SSL/TLS survey of 554044 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)
Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 488020 88.0833
3DES Only 590 0.1065
3DES Preferred 1772 0.3198
3DES forced in TLS1.1+ 936 0.1689
AES 549187 99.1234
AES Only 42441 7.6602
AES-CBC 548762 99.0466
AES-CBC Only 8334 1.5042
AES-GCM 448629 80.9735
AES-GCM Only 378 0.0682
CAMELLIA 241430 43.576
CAMELLIA Only 1 0.0002
CHACHA20 75592 13.6437
Insecure 54139 9.7716
RC4 160923 29.0452
RC4 Only 183 0.033
RC4 Preferred 15628 2.8207
RC4 forced in TLS1.1+ 8360 1.5089
x:FF 29 3DES Only 639 0.1153
x:FF 29 3DES Preferred 2130 0.3844
x:FF 29 RC4 Only 254 0.0458
x:FF 29 RC4 Preferred 17323 3.1266
x:FF 29 incompatible 272 0.0491
x:FF 35 3DES Only 645 0.1164
x:FF 35 3DES Preferred 2044 0.3689
x:FF 35 RC4 Only 301 0.0543
x:FF 35 RC4 Preferred 17346 3.1308
x:FF 35 incompatible 276 0.0498
x:FF 44 3DES Only 4576 0.8259
x:FF 44 3DES Preferred 8336 1.5046
x:FF 44 incompatible 577 0.1041
y:DHE-RSA-SEED-SHA 71951 12.9865
y:IDEA-CBC-SHA 67468 12.1774
y:SEED-SHA 82250 14.8454
z:ADH-AES128-GCM-SHA256 401 0.0724
z:ADH-AES128-SHA 730 0.1318
z:ADH-AES128-SHA256 275 0.0496
z:ADH-AES256-GCM-SHA384 411 0.0742
z:ADH-AES256-SHA 748 0.135
z:ADH-AES256-SHA256 274 0.0495
z:ADH-CAMELLIA128-SHA 390 0.0704
z:ADH-CAMELLIA256-SHA 400 0.0722
z:ADH-DES-CBC-SHA 321 0.0579
z:ADH-DES-CBC3-SHA 738 0.1332
z:ADH-RC4-MD5 539 0.0973
z:ADH-SEED-SHA 312 0.0563
z:AECDH-AES128-SHA 9716 1.7537
z:AECDH-AES256-SHA 9763 1.7621
z:AECDH-DES-CBC3-SHA 9685 1.7481
z:AECDH-NULL-SHA 85 0.0153
z:AECDH-RC4-SHA 9132 1.6482
z:DES-CBC-MD5 7224 1.3039
z:DES-CBC-SHA 33578 6.0605
z:DES-CBC3-MD5 17444 3.1485
z:ECDHE-RSA-NULL-SHA 95 0.0171
z:EDH-RSA-DES-CBC-SHA 28962 5.2274
z:EXP-ADH-DES-CBC-SHA 173 0.0312
z:EXP-ADH-RC4-MD5 171 0.0309
z:EXP-DES-CBC-SHA 11121 2.0072
z:EXP-EDH-RSA-DES-CBC-SHA 8776 1.584
z:EXP-RC2-CBC-MD5 13375 2.4141
z:EXP-RC4-MD5 14006 2.528
z:EXP1024-DES-CBC-SHA 3639 0.6568
z:EXP1024-RC4-SHA 3688 0.6657
z:IDEA-CBC-MD5 1523 0.2749
z:NULL-MD5 214 0.0386
z:NULL-SHA 218 0.0393
z:NULL-SHA256 32 0.0058
z:RC2-CBC-MD5 7396 1.3349
z:RC4-64-MD5 767 0.1384
Cipher ordering Count Percent
-------------------------+---------+-------
Client side 134999 24.3661
Server side 419045 75.6339
Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 885 0.1597
AECDH 9773 1.7639
DHE 298929 53.954
ECDH 2 0.0004
ECDHE 476485 86.0013
ECDHE and DHE 253657 45.7828
RSA 475653 85.8511
Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 116515 21.0299 38.9775
DH,1536bits 1 0.0002 0.0003
DH,2048bits 170990 30.8622 57.2009
DH,2236bits 69 0.0125 0.0231
DH,2432bits 3 0.0005 0.001
DH,2560bits 1 0.0002 0.0003
DH,3072bits 111 0.02 0.0371
DH,3092bits 1 0.0002 0.0003
DH,4094bits 1 0.0002 0.0003
DH,4096bits 10885 1.9646 3.6413
DH,4098bits 1 0.0002 0.0003
DH,512bits 64 0.0116 0.0214
DH,6144bits 1 0.0002 0.0003
DH,768bits 377 0.068 0.1261
DH,8192bits 9 0.0016 0.003
ECDH,B-571,570bits 2314 0.4177 0.4856
ECDH,K-163,163bits 1 0.0002 0.0002
ECDH,P-192,192bits 23 0.0042 0.0048
ECDH,P-224,224bits 84 0.0152 0.0176
ECDH,P-256,256bits 456709 82.4319 95.8496
ECDH,P-384,384bits 5908 1.0663 1.2399
ECDH,P-521,521bits 13327 2.4054 2.7969
Prefer DH,1024bits 43925 7.9281 14.6941
Prefer DH,1536bits 1 0.0002 0.0003
Prefer DH,2048bits 5768 1.0411 1.9296
Prefer DH,3072bits 6 0.0011 0.002
Prefer DH,4096bits 423 0.0763 0.1415
Prefer DH,768bits 54 0.0097 0.0181
Prefer ECDH,B-571,570bits 2090 0.3772 0.4386
Prefer ECDH,K-163,163bits 1 0.0002 0.0002
Prefer ECDH,P-224,224bits 81 0.0146 0.017
Prefer ECDH,P-256,256bits 419866 75.7821 88.1174
Prefer ECDH,P-384,384bits 4218 0.7613 0.8852
Prefer ECDH,P-521,521bits 12182 2.1987 2.5566
Prefer PFS 488615 88.1906 0
Support PFS 521757 94.1725 0
Supported ECC curves Count Percent
-------------------------+---------+--------
brainpoolP256r1 7632 1.3775
brainpoolP384r1 7634 1.3779
brainpoolP512r1 7637 1.3784
prime192v1 1557 0.281
prime256v1 473202 85.4087
prime256v1 Only 404241 72.9619
secp160k1 1490 0.2689
secp160r1 1497 0.2702
secp160r2 1488 0.2686
secp192k1 1502 0.2711
secp224k1 1576 0.2845
secp224r1 4971 0.8972
secp256k1 10618 1.9165
secp384r1 70010 12.6362
secp384r1 Only 1082 0.1953
secp521r1 36615 6.6087
secp521r1 Only 140 0.0253
sect163k1 1492 0.2693
sect163k1 Only 1 0.0002
sect163r1 1490 0.2689
sect163r2 1490 0.2689
sect193r1 1490 0.2689
sect193r2 1489 0.2688
sect233k1 1566 0.2826
sect233r1 1566 0.2826
sect239k1 1565 0.2825
sect283k1 9047 1.6329
sect283k1 Only 1 0.0002
sect283r1 9044 1.6324
sect409k1 9041 1.6318
sect409r1 9038 1.6313
sect571k1 9044 1.6324
sect571r1 9045 1.6325
Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 46285 8.354
True 365389 65.9495
order-specific 61 0.011
unknown 142309 25.6855
ECC curve ordering Count Percent
-------------------------+---------+--------
client 9132 1.6482
inconclusive-noecc 4 0.0007
server 465324 83.9868
unknown 79584 14.3642
TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 50518 9.118
ECDSA-SHA1 Only 3 0.0005
ECDSA-SHA224 50534 9.1209
ECDSA-SHA256 66231 11.9541
ECDSA-SHA384 66277 11.9624
ECDSA-SHA512 66334 11.9727
ECDSA-SHA512 Only 61 0.011
RSA-MD5 41528 7.4954
RSA-SHA1 408670 73.7613
RSA-SHA1 Only 36069 6.5101
RSA-SHA224 340011 61.369
RSA-SHA256 380914 68.7516
RSA-SHA256 Only 7319 1.321
RSA-SHA384 345799 62.4136
RSA-SHA384 Only 4 0.0007
RSA-SHA512 345776 62.4095
RSA-SHA512 Only 118 0.0213
TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 255972 46.2007
indeterminate 42 0.0076
intolerant 5716 1.0317
order-fallback 9 0.0016
server 203222 36.6798
unsupported 17516 3.1615
TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 50464 9.1083
ECDSA intolerant 381 0.0688
ECDSA pfs-rsa-SHA512 15610 2.8175
ECDSA soft-nopfs 2 0.0004
RSA False 41178 7.4323
RSA SHA1 336118 60.6663
RSA intolerant 40148 7.2464
RSA pfs-ecdsa-SHA512 45 0.0081
RSA soft-nopfs 512 0.0924
Renegotiation Count Percent
-------------------------+---------+--------
False 5199 0.9384
insecure 15950 2.8788
secure 532895 96.1828
Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 7539 1.3607
False 5199 0.9384
NONE 541306 97.7009
TLS session ticket hint Count Percent
-------------------------+---------+--------
1 4 0.0007
1 only 4 0.0007
2 2 0.0004
2 only 2 0.0004
5 8 0.0014
5 only 8 0.0014
10 8 0.0014
10 only 8 0.0014
15 6 0.0011
15 only 6 0.0011
30 19 0.0034
30 only 18 0.0032
60 167 0.0301
60 only 164 0.0296
65 2 0.0004
65 only 2 0.0004
70 6 0.0011
70 only 4 0.0007
75 1 0.0002
75 only 1 0.0002
100 16 0.0029
100 only 16 0.0029
120 28 0.0051
120 only 28 0.0051
128 3 0.0005
128 only 3 0.0005
150 2 0.0004
180 66 0.0119
180 only 64 0.0116
240 11 0.002
240 only 11 0.002
244 2 0.0004
244 only 2 0.0004
300 272999 49.2739
300 only 269600 48.6604
302 3 0.0005
302 only 3 0.0005
360 3 0.0005
360 only 2 0.0004
400 5 0.0009
400 only 5 0.0009
420 122 0.022
420 only 105 0.019
480 10 0.0018
480 only 10 0.0018
500 4 0.0007
500 only 4 0.0007
540 3 0.0005
540 only 3 0.0005
600 28373 5.1211
600 only 28233 5.0958
660 1 0.0002
660 only 1 0.0002
700 3 0.0005
700 only 3 0.0005
840 2 0.0004
840 only 2 0.0004
900 1388 0.2505
900 only 1366 0.2466
960 2 0.0004
960 only 2 0.0004
1000 1 0.0002
1000 only 1 0.0002
1200 2912 0.5256
1200 only 2907 0.5247
1210 2 0.0004
1210 only 2 0.0004
1320 1 0.0002
1320 only 1 0.0002
1380 1 0.0002
1380 only 1 0.0002
1440 1 0.0002
1440 only 1 0.0002
1500 6 0.0011
1500 only 5 0.0009
1800 579 0.1045
1800 only 568 0.1025
1980 2 0.0004
1980 only 2 0.0004
2100 2 0.0004
2100 only 1 0.0002
2160 1 0.0002
2160 only 1 0.0002
2400 8 0.0014
2400 only 8 0.0014
2700 9 0.0016
2700 only 9 0.0016
3000 25 0.0045
3000 only 25 0.0045
3300 1 0.0002
3300 only 1 0.0002
3600 865 0.1561
3600 only 850 0.1534
3900 1 0.0002
3900 only 1 0.0002
4200 1 0.0002
5160 1 0.0002
5160 only 1 0.0002
5400 15 0.0027
5400 only 9 0.0016
5940 1 0.0002
5940 only 1 0.0002
6000 297 0.0536
6000 only 297 0.0536
7200 15195 2.7426
7200 only 15175 2.739
7500 1 0.0002
7500 only 1 0.0002
10800 4136 0.7465
10800 only 4122 0.744
14400 95 0.0171
14400 only 95 0.0171
18000 10 0.0018
18000 only 10 0.0018
21600 4179 0.7543
21600 only 4179 0.7543
25200 1 0.0002
25200 only 1 0.0002
28800 3321 0.5994
28800 only 3321 0.5994
30000 1 0.0002
30000 only 1 0.0002
36000 1080 0.1949
36000 only 1071 0.1933
38854 1 0.0002
38866 1 0.0002
38879 1 0.0002
38893 1 0.0002
38908 1 0.0002
38925 1 0.0002
38940 1 0.0002
38953 1 0.0002
43200 55 0.0099
43200 only 55 0.0099
60000 2 0.0004
60000 only 2 0.0004
64800 65043 11.7397
64800 only 65041 11.7393
72000 9 0.0016
72000 only 9 0.0016
79200 1 0.0002
79200 only 1 0.0002
86400 2805 0.5063
86400 only 2801 0.5056
100800 9140 1.6497
100800 only 9137 1.6491
108000 1 0.0002
108000 only 1 0.0002
115200 1 0.0002
115200 only 1 0.0002
129600 6 0.0011
129600 only 6 0.0011
172800 49 0.0088
172800 only 49 0.0088
216000 4 0.0007
216000 only 4 0.0007
432000 1 0.0002
432000 only 1 0.0002
604800 2 0.0004
864000 2 0.0004
864000 only 2 0.0004
7776000 2 0.0004
7776000 only 2 0.0004
None 144581 26.0956
None only 140902 25.4316
Certificate sig alg Count Percent
-------------------------+---------+--------
None 10359 1.8697
ecdsa-with-SHA256 63100 11.389
sha1WithRSAEncryption 29544 5.3324
sha256WithRSAEncryption 477256 86.1405
sha384WithRSAEncryption 5 0.0009
sha512WithRSAEncryption 60 0.0108
Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 66442 11.9922
ECDSA 384 21 0.0038
ECDSA 521 1 0.0002
RSA 1024 21 0.0038
RSA 2048 479886 86.6151
RSA 2049 2 0.0004
RSA 2056 3 0.0005
RSA 2058 3 0.0005
RSA 2084 3 0.0005
RSA 2086 1 0.0002
RSA 2096 2 0.0004
RSA 2432 2 0.0004
RSA 3072 150 0.0271
RSA 3073 1 0.0002
RSA 3076 3 0.0005
RSA 3096 2 0.0004
RSA 3248 3 0.0005
RSA 4048 3 0.0005
RSA 4056 15 0.0027
RSA 4069 1 0.0002
RSA 4086 4 0.0007
RSA 4092 2 0.0004
RSA 4094 1 0.0002
RSA 4095 1 0.0002
RSA 4096 26364 4.7585
RSA 4196 1 0.0002
RSA 8192 9 0.0016
RSA 8392 1 0.0002
RSA/ECDSA Dual Stack 18891 3.4097
OCSP stapling Count Percent
-------------------------+---------+--------
Supported 128586 23.2086
Unsupported 425458 76.7914
Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 17623 3.1808
SSL2 Only 17 0.0031
SSL3 98238 17.7311
SSL3 Only 1159 0.2092
SSL3 or TLS1 Only 52628 9.4989
SSL3 or lower Only 1168 0.2108
TLS1 543101 98.0249
TLS1 Only 32939 5.9452
TLS1 or lower Only 68307 12.3288
TLS1.1 473247 85.4169
TLS1.1 Only 208 0.0375
TLS1.1 or up Only 9606 1.7338
TLS1.2 482460 87.0797
TLS1.2 Only 2594 0.4682
TLS1.2, 1.0 but not 1.1 8635 1.5585
Statistics from 589898 chains provided by 709652 hosts
Server provided chains Count Percent
-------------------------+---------+-------
complete 529449 74.6068
incomplete 22333 3.147
untrusted 157870 22.2461
Trusted chain statistics
========================
Chain length Count Percent
-------------------------+---------+-------
2 8 0.0014
3 587212 99.5447
4 2665 0.4518
5 13 0.0022
CA key size in chains Count
-------------------------+---------
ECDSA 256 63091
ECDSA 384 63090
RSA 1024 21
RSA 2045 2
RSA 2048 881842
RSA 4096 174433
Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 63091 10.6952
ECDSA 384 63090 10.6951
RSA 1024 19 0.0032
RSA 2045 2 0.0003
RSA 2048 526385 89.2332
RSA 4096 173801 29.4629
Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 63084
sha1WithRSAEncryption 33756
sha256WithRSAEncryption 339826
sha384WithRSAEncryption 155860
sha512WithRSAEncryption 55
Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 33778 5.7261
112 493007 83.575
128 63113 10.699
Root CAs Count Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 138204 23.4285
(2c543cd1) GeoTrust Global CA 95310 16.157
(eed8c118) COMODO ECC Certification Authority 63077 10.6929
(5ad8a5d6) GlobalSign Root CA 56226 9.5315
(cbf06781) Go Daddy Root Certificate Authorit 49413 8.3765
(b204d74a) VeriSign Class 3 Public Primary Ce 30520 5.1738
(244b5494) DigiCert High Assurance EV Root CA 19387 3.2865
(2e4eed3c) thawte Primary Root CA 18858 3.1968
(653b494a) Baltimore CyberTrust Root 12557 2.1287
(2e5ac55d) DST Root CA X3 12525 2.1232
(fc5a8f99) USERTrust RSA Certification Author 17514 2.969
(ae8153b9) StartCom Certification Authority 9654 1.6366
(3513523f) DigiCert Global Root CA 9633 1.633
(4bfab552) Starfield Root Certificate Authori 8780 1.4884
Scan performed between 18th of April and 1st of May 2016
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web:
www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic