On Fri, 2014-04-25 at 10:34 -0400, Hubert Kario wrote:

Hi,

I went and extended the scanning script from
https://jve.linuxwall.info/blog/index.php?post/TLS_Survey
and performed the same scan again.

The most important change is that I also captured the information
about the certificate used by the server (both the key size, signature
and if it links to trust anchors we distribute in F19). That makes
the cohort significantly different (my 305280 valid servers vs
Julien Vehent's 451470 SSL-enabled servers).

The results are both good and bad.

The bad:
1. Over 10% of servers prefer RC4 with TLS1.1 or TLS1.2 (!!)
2. 1.77% of servers support only RC4 (which is an increase from
Julien's scan result of 1.5%)
3. Nearly 20% of servers prefer RC4
4. There are still servers that support *only* SSLv2
5. Nearly 95% of servers have certificates signed with SHA-1
6. Over 30% of servers prefer PFS with 1024 bit DH params
7. 15% of servers enable export suites
8. 19% enable single DES suites
9. 3% of servers support only 3DES ciphers

The good:
1. There are no servers with valid certificates and <1024 bit RSA keys
2. While there are quite a few servers that use 768bit or 512bit DH
(about 0.2%) very few of them actually prefer them (0.023%)
3. There are no servers with certificates with MD5 signatures
4. Nearly 50% of servers support TLS1.1 or greater
5. Over 99% of servers use at least 2047 bit RSA certificates

Note that the results do not include results from SNI-only servers.
Also, for some reason Google servers like YouTube don't present ECDSA
certificates to the script.

Very nice work.

SSL/TLS survey of 305280 websites from Alexa's top 0.97 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)
RC4 Only 5418 1.7748

That's pretty interesting. The question is now how important is that RC4
only segment. Is that percentage significant enough to revise having RC4
in the "default" crypto profile set?

btw. I've put the policy generation code in:
https://git.fedorahosted.org/git/crypto-profiles.git
It currently generates policies for gnutls (in rawhide) and for openssl
(which will support that in rawhide). NSS should follow, hopefully,
before the F21 release (patches are available but are not upstream yet).

regards,
Nikos