Detailed analysis on my blog:
https://securitypitfalls.wordpress.com/2015/11/29/august-2015-scan-results/
SSL/TLS survey of 509351 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that also have a valid certificate
installed)

Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      435183    85.4387
3DES Only                 725       0.1423
AES                       500583    98.2786
AES Only                  18647     3.6609
AES-CBC                   500485    98.2594
AES-CBC Only              9344      1.8345
AES-GCM                   363787    71.4217
AES-GCM Only              37        0.0073
CAMELLIA                  225125    44.1984
CAMELLIA Only             3         0.0006
CHACHA20                  63145     12.3971
CHACHA20 Only             2         0.0004
Insecure                  67027     13.1593
RC4                       239979    47.1147
RC4 Only                  1395      0.2739
RC4 Preferred             29355     5.7632
RC4 forced in TLS1.1+     16525     3.2443
x:FF 29 RC4 Only          1696      0.333
x:FF 29 RC4 Preferred     33338     6.5452
x:FF 29 incompatible      107       0.021
x:FF 35 RC4 Only          2022      0.397
x:FF 35 RC4 Preferred     33466     6.5703
x:FF 35 incompatible      112       0.022
y:DHE-RSA-SEED-SHA        85997     16.8836
y:IDEA-CBC-SHA            78567     15.4249
y:SEED-SHA                95725     18.7935
z:ADH-AES128-GCM-SHA256   290       0.0569
z:ADH-AES128-SHA          690       0.1355
z:ADH-AES128-SHA256       194       0.0381
z:ADH-AES256-GCM-SHA384   300       0.0589
z:ADH-AES256-SHA          701       0.1376
z:ADH-AES256-SHA256       196       0.0385
z:ADH-CAMELLIA128-SHA     306       0.0601
z:ADH-CAMELLIA256-SHA     312       0.0613
z:ADH-DES-CBC-SHA         295       0.0579
z:ADH-DES-CBC3-SHA        712       0.1398
z:ADH-RC4-MD5             569       0.1117
z:ADH-SEED-SHA            230       0.0452
z:AECDH-AES128-SHA        13191     2.5898
z:AECDH-AES256-SHA        13214     2.5943
z:AECDH-DES-CBC3-SHA      13149     2.5815
z:AECDH-NULL-SHA          51        0.01
z:AECDH-RC4-SHA           12459     2.4461
z:DES-CBC-MD5             12757     2.5046
z:DES-CBC-SHA             38652     7.5885
z:DES-CBC3-MD5            25783     5.0619
z:ECDHE-RSA-NULL-SHA      60        0.0118
z:EDH-RSA-DES-CBC-SHA     33192     6.5165
z:EXP-ADH-DES-CBC-SHA     214       0.042
z:EXP-ADH-RC4-MD5         213       0.0418
z:EXP-DES-CBC-SHA         17083     3.3539
z:EXP-EDH-RSA-DES-CBC-SHA 13893     2.7276
z:EXP-RC2-CBC-MD5         20743     4.0724
z:EXP-RC4-MD5             21811     4.2821
z:EXP1024-DES-CBC-SHA     5319      1.0443
z:EXP1024-RC4-SHA         5395      1.0592
z:IDEA-CBC-MD5            2435      0.4781
z:NULL-MD5                230       0.0452
z:NULL-SHA                232       0.0455
z:NULL-SHA256             22        0.0043
z:RC2-CBC-MD5             13042     2.5605
z:RC4-64-MD5              1052      0.2065

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               130864    25.6923
Server side               378487    74.3077

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       817       0.1604
AECDH                     13248     2.601
DHE                       280098    54.9912
ECDH                      3         0.0006
ECDHE                     390772    76.7196
ECDHE and DHE             205466    40.3388
RSA                       463146    90.9287

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               187360    36.7841  66.8909
DH,1536bits               2         0.0004   0.0007
DH,2048bits               83731     16.4388  29.8935
DH,2236bits               3         0.0006   0.0011
DH,3072bits               2656      0.5214   0.9482
DH,3092bits               1         0.0002   0.0004
DH,4096bits               5788      1.1363   2.0664
DH,512bits                59        0.0116   0.0211
DH,768bits                553       0.1086   0.1974
DH,8192bits               2         0.0004   0.0007
ECDH,B-163,163bits        1         0.0002   0.0003
ECDH,B-571,570bits        1431      0.2809   0.3662
ECDH,K-163,163bits        1         0.0002   0.0003
ECDH,K-571,570bits        1         0.0002   0.0003
ECDH,P-224,224bits        83        0.0163   0.0212
ECDH,P-256,256bits        379964    74.5977  97.2342
ECDH,P-384,384bits        2696      0.5293   0.6899
ECDH,P-521,521bits        7641      1.5001   1.9554
Prefer DH,1024bits        70139     13.7703  25.0409
Prefer DH,1536bits        1         0.0002   0.0004
Prefer DH,2048bits        6067      1.1911   2.166
Prefer DH,2236bits        1         0.0002   0.0004
Prefer DH,3072bits        21        0.0041   0.0075
Prefer DH,4096bits        310       0.0609   0.1107
Prefer DH,768bits         170       0.0334   0.0607
Prefer ECDH,B-163,163bits 1         0.0002   0.0003
Prefer ECDH,B-571,570bits 1231      0.2417   0.315
Prefer ECDH,K-163,163bits 1         0.0002   0.0003
Prefer ECDH,K-571,570bits 1         0.0002   0.0003
Prefer ECDH,P-224,224bits 49        0.0096   0.0125
Prefer ECDH,P-256,256bits 327275    64.2533  83.7509
Prefer ECDH,P-384,384bits 2552      0.501    0.6531
Prefer ECDH,P-521,521bits 6909      1.3564   1.768
Prefer PFS                414728    81.4228  0
Support PFS               465404    91.372   0

Supported ECC curves      Count     Percent
-------------------------+---------+--------
brainpoolP256r1           1013      0.1989
brainpoolP384r1           1014      0.1991
brainpoolP512r1           1015      0.1993
prime192v1                1346      0.2643
prime256v1                389473    76.4646
prime256v1 Only           338238    66.4057
secp160k1                 1313      0.2578
secp160r1                 1315      0.2582
secp160r2                 1312      0.2576
secp192k1                 1335      0.2621
secp224k1                 1403      0.2754
secp224r1                 3044      0.5976
secp224r1 Only            2         0.0004
secp256k1                 2305      0.4525
secp384r1                 51317     10.075
secp384r1 Only            330       0.0648
secp521r1                 20958     4.1146
secp521r1 Only            124       0.0243
sect163k1                 1322      0.2595
sect163k1 Only            2         0.0004
sect163r1                 1320      0.2592
sect163r2                 1319      0.259
sect163r2 Only            1         0.0002
sect193r1                 1316      0.2584
sect193r2                 1315      0.2582
sect233k1                 1395      0.2739
sect233r1                 1395      0.2739
sect239k1                 1394      0.2737
sect283k1                 2280      0.4476
sect283r1                 2279      0.4474
sect409k1                 2281      0.4478
sect409r1                 2278      0.4472
sect571k1                 2291      0.4498
sect571r1                 2290      0.4496

Unsupported curve fallback     Count     Percent
------------------------------+---------+--------
False                          76188     14.9579
True                           263977    51.8261
order-specific                 263       0.0516
unknown                        168923    33.1644

ECC curve ordering        Count     Percent
-------------------------+---------+--------
client                    3661      0.7188
inconclusive-noecc        9         0.0018
server                    386286    75.8389
unknown                   119395    23.4406

TLSv1.2 PFS supported sigalgs  Count     Percent
------------------------------+---------+--------
ECDSA-SHA1                     35626     6.9944
ECDSA-SHA1 Only                4         0.0008
ECDSA-SHA224                   35618     6.9928
ECDSA-SHA256                   35628     6.9948
ECDSA-SHA384                   35625     6.9942
ECDSA-SHA512                   35631     6.9954
ECDSA-SHA512 Only              6         0.0012
RSA-MD5                        165235    32.4403
RSA-SHA1                       341873    67.1193
RSA-SHA1 Only                  46530     9.1352
RSA-SHA224                     277602    54.5011
RSA-SHA256                     301111    59.1166
RSA-SHA256 Only                4859      0.954
RSA-SHA384                     278555    54.6882
RSA-SHA512                     278643    54.7055
RSA-SHA512 Only                93        0.0183

TLSv1.2 PFS ordering           Count     Percent
------------------------------+---------+--------
client                         243146    47.7364
indeterminate                  8         0.0016
intolerant                     3556      0.6981
order-fallback                 16        0.0031
server                         136828    26.8632
unsupported                    22608     4.4386

TLSv1.2 PFS sigalg fallback    Count     Percent
------------------------------+---------+--------
ECDSA SHA1                     35612     6.9916
ECDSA intolerant               39        0.0077
RSA False                      163780    32.1546
RSA SHA1                       152230    29.8871
RSA intolerant                 30949     6.0762
RSA soft-nopfs                 1543      0.3029

Renegotiation             Count     Percent
-------------------------+---------+--------
False                     6729      1.3211
insecure                  20615     4.0473
secure                    482007    94.6316

Compression               Count     Percent
-------------------------+---------+--------
1 (zlib compression)      10877     2.1355
False                     6729      1.3211
NONE                      491745    96.5434

TLS session ticket hint   Count     Percent
-------------------------+---------+--------
1                         2         0.0004
1 only                    2         0.0004
2                         2         0.0004
2 only                    2         0.0004
5                         4         0.0008
5 only                    4         0.0008
10                        7         0.0014
10 only                   7         0.0014
15                        10        0.002
15 only                   10        0.002
30                        10        0.002
30 only                   9         0.0018
60                        100       0.0196
60 only                   92        0.0181
65                        1         0.0002
65 only                   1         0.0002
70                        6         0.0012
100                       12        0.0024
100 only                  12        0.0024
120                       32        0.0063
120 only                  32        0.0063
128                       3         0.0006
128 only                  3         0.0006
150                       2         0.0004
180                       52        0.0102
180 only                  50        0.0098
240                       14        0.0027
240 only                  14        0.0027
300                       227236    44.6129
300 only                  222350    43.6536
302                       1         0.0002
302 only                  1         0.0002
360                       3         0.0006
360 only                  1         0.0002
400                       7         0.0014
400 only                  7         0.0014
420                       113       0.0222
420 only                  82        0.0161
450                       1         0.0002
450 only                  1         0.0002
480                       12        0.0024
480 only                  12        0.0024
500                       4         0.0008
500 only                  4         0.0008
540                       1         0.0002
540 only                  1         0.0002
600                       23677     4.6485
600 only                  23483     4.6104
720                       1         0.0002
720 only                  1         0.0002
840                       2         0.0004
840 only                  2         0.0004
900                       664       0.1304
900 only                  648       0.1272
960                       2         0.0004
960 only                  2         0.0004
1200                      1996      0.3919
1200 only                 1989      0.3905
1500                      8         0.0016
1500 only                 7         0.0014
1800                      449       0.0882
1800 only                 441       0.0866
2400                      6         0.0012
2400 only                 6         0.0012
2700                      6         0.0012
2700 only                 6         0.0012
3000                      20        0.0039
3000 only                 20        0.0039
3600                      463       0.0909
3600 only                 439       0.0862
3900                      1         0.0002
3900 only                 1         0.0002
5400                      15        0.0029
5400 only                 5         0.001
6000                      6         0.0012
6000 only                 6         0.0012
7200                      15785     3.099
7200 only                 15761     3.0943
10800                     2395      0.4702
10800 only                2391      0.4694
14400                     73        0.0143
14400 only                73        0.0143
18000                     14        0.0027
18000 only                14        0.0027
21600                     5069      0.9952
21600 only                5067      0.9948
28800                     1936      0.3801
28800 only                846       0.1661
36000                     1219      0.2393
36000 only                1212      0.2379
43200                     32        0.0063
43200 only                32        0.0063
60000                     1         0.0002
60000 only                1         0.0002
64800                     50264     9.8682
64800 only                50206     9.8569
72000                     10        0.002
72000 only                10        0.002
84600                     1         0.0002
84600 only                1         0.0002
86000                     37        0.0073
86000 only                37        0.0073
86400                     3516      0.6903
86400 only                3515      0.6901
100800                    12467     2.4476
100800 only               12460     2.4463
115200                    1         0.0002
115200 only               1         0.0002
129600                    7         0.0014
129600 only               7         0.0014
172800                    8         0.0016
172800 only               8         0.0016
216000                    1         0.0002
216000 only               1         0.0002
432000                    2         0.0004
432000 only               2         0.0004
604800                    1         0.0002
864000                    2         0.0004
864000 only               2         0.0004
2592000                   1         0.0002
2592000 only              1         0.0002
None                      167946    32.9725
None only                 161562    31.7192

Certificate sig alg       Count     Percent
-------------------------+---------+--------
None                      13903     2.7296
ecdsa-with-SHA256         35609     6.9911
sha1WithRSAEncryption     118117    23.1897
sha256WithRSAEncryption   355741    69.842
sha384WithRSAEncryption   5         0.001
sha512WithRSAEncryption   17        0.0033

Certificate key size      Count     Percent
-------------------------+---------+--------
ECDSA 256                 35649     6.9989
ECDSA 384                 6         0.0012
ECDSA 521                 1         0.0002
RSA 1024                  81        0.0159
RSA 10240                 7         0.0014
RSA 2048                  455461    89.4199
RSA 2049                  3         0.0006
RSA 2056                  2         0.0004
RSA 2058                  2         0.0004
RSA 2064                  1         0.0002
RSA 2080                  2         0.0004
RSA 2084                  5         0.001
RSA 2408                  1         0.0002
RSA 2432                  2         0.0004
RSA 2480                  1         0.0002
RSA 2890                  1         0.0002
RSA 3071                  2         0.0004
RSA 3072                  111       0.0218
RSA 3102                  1         0.0002
RSA 3248                  3         0.0006
RSA 4042                  1         0.0002
RSA 4048                  1         0.0002
RSA 4056                  25        0.0049
RSA 4069                  3         0.0006
RSA 4086                  2         0.0004
RSA 4092                  6         0.0012
RSA 4094                  1         0.0002
RSA 4096                  18024     3.5386
RSA 8192                  5         0.001
RSA/ECDSA Dual Stack      50        0.0098

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 109199    21.4389
Unsupported               400152    78.5611

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      26076     5.1195
SSL2 Only                 24        0.0047
SSL3                      130306    25.5828
SSL3 Only                 584       0.1147
SSL3 or TLS1 Only         75720     14.866
SSL3 or lower Only        607       0.1192
TLS1                      506048    99.3515
TLS1 Only                 44327     8.7026
TLS1 or lower Only        100132    19.6587
TLS1.1                    396444    77.8332
TLS1.1 Only               30        0.0059
TLS1.1 or up Only         2473      0.4855
TLS1.2                    406149    79.7385
TLS1.2 Only               1063      0.2087
TLS1.2, 1.0 but not 1.1   11004     2.1604

Statistics from 528021 chains provided by 691201 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  479672    69.3969
incomplete                23576     3.4109
untrusted                 187953    27.1922

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         269       0.0509
3                         525613    99.544
4                         2106      0.3988
5                         33        0.0062

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 35610
ECDSA 384                 35613
RSA 1024                  255
RSA 2045                  1
RSA 2048                  860646
RSA 4096                  125820

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 35610     6.744
ECDSA 384                 35613     6.7446
RSA 1024                  253       0.0479
RSA 2045                  1         0.0002
RSA 2048                  491885    93.1563
RSA 4096                  125302    23.7305

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              35609
sha1WithRSAEncryption          136788
sha256WithRSAEncryption        246213
sha384WithRSAEncryption        111253
sha512WithRSAEncryption        61

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        137062    25.9577
112                       355341    67.2968
128                       35618     6.7456

Root CAs                                      Count     Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA                 109891    20.8119
(d6325660) COMODO RSA Certification Authority 103786    19.6557
(5ad8a5d6) GlobalSign Root CA                 51859     9.8214
(cbf06781) Go Daddy Root Certificate Authorit 48094     9.1083
(eed8c118) COMODO ECC Certification Authority 35597     6.7416
(b204d74a) VeriSign Class 3 Public Primary Ce 30261     5.731
(244b5494) DigiCert High Assurance EV Root CA 26028     4.9293
(2e4eed3c) thawte Primary Root CA             24484     4.6369
(157753a5) AddTrust External CA Root          12314     2.3321
(653b494a) Baltimore CyberTrust Root          12080     2.2878
(ae8153b9) StartCom Certification Authority   9217      1.7456
(3513523f) DigiCert Global Root CA            7329      1.388
(fc5a8f99) USERTrust RSA Certification Author 7360      1.3939
(4bfab552) Starfield Root Certificate Authori 6079      1.1513
(f081611a) The Go Daddy Group, Inc.           5382      1.0193
(480720ec) GeoTrust Primary Certification Aut 5448      1.0318
(f387163d) Starfield Technologies, Inc.       5310      1.0056

Scan performed between 17th of August and 4th of September 2015.
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic