024
240 only 14 0.0024
244 2 0.0003
244 only 2 0.0003
300 298609 50.2835
300 only 295255 49.7187
302 2 0.0003
302 only 2 0.0003
360 3 0.0005
360 only 2 0.0003
400 6 0.001
400 only 6 0.001
420 129 0.0217
420 only 111 0.0187
450 1 0.0002
450 only 1 0.0002
480 11 0.0019
480 only 11 0.0019
500 3 0.0005
500 only 3 0.0005
540 4 0.0007
540 only 4 0.0007
600 28678 4.8292
600 only 28547 4.8071
660 1 0.0002
660 only 1 0.0002
700 1 0.0002
700 only 1 0.0002
720 3 0.0005
720 only 3 0.0005
840 2 0.0003
840 only 2 0.0003
900 1532 0.258
900 only 1515 0.2551
960 3 0.0005
960 only 3 0.0005
1000 1 0.0002
1000 only 1 0.0002
1200 3512 0.5914
1200 only 3508 0.5907
1210 2 0.0003
1210 only 2 0.0003
1320 1 0.0002
1320 only 1 0.0002
1380 1 0.0002
1380 only 1 0.0002
1440 1 0.0002
1440 only 1 0.0002
1500 6 0.001
1500 only 5 0.0008
1800 751 0.1265
1800 only 734 0.1236
1980 2 0.0003
1980 only 2 0.0003
2100 2 0.0003
2100 only 1 0.0002
2400 10 0.0017
2400 only 10 0.0017
2700 11 0.0019
2700 only 11 0.0019
3000 42 0.0071
3000 only 42 0.0071
3300 1 0.0002
3300 only 1 0.0002
3600 1079 0.1817
3600 only 1070 0.1802
3900 1 0.0002
3900 only 1 0.0002
4200 1 0.0002
4500 1 0.0002
4500 only 1 0.0002
5160 1 0.0002
5160 only 1 0.0002
5400 19 0.0032
5400 only 6 0.001
6000 352 0.0593
6000 only 352 0.0593
7200 15154 2.5518
7200 only 15130 2.5478
9000 2 0.0003
9000 only 2 0.0003
10800 5334 0.8982
10800 only 5324 0.8965
14400 116 0.0195
14400 only 116 0.0195
18000 9 0.0015
18000 only 9 0.0015
21600 4287 0.7219
21600 only 4286 0.7217
25200 1 0.0002
25200 only 1 0.0002
28800 2555 0.4302
28800 only 2555 0.4302
30000 3 0.0005
30000 only 1 0.0002
36000 1220 0.2054
36000 only 1209 0.2036
43200 65 0.0109
43200 only 65 0.0109
54000 1 0.0002
54000 only 1 0.0002
54647 1 0.0002
54660 1 0.0002
54674 1 0.0002
54690 1 0.0002
54703 1 0.0002
54722 1 0.0002
54737 1 0.0002
54751 1 0.0002
60000 2 0.0003
60000 only 2 0.0003
64800 70759 11.9153
64800 only 70736 11.9114
72000 12 0.002
72000 only 12 0.002
79200 1 0.0002
79200 only 1 0.0002
86400 2990 0.5035
86400 only 2984 0.5025
100800 9026 1.5199
100800 only 9015 1.5181
108000 1 0.0002
108000 only 1 0.0002
115200 1 0.0002
115200 only 1 0.0002
129600 6 0.001
129600 only 6 0.001
172800 47 0.0079
172800 only 47 0.0079
216000 4 0.0007
216000 only 3 0.0005
259200 2 0.0003
259200 only 2 0.0003
432000 1 0.0002
432000 only 1 0.0002
604800 1 0.0002
604800 only 1 0.0002
864000 2 0.0003
864000 only 2 0.0003
7776000 1 0.0002
7776000 only 1 0.0002
None 150742 25.3838
None only 147105 24.7714
Certificate sig alg Count Percent
-------------------------+---------+--------
None 10920 1.8388
ecdsa-with-SHA256 68463 11.5286
sha1WithRSAEncryption 21372 3.5989
sha256WithRSAEncryption 521742 87.8574
sha384WithRSAEncryption 8 0.0013
sha512WithRSAEncryption 69 0.0116
Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 71108 11.974
ECDSA 384 38 0.0064
ECDSA 521 1 0.0002
RSA 1024 15 0.0025
RSA 2048 511834 86.189
RSA 2049 3 0.0005
RSA 2056 1 0.0002
RSA 2058 3 0.0005
RSA 2059 1 0.0002
RSA 2080 6 0.001
RSA 2084 2 0.0003
RSA 2086 1 0.0002
RSA 2096 3 0.0005
RSA 2408 1 0.0002
RSA 2432 3 0.0005
RSA 2560 1 0.0002
RSA 2948 1 0.0002
RSA 3072 163 0.0274
RSA 3073 1 0.0002
RSA 3096 2 0.0003
RSA 3248 3 0.0005
RSA 4048 4 0.0007
RSA 4056 18 0.003
RSA 4069 1 0.0002
RSA 4086 4 0.0007
RSA 4092 2 0.0003
RSA 4094 1 0.0002
RSA 4095 1 0.0002
RSA 4096 30991 5.2186
RSA 4196 1 0.0002
RSA 8192 10 0.0017
RSA 8392 1 0.0002
RSA/ECDSA Dual Stack 20358 3.4281
OCSP stapling Count Percent
-------------------------+---------+--------
Supported 126688 21.3333
Unsupported 467163 78.6667
Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 17236 2.9024
SSL2 Only 12 0.002
SSL3 99629 16.7768
SSL3 Only 497 0.0837
SSL3 or TLS1 Only 52946 8.9157
SSL3 or lower Only 505 0.085
TLS1 582034 98.0101
TLS1 Only 32797 5.5228
TLS1 or lower Only 68913 11.6044
TLS1.1 515189 86.7539
TLS1.1 Only 42 0.0071
TLS1.1 or up Only 11134 1.8749
TLS1.2 522729 88.0236
TLS1.2 Only 3290 0.554
TLS1.2, 1.0 but not 1.1 5865 0.9876
Statistics from 628845 chains provided by 728648 hosts
Server provided chains Count Percent
-------------------------+---------+-------
complete 570337 78.2733
incomplete 21286 2.9213
untrusted 137025 18.8054
Trusted chain statistics
========================
Chain length Count Percent
-------------------------+---------+-------
2 1 0.0002
3 625155 99.4132
4 3676 0.5846
5 13 0.0021
CA key size in chains Count
-------------------------+---------
ECDSA 256 68458
ECDSA 384 68457
RSA 1024 8
RSA 2045 2
RSA 2048 927971
RSA 4096 196495
Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 68458 10.8863
ECDSA 384 68456 10.886
RSA 1024 6 0.001
RSA 2045 2 0.0003
RSA 2048 559959 89.0456
RSA 4096 195838 31.1425
Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 68447
sha1WithRSAEncryption 24541
sha256WithRSAEncryption 363378
sha384WithRSAEncryption 176120
sha512WithRSAEncryption 60
Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 24524 3.8998
112 535845 85.211
128 68476 10.8892
Most popular root CAs Count Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 158376 25.1852
(2c543cd1) GeoTrust Global CA 95542 15.1933
(eed8c118) COMODO ECC Certification Authority 68438 10.8831
(cbf06781) Go Daddy Root Certificate Authorit 49514 7.8738
(5ad8a5d6) GlobalSign Root CA 48382 7.6938
(b204d74a) VeriSign Class 3 Public Primary Ce 32086 5.1024
(2e5ac55d) DST Root CA X3 26043 4.1414
(244b5494) DigiCert High Assurance EV Root CA 20408 3.2453
(2e4eed3c) thawte Primary Root CA 19033 3.0267
(fc5a8f99) USERTrust RSA Certification Author 17598 2.7985
(653b494a) Baltimore CyberTrust Root 11671 1.8559
(3513523f) DigiCert Global Root CA 10585 1.6832
(ae8153b9) StartCom Certification Authority 9453 1.5032
(4bfab552) Starfield Root Certificate Authori 8502 1.352
Scan performed between 19th of June and 6th of July 2016
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
6 years, 8 months
- 1
- 0
TLS scan results for May 2016
by Hubert Kario
SSL/TLS survey of 588324 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)
Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 521557 88.6513
3DES Only 618 0.105
3DES Preferred 1789 0.3041
3DES forced in TLS1.1+ 964 0.1639
AES 583623 99.201
AES Only 42928 7.2967
AES-CBC 583065 99.1061
AES-CBC Only 6504 1.1055
AES-GCM 482505 82.0135
AES-GCM Only 514 0.0874
CAMELLIA 258710 43.9741
CAMELLIA Only 3 0.0005
CHACHA20 80738 13.7234
CHACHA20 Only 4 0.0007
Insecure 56788 9.6525
RC4 168525 28.6449
RC4 Only 166 0.0282
RC4 Preferred 14971 2.5447
RC4 forced in TLS1.1+ 8083 1.3739
x:FF 29 3DES Only 661 0.1124
x:FF 29 3DES Preferred 2145 0.3646
x:FF 29 RC4 Only 245 0.0416
x:FF 29 RC4 Preferred 16797 2.8551
x:FF 29 incompatible 506 0.086
x:FF 35 3DES Only 669 0.1137
x:FF 35 3DES Preferred 2073 0.3524
x:FF 35 RC4 Only 285 0.0484
x:FF 35 RC4 Preferred 16818 2.8586
x:FF 35 incompatible 510 0.0867
x:FF 44 3DES Only 4449 0.7562
x:FF 44 3DES Preferred 8286 1.4084
x:FF 44 incompatible 795 0.1351
y:DHE-RSA-SEED-SHA 79291 13.4774
y:IDEA-CBC-SHA 75311 12.8009
y:SEED-SHA 89316 15.1814
z:ADH-AES128-GCM-SHA256 414 0.0704
z:ADH-AES128-SHA 763 0.1297
z:ADH-AES128-SHA256 275 0.0467
z:ADH-AES256-GCM-SHA384 425 0.0722
z:ADH-AES256-SHA 792 0.1346
z:ADH-AES256-SHA256 275 0.0467
z:ADH-CAMELLIA128-SHA 406 0.069
z:ADH-CAMELLIA128-SHA256 1 0.0002
z:ADH-CAMELLIA256-SHA 423 0.0719
z:ADH-CAMELLIA256-SHA256 1 0.0002
z:ADH-DES-CBC-SHA 338 0.0575
z:ADH-DES-CBC3-SHA 773 0.1314
z:ADH-RC4-MD5 578 0.0982
z:ADH-SEED-SHA 332 0.0564
z:AECDH-AES128-SHA 10505 1.7856
z:AECDH-AES256-SHA 10564 1.7956
z:AECDH-DES-CBC3-SHA 10475 1.7805
z:AECDH-NULL-SHA 91 0.0155
z:AECDH-RC4-SHA 9925 1.687
z:DES-CBC-MD5 6864 1.1667
z:DES-CBC-SHA 35454 6.0263
z:DES-CBC3-MD5 17200 2.9236
z:ECDHE-RSA-NULL-SHA 98 0.0167
z:EDH-RSA-DES-CBC-SHA 30414 5.1696
z:EXP-ADH-DES-CBC-SHA 188 0.032
z:EXP-ADH-RC4-MD5 186 0.0316
z:EXP-DES-CBC-SHA 11293 1.9195
z:EXP-EDH-RSA-DES-CBC-SHA 8983 1.5269
z:EXP-RC2-CBC-MD5 13517 2.2975
z:EXP-RC4-MD5 14150 2.4051
z:EXP1024-DES-CBC-SHA 3580 0.6085
z:EXP1024-RC4-SHA 3641 0.6189
z:IDEA-CBC-MD5 1486 0.2526
z:NULL-MD5 239 0.0406
z:NULL-SHA 242 0.0411
z:NULL-SHA256 33 0.0056
z:RC2-CBC-MD5 7118 1.2099
z:RC4-64-MD5 762 0.1295
Cipher ordering Count Percent
-------------------------+---------+-------
Client side 151229 25.7051
Server side 437095 74.2949
Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 941 0.1599
AECDH 10576 1.7976
DHE 319231 54.2611
ECDH 2 0.0003
ECDHE 509684 86.6332
ECDHE and DHE 272378 46.2973
RSA 505946 85.9979
Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 122627 20.8434 38.4132
DH,2048bits 183782 31.2382 57.5702
DH,2236bits 92 0.0156 0.0288
DH,2430bits 1 0.0002 0.0003
DH,2432bits 3 0.0005 0.0009
DH,2560bits 1 0.0002 0.0003
DH,3072bits 122 0.0207 0.0382
DH,3092bits 2 0.0003 0.0006
DH,3196bits 1 0.0002 0.0003
DH,4094bits 1 0.0002 0.0003
DH,4096bits 12216 2.0764 3.8267
DH,512bits 91 0.0155 0.0285
DH,6144bits 1 0.0002 0.0003
DH,768bits 384 0.0653 0.1203
DH,8192bits 9 0.0015 0.0028
ECDH,B-571,570bits 2788 0.4739 0.547
ECDH,K-163,163bits 1 0.0002 0.0002
ECDH,P-192,192bits 39 0.0066 0.0077
ECDH,P-224,224bits 92 0.0156 0.0181
ECDH,P-256,256bits 484945 82.4282 95.1462
ECDH,P-384,384bits 8059 1.3698 1.5812
ECDH,P-521,521bits 15676 2.6645 3.0756
ECDH,brainpoolP512r1,512bits 1 0.0002 0.0002
Prefer DH,1024bits 46364 7.8807 14.5237
Prefer DH,2048bits 5558 0.9447 1.7411
Prefer DH,3072bits 11 0.0019 0.0034
Prefer DH,4096bits 389 0.0661 0.1219
Prefer DH,768bits 45 0.0076 0.0141
Prefer ECDH,B-571,570bits 2562 0.4355 0.5027
Prefer ECDH,K-163,163bits 1 0.0002 0.0002
Prefer ECDH,P-192,192bits 1 0.0002 0.0002
Prefer ECDH,P-224,224bits 89 0.0151 0.0175
Prefer ECDH,P-256,256bits 446551 75.9022 87.6133
Prefer ECDH,P-384,384bits 6159 1.0469 1.2084
Prefer ECDH,P-521,521bits 14444 2.4551 2.8339
Prefer ECDH,brainpoolP512r1,512bits 1 0.0002 0.0002
Prefer PFS 522175 88.7564 0
Support PFS 556537 94.597 0
Supported ECC curves Count Percent
-------------------------+---------+--------
brainpoolP256r1 15666 2.6628
brainpoolP384r1 15673 2.664
brainpoolP512r1 15677 2.6647
prime192v1 1721 0.2925
prime256v1 505771 85.9681
prime256v1 Only 424806 72.2061
secp160k1 1634 0.2777
secp160r1 1641 0.2789
secp160r2 1633 0.2776
secp192k1 1647 0.2799
secp224k1 1732 0.2944
secp224r1 5585 0.9493
secp256k1 17871 3.0376
secp384r1 83624 14.2139
secp384r1 Only 2663 0.4526
secp521r1 47374 8.0524
secp521r1 Only 142 0.0241
sect163k1 1637 0.2782
sect163r1 1636 0.2781
sect163r2 1637 0.2782
sect193r1 1636 0.2781
sect193r2 1636 0.2781
sect233k1 1728 0.2937
sect233r1 1725 0.2932
sect239k1 1721 0.2925
sect283k1 17205 2.9244
sect283r1 17203 2.9241
sect409k1 17203 2.9241
sect409r1 17200 2.9236
sect571k1 17204 2.9242
sect571r1 17205 2.9244
Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 56188 9.5505
True 384116 65.2899
order-specific 30 0.0051
unknown 147990 25.1545
ECC curve ordering Count Percent
-------------------------+---------+--------
client 12072 2.0519
inconclusive-noecc 8 0.0014
server 496534 84.3981
unknown 79710 13.5487
TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 53235 9.0486
ECDSA-SHA1 Only 7 0.0012
ECDSA-SHA224 53208 9.044
ECDSA-SHA256 70734 12.023
ECDSA-SHA384 70725 12.0214
ECDSA-SHA512 70735 12.0231
ECDSA-SHA512 Only 16 0.0027
RSA-MD5 32419 5.5104
RSA-SHA1 439804 74.7554
RSA-SHA1 Only 34182 5.8101
RSA-SHA224 364514 61.958
RSA-SHA256 414576 70.4673
RSA-SHA256 Only 7888 1.3408
RSA-SHA384 377143 64.1046
RSA-SHA384 Only 4 0.0007
RSA-SHA512 377071 64.0924
RSA-SHA512 Only 85 0.0144
TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 276407 46.9821
indeterminate 52 0.0088
intolerant 6076 1.0328
order-fallback 9 0.0015
server 217108 36.9028
unsupported 15976 2.7155
TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 53190 9.0409
ECDSA intolerant 134 0.0228
ECDSA pfs-rsa-SHA512 17450 2.9661
ECDSA soft-nopfs 9 0.0015
RSA False 32115 5.4587
RSA SHA1 374923 63.7273
RSA intolerant 41684 7.0852
RSA pfs-ecdsa-SHA512 26 0.0044
RSA soft-nopfs 481 0.0818
Renegotiation Count Percent
-------------------------+---------+--------
False 5021 0.8534
insecure 16740 2.8454
secure 566563 96.3012
Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 7345 1.2485
False 5021 0.8534
NONE 575958 97.8981
TLS session ticket hint Count Percent
-------------------------+---------+--------
1 2 0.0003
1 only 2 0.0003
2 1 0.0002
2 only 1 0.0002
5 9 0.0015
5 only 9 0.0015
10 8 0.0014
10 only 8 0.0014
15 7 0.0012
15 only 7 0.0012
30 24 0.0041
30 only 24 0.0041
60 159 0.027
60 only 151 0.0257
65 2 0.0003
65 only 2 0.0003
70 8 0.0014
70 only 7 0.0012
75 1 0.0002
75 only 1 0.0002
90 1 0.0002
90 only 1 0.0002
100 15 0.0025
100 only 15 0.0025
120 24 0.0041
120 only 24 0.0041
128 6 0.001
128 only 5 0.0008
150 2 0.0003
180 72 0.0122
180 only 70 0.0119
240 13 0.0022
240 only 13 0.0022
244 2 0.0003
244 only 2 0.0003
300 294538 50.0639
300 only 291166 49.4908
302 2 0.0003
302 only 2 0.0003
360 3 0.0005
360 only 2 0.0003
400 4 0.0007
400 only 4 0.0007
420 133 0.0226
420 only 113 0.0192
480 11 0.0019
480 only 10 0.0017
500 3 0.0005
500 only 3 0.0005
540 4 0.0007
540 only 4 0.0007
600 28048 4.7674
600 only 27923 4.7462
700 3 0.0005
700 only 3 0.0005
840 2 0.0003
840 only 2 0.0003
900 1508 0.2563
900 only 1487 0.2528
960 4 0.0007
960 only 4 0.0007
1000 1 0.0002
1000 only 1 0.0002
1200 3403 0.5784
1200 only 3400 0.5779
1210 2 0.0003
1210 only 2 0.0003
1320 1 0.0002
1320 only 1 0.0002
1380 1 0.0002
1380 only 1 0.0002
1440 1 0.0002
1440 only 1 0.0002
1500 7 0.0012
1500 only 6 0.001
1800 698 0.1186
1800 only 680 0.1156
1980 2 0.0003
1980 only 2 0.0003
2100 2 0.0003
2100 only 1 0.0002
2160 1 0.0002
2160 only 1 0.0002
2400 9 0.0015
2400 only 9 0.0015
2700 10 0.0017
2700 only 10 0.0017
3000 38 0.0065
3000 only 38 0.0065
3300 1 0.0002
3300 only 1 0.0002
3600 1035 0.1759
3600 only 1024 0.1741
3900 2 0.0003
3900 only 2 0.0003
4200 1 0.0002
4500 1 0.0002
4500 only 1 0.0002
5160 1 0.0002
5160 only 1 0.0002
5400 22 0.0037
5400 only 6 0.001
6000 345 0.0586
6000 only 345 0.0586
7200 15012 2.5517
7200 only 14995 2.5488
8100 1 0.0002
8100 only 1 0.0002
9000 2 0.0003
9000 only 2 0.0003
10800 5061 0.8602
10800 only 5045 0.8575
14400 106 0.018
14400 only 106 0.018
18000 11 0.0019
18000 only 11 0.0019
21600 4326 0.7353
21600 only 4324 0.735
25200 1 0.0002
25200 only 1 0.0002
28800 2688 0.4569
28800 only 2688 0.4569
30000 3 0.0005
30000 only 1 0.0002
36000 1246 0.2118
36000 only 1240 0.2108
43200 61 0.0104
43200 only 61 0.0104
54000 1 0.0002
54000 only 1 0.0002
60000 2 0.0003
60000 only 2 0.0003
64800 70216 11.9349
64800 only 70188 11.9302
72000 12 0.002
72000 only 12 0.002
79200 1 0.0002
79200 only 1 0.0002
86400 2835 0.4819
86400 only 2826 0.4803
100800 9392 1.5964
100800 only 9375 1.5935
108000 1 0.0002
108000 only 1 0.0002
115200 1 0.0002
115200 only 1 0.0002
129600 7 0.0012
129600 only 7 0.0012
172800 55 0.0093
172800 only 55 0.0093
216000 4 0.0007
216000 only 4 0.0007
259200 3 0.0005
259200 only 3 0.0005
432000 1 0.0002
432000 only 1 0.0002
604800 1 0.0002
864000 3 0.0005
864000 only 3 0.0005
7776000 1 0.0002
7776000 only 1 0.0002
None 150759 25.6252
None only 147078 24.9995
Certificate sig alg Count Percent
-------------------------+---------+--------
None 11191 1.9022
ecdsa-with-SHA256 67977 11.5543
sha1WithRSAEncryption 23775 4.0411
sha256WithRSAEncryption 514022 87.3706
sha384WithRSAEncryption 8 0.0014
sha512WithRSAEncryption 67 0.0114
Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 70749 12.0255
ECDSA 384 34 0.0058
ECDSA 521 1 0.0002
RSA 1024 17 0.0029
RSA 2048 507589 86.2771
RSA 2049 2 0.0003
RSA 2056 1 0.0002
RSA 2058 3 0.0005
RSA 2059 1 0.0002
RSA 2084 1 0.0002
RSA 2086 1 0.0002
RSA 2096 3 0.0005
RSA 2408 1 0.0002
RSA 2432 2 0.0003
RSA 2560 1 0.0002
RSA 2948 1 0.0002
RSA 3072 156 0.0265
RSA 3073 1 0.0002
RSA 3096 2 0.0003
RSA 3248 2 0.0003
RSA 4048 4 0.0007
RSA 4056 16 0.0027
RSA 4069 1 0.0002
RSA 4086 3 0.0005
RSA 4092 2 0.0003
RSA 4094 1 0.0002
RSA 4095 1 0.0002
RSA 4096 29945 5.0899
RSA 4196 1 0.0002
RSA 8192 11 0.0019
RSA 8392 1 0.0002
RSA/ECDSA Dual Stack 20215 3.436
OCSP stapling Count Percent
-------------------------+---------+--------
Supported 127611 21.6906
Unsupported 460713 78.3094
Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 17372 2.9528
SSL2 Only 13 0.0022
SSL3 102349 17.3967
SSL3 Only 1020 0.1734
SSL3 or TLS1 Only 54445 9.2543
SSL3 or lower Only 1028 0.1747
TLS1 576797 98.0407
TLS1 Only 33030 5.6143
TLS1 or lower Only 70001 11.8984
TLS1.1 507108 86.1954
TLS1.1 Only 42 0.0071
TLS1.1 or up Only 10330 1.7558
TLS1.2 515617 87.6417
TLS1.2 Only 3098 0.5266
TLS1.2, 1.0 but not 1.1 7000 1.1898
Statistics from 622291 chains provided by 724741 hosts
Server provided chains Count Percent
-------------------------+---------+-------
complete 563959 77.8152
incomplete 21088 2.9097
untrusted 139694 19.275
Trusted chain statistics
========================
Chain length Count Percent
-------------------------+---------+-------
2 2 0.0003
3 618971 99.4665
4 3305 0.5311
5 13 0.0021
CA key size in chains Count
-------------------------+---------
ECDSA 256 67969
ECDSA 384 67967
RSA 1024 10
RSA 2045 2
RSA 2048 918447
RSA 4096 193516
Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 67969 10.9224
ECDSA 384 67967 10.9221
RSA 1024 8 0.0013
RSA 2045 2 0.0003
RSA 2048 553908 89.0111
RSA 4096 192863 30.9924
Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 67958
sha1WithRSAEncryption 27126
sha256WithRSAEncryption 356410
sha384WithRSAEncryption 174062
sha512WithRSAEncryption 64
Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 27123 4.3586
112 527185 84.7168
128 67983 10.9246
Most common root CAs Count Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 156327 25.1212
(2c543cd1) GeoTrust Global CA 97389 15.6501
(eed8c118) COMODO ECC Certification Authority 67950 10.9193
(5ad8a5d6) GlobalSign Root CA 54936 8.828
(cbf06781) Go Daddy Root Certificate Authorit 48751 7.8341
(b204d74a) VeriSign Class 3 Public Primary Ce 32016 5.1449
(244b5494) DigiCert High Assurance EV Root CA 19865 3.1922
(2e4eed3c) thawte Primary Root CA 18906 3.0381
(fc5a8f99) USERTrust RSA Certification Author 17597 2.8278
(2e5ac55d) DST Root CA X3 17594 2.8273
(653b494a) Baltimore CyberTrust Root 11729 1.8848
(3513523f) DigiCert Global Root CA 10305 1.656
(ae8153b9) StartCom Certification Authority 9737 1.5647
(4bfab552) Starfield Root Certificate Authori 8211 1.3195
Scan performed between 30th of May and 18th of June 2016
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
6 years, 8 months
- 1
- 0
cipherscan
by cla@danskebank.dk
Hi,
Are you still using https://github.com/tomato42/cipherscan as-is or have you modified it?
Thanks,
Martin
6 years, 9 months
- 1
- 0
- ← Newer
- 1
- Older →