SSL/TLS survey of 551637 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)
Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 484308 87.7947
3DES Only 592 0.1073
3DES Preferred 1803 0.3268
3DES forced in TLS1.1+ 945 0.1713
AES 546565 99.0806
AES Only 43629 7.909
AES-CBC 546039 98.9852
AES-CBC Only 8757 1.5875
AES-GCM 442034 80.1313
AES-GCM Only 490 0.0888
CAMELLIA 235037 42.6072
CAMELLIA Only 3 0.0005
CHACHA20 74906 13.5789
CHACHA20 Only 1 0.0002
Insecure 53675 9.7301
RC4 165105 29.93
RC4 Only 189 0.0343
RC4 Preferred 16635 3.0156
RC4 forced in TLS1.1+ 8955 1.6234
x:FF 29 3DES Only 637 0.1155
x:FF 29 3DES Preferred 2172 0.3937
x:FF 29 RC4 Only 263 0.0477
x:FF 29 RC4 Preferred 18392 3.3341
x:FF 29 incompatible 389 0.0705
x:FF 35 3DES Only 644 0.1167
x:FF 35 3DES Preferred 2079 0.3769
x:FF 35 RC4 Only 313 0.0567
x:FF 35 RC4 Preferred 18423 3.3397
x:FF 35 incompatible 393 0.0712
x:FF 44 3DES Only 4780 0.8665
x:FF 44 3DES Preferred 8693 1.5759
x:FF 44 incompatible 706 0.128
y:DHE-RSA-SEED-SHA 69733 12.6411
y:IDEA-CBC-SHA 66812 12.1116
y:SEED-SHA 80215 14.5413
z:ADH-AES128-GCM-SHA256 415 0.0752
z:ADH-AES128-SHA 692 0.1254
z:ADH-AES128-SHA256 283 0.0513
z:ADH-AES256-GCM-SHA384 428 0.0776
z:ADH-AES256-SHA 704 0.1276
z:ADH-AES256-SHA256 283 0.0513
z:ADH-CAMELLIA128-SHA 365 0.0662
z:ADH-CAMELLIA256-SHA 368 0.0667
z:ADH-DES-CBC-SHA 279 0.0506
z:ADH-DES-CBC3-SHA 707 0.1282
z:ADH-RC4-MD5 522 0.0946
z:ADH-SEED-SHA 294 0.0533
z:AECDH-AES128-SHA 8357 1.5149
z:AECDH-AES256-SHA 8387 1.5204
z:AECDH-DES-CBC3-SHA 8323 1.5088
z:AECDH-NULL-SHA 56 0.0102
z:AECDH-RC4-SHA 7767 1.408
z:DES-CBC-MD5 7631 1.3833
z:DES-CBC-SHA 34001 6.1637
z:DES-CBC3-MD5 18130 3.2866
z:ECDHE-RSA-NULL-SHA 63 0.0114
z:EDH-RSA-DES-CBC-SHA 28894 5.2379
z:EXP-ADH-DES-CBC-SHA 182 0.033
z:EXP-ADH-RC4-MD5 181 0.0328
z:EXP-DES-CBC-SHA 11397 2.066
z:EXP-EDH-RSA-DES-CBC-SHA 8988 1.6293
z:EXP-RC2-CBC-MD5 13770 2.4962
z:EXP-RC4-MD5 14407 2.6117
z:EXP1024-DES-CBC-SHA 3787 0.6865
z:EXP1024-RC4-SHA 3834 0.695
z:IDEA-CBC-MD5 1577 0.2859
z:NULL-MD5 182 0.033
z:NULL-SHA 189 0.0343
z:NULL-SHA256 43 0.0078
z:RC2-CBC-MD5 7791 1.4123
z:RC4-64-MD5 776 0.1407
Cipher ordering Count Percent
-------------------------+---------+-------
Client side 133547 24.2092
Server side 418090 75.7908
Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 857 0.1554
AECDH 8405 1.5236
DHE 295868 53.6345
ECDH 2 0.0004
ECDHE 469045 85.0278
ECDHE and DHE 247197 44.8115
RSA 474406 85.9997
Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 118316 21.4482 39.9895
DH,1536bits 1 0.0002 0.0003
DH,2048bits 166870 30.25 56.4002
DH,2236bits 65 0.0118 0.022
DH,2432bits 3 0.0005 0.001
DH,3072bits 115 0.0208 0.0389
DH,3092bits 1 0.0002 0.0003
DH,4046bits 1 0.0002 0.0003
DH,4094bits 1 0.0002 0.0003
DH,4096bits 10250 1.8581 3.4644
DH,512bits 57 0.0103 0.0193
DH,768bits 352 0.0638 0.119
DH,8192bits 10 0.0018 0.0034
ECDH,B-571,570bits 2139 0.3878 0.456
ECDH,K-163,163bits 1 0.0002 0.0002
ECDH,P-192,192bits 20 0.0036 0.0043
ECDH,P-224,224bits 90 0.0163 0.0192
ECDH,P-256,256bits 450911 81.7405 96.1338
ECDH,P-384,384bits 5288 0.9586 1.1274
ECDH,P-521,521bits 12472 2.2609 2.659
Prefer DH,1024bits 46513 8.4318 15.7209
Prefer DH,1536bits 1 0.0002 0.0003
Prefer DH,2048bits 5993 1.0864 2.0256
Prefer DH,3072bits 10 0.0018 0.0034
Prefer DH,4096bits 386 0.07 0.1305
Prefer DH,768bits 37 0.0067 0.0125
Prefer ECDH,B-571,570bits 1925 0.349 0.4104
Prefer ECDH,K-163,163bits 1 0.0002 0.0002
Prefer ECDH,P-224,224bits 87 0.0158 0.0185
Prefer ECDH,P-256,256bits 414883 75.2094 88.4527
Prefer ECDH,P-384,384bits 3903 0.7075 0.8321
Prefer ECDH,P-521,521bits 11412 2.0688 2.433
Prefer PFS 485151 87.9475 0
Support PFS 517716 93.8508 0
Supported ECC curves Count Percent
-------------------------+---------+--------
brainpoolP256r1 7010 1.2708
brainpoolP384r1 7016 1.2719
brainpoolP512r1 7016 1.2719
prime192v1 1542 0.2795
prime192v1 Only 1 0.0002
prime256v1 465478 84.3812
prime256v1 Only 399795 72.4743
secp160k1 1479 0.2681
secp160r1 1485 0.2692
secp160r2 1478 0.2679
secp192k1 1492 0.2705
secp224k1 1571 0.2848
secp224r1 4963 0.8997
secp256k1 8958 1.6239
secp384r1 66416 12.0398
secp384r1 Only 776 0.1407
secp521r1 33828 6.1323
secp521r1 Only 143 0.0259
sect163k1 1480 0.2683
sect163k1 Only 2 0.0004
sect163r1 1478 0.2679
sect163r2 1478 0.2679
sect193r1 1478 0.2679
sect193r2 1478 0.2679
sect233k1 1563 0.2833
sect233r1 1563 0.2833
sect239k1 1563 0.2833
sect283k1 8428 1.5278
sect283r1 8425 1.5273
sect409k1 8431 1.5284
sect409r1 8429 1.528
sect571k1 8434 1.5289
sect571r1 8434 1.5289
Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 48103 8.72
True 357854 64.8713
order-specific 74 0.0134
unknown 145606 26.3953
ECC curve ordering Count Percent
-------------------------+---------+--------
client 8089 1.4664
inconclusive-noecc 7 0.0013
server 458334 83.0862
unknown 85207 15.4462
TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 48616 8.813
ECDSA-SHA1 Only 5 0.0009
ECDSA-SHA224 48602 8.8105
ECDSA-SHA256 64365 11.668
ECDSA-SHA384 64360 11.6671
ECDSA-SHA512 64365 11.668
ECDSA-SHA512 Only 6 0.0011
RSA-MD5 46119 8.3604
RSA-SHA1 404339 73.298
RSA-SHA1 Only 37023 6.7115
RSA-SHA224 339349 61.5167
RSA-SHA256 375560 68.081
RSA-SHA256 Only 7280 1.3197
RSA-SHA384 341601 61.925
RSA-SHA384 Only 3 0.0005
RSA-SHA512 341567 61.9188
RSA-SHA512 Only 84 0.0152
TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 252624 45.7953
indeterminate 57 0.0103
intolerant 5553 1.0066
order-fallback 7 0.0013
server 199982 36.2525
unsupported 18801 3.4082
TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 48595 8.8092
ECDSA intolerant 74 0.0134
ECDSA pfs-rsa-SHA512 15721 2.8499
RSA False 45736 8.291
RSA SHA1 328060 59.4703
RSA intolerant 39590 7.1768
RSA pfs-ecdsa-SHA512 1 0.0002
RSA soft-nopfs 500 0.0906
Renegotiation Count Percent
-------------------------+---------+--------
False 5768 1.0456
insecure 16732 3.0332
secure 529137 95.9212
Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 7977 1.4461
False 5768 1.0456
NONE 537892 97.5083
TLS session ticket hint Count Percent
-------------------------+---------+--------
1 4 0.0007
1 only 4 0.0007
2 2 0.0004
2 only 2 0.0004
5 3 0.0005
5 only 3 0.0005
10 6 0.0011
10 only 6 0.0011
15 5 0.0009
15 only 5 0.0009
30 18 0.0033
30 only 17 0.0031
60 170 0.0308
60 only 166 0.0301
65 1 0.0002
65 only 1 0.0002
70 6 0.0011
75 1 0.0002
75 only 1 0.0002
100 13 0.0024
100 only 13 0.0024
120 23 0.0042
120 only 23 0.0042
128 2 0.0004
128 only 2 0.0004
150 2 0.0004
180 72 0.0131
180 only 70 0.0127
240 14 0.0025
240 only 14 0.0025
244 1 0.0002
244 only 1 0.0002
300 268504 48.674
300 only 264860 48.0135
302 3 0.0005
302 only 3 0.0005
360 2 0.0004
360 only 1 0.0002
400 5 0.0009
400 only 5 0.0009
420 124 0.0225
420 only 105 0.019
450 1 0.0002
450 only 1 0.0002
480 10 0.0018
480 only 10 0.0018
500 4 0.0007
500 only 4 0.0007
540 3 0.0005
540 only 3 0.0005
600 27697 5.0209
600 only 27547 4.9937
660 3 0.0005
660 only 3 0.0005
720 1 0.0002
720 only 1 0.0002
840 1 0.0002
840 only 1 0.0002
900 1254 0.2273
900 only 1233 0.2235
960 2 0.0004
960 only 2 0.0004
1000 1 0.0002
1000 only 1 0.0002
1200 3011 0.5458
1200 only 3007 0.5451
1210 1 0.0002
1210 only 1 0.0002
1300 1 0.0002
1300 only 1 0.0002
1320 1 0.0002
1320 only 1 0.0002
1380 1 0.0002
1380 only 1 0.0002
1500 5 0.0009
1500 only 4 0.0007
1800 570 0.1033
1800 only 559 0.1013
1980 2 0.0004
1980 only 2 0.0004
2100 2 0.0004
2100 only 1 0.0002
2400 8 0.0015
2400 only 8 0.0015
2700 9 0.0016
2700 only 9 0.0016
3000 28 0.0051
3000 only 28 0.0051
3600 802 0.1454
3600 only 792 0.1436
3900 1 0.0002
3900 only 1 0.0002
5160 1 0.0002
5160 only 1 0.0002
5400 15 0.0027
5400 only 8 0.0015
6000 288 0.0522
6000 only 287 0.052
7200 16170 2.9313
7200 only 16152 2.928
10800 3928 0.7121
10800 only 3918 0.7102
14400 85 0.0154
14400 only 84 0.0152
18000 9 0.0016
18000 only 9 0.0016
21600 4289 0.7775
21600 only 4289 0.7775
25200 1 0.0002
25200 only 1 0.0002
28800 3301 0.5984
28800 only 3301 0.5984
36000 1118 0.2027
36000 only 1107 0.2007
43200 46 0.0083
43200 only 46 0.0083
60000 2 0.0004
60000 only 2 0.0004
64800 63048 11.4293
64800 only 63047 11.4291
72000 8 0.0015
72000 only 8 0.0015
79200 1 0.0002
79200 only 1 0.0002
84000 1 0.0002
84000 only 1 0.0002
86000 51 0.0092
86000 only 51 0.0092
86400 2862 0.5188
86400 only 2858 0.5181
100800 10169 1.8434
100800 only 10144 1.8389
108000 1 0.0002
108000 only 1 0.0002
115200 1 0.0002
115200 only 1 0.0002
129600 8 0.0015
129600 only 8 0.0015
172800 9 0.0016
172800 only 9 0.0016
216000 5 0.0009
216000 only 5 0.0009
259200 2 0.0004
259200 only 2 0.0004
432000 1 0.0002
432000 only 1 0.0002
604800 2 0.0004
604800 only 1 0.0002
864000 4 0.0007
864000 only 4 0.0007
7776000 2 0.0004
7776000 only 2 0.0004
None 147762 26.7861
None only 143812 26.07
Certificate sig alg Count Percent
-------------------------+---------+--------
None 9012 1.6337
ecdsa-with-SHA256 61035 11.0643
sha1WithRSAEncryption 33972 6.1584
sha256WithRSAEncryption 472384 85.6331
sha384WithRSAEncryption 5 0.0009
sha512WithRSAEncryption 59 0.0107
Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 64371 11.6691
ECDSA 384 20 0.0036
ECDSA 521 1 0.0002
RSA 1024 29 0.0053
RSA 2048 480108 87.0333
RSA 2049 2 0.0004
RSA 2056 2 0.0004
RSA 2058 3 0.0005
RSA 2084 4 0.0007
RSA 2086 1 0.0002
RSA 2096 2 0.0004
RSA 2432 2 0.0004
RSA 3071 1 0.0002
RSA 3072 141 0.0256
RSA 3073 1 0.0002
RSA 3076 6 0.0011
RSA 3096 2 0.0004
RSA 3248 4 0.0007
RSA 4048 4 0.0007
RSA 4056 15 0.0027
RSA 4092 2 0.0004
RSA 4094 2 0.0004
RSA 4095 1 0.0002
RSA 4096 25981 4.7098
RSA 8192 8 0.0015
RSA 8392 1 0.0002
RSA/ECDSA Dual Stack 19066 3.4563
OCSP stapling Count Percent
-------------------------+---------+--------
Supported 128880 23.3632
Unsupported 422757 76.6368
Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 18283 3.3143
SSL2 Only 14 0.0025
SSL3 101196 18.3447
SSL3 Only 1158 0.2099
SSL3 or TLS1 Only 54616 9.9007
SSL3 or lower Only 1168 0.2117
TLS1 542011 98.255
TLS1 Only 34339 6.2249
TLS1 or lower Only 70962 12.8639
TLS1.1 467843 84.8099
TLS1.1 Only 333 0.0604
TLS1.1 or up Only 8279 1.5008
TLS1.2 477009 86.4715
TLS1.2 Only 2566 0.4652
TLS1.2, 1.0 but not 1.1 9002 1.6319
Statistics from 587252 chains provided by 715935 hosts
Server provided chains Count Percent
-------------------------+---------+-------
complete 525344 73.3787
incomplete 23228 3.2444
untrusted 167363 23.3768
Trusted chain statistics
========================
Chain length Count Percent
-------------------------+---------+-------
2 13 0.0022
3 585030 99.6216
4 2197 0.3741
5 12 0.002
CA key size in chains Count
-------------------------+---------
ECDSA 256 61011
ECDSA 384 61009
RSA 1024 26
RSA 2045 2
RSA 2048 885900
RSA 4096 168764
Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 61011 10.3892
ECDSA 384 61009 10.3889
RSA 1024 24 0.0041
RSA 2045 2 0.0003
RSA 2048 525829 89.5406
RSA 4096 168152 28.6337
Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 61004
sha1WithRSAEncryption 38564
sha256WithRSAEncryption 338536
sha384WithRSAEncryption 151286
sha512WithRSAEncryption 70
Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 38602 6.5733
112 487624 83.0349
128.0 61026 10.3918
Most popular root CAs Count Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 135263 23.0332
(2c543cd1) GeoTrust Global CA 101180 17.2294
(eed8c118) COMODO ECC Certification Authority 60996 10.3867
(5ad8a5d6) GlobalSign Root CA 56051 9.5446
(cbf06781) Go Daddy Root Certificate Authorit 49631 8.4514
(b204d74a) VeriSign Class 3 Public Primary Ce 31013 5.281
(244b5494) DigiCert High Assurance EV Root CA 20318 3.4598
(2e4eed3c) thawte Primary Root CA 18889 3.2165
(fc5a8f99) USERTrust RSA Certification Author 15885 2.705
(653b494a) Baltimore CyberTrust Root 13245 2.2554
(4bfab552) Starfield Root Certificate Authori 10600 1.805
(3513523f) DigiCert Global Root CA 9653 1.6438
(ae8153b9) StartCom Certification Authority 8863 1.5092
(2e5ac55d) DST Root CA X3 7351 1.2518
Test ran between 17th of March and 5th of April 2016
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web:
www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic