Unfortunately, during scanning the disk space on the server ran out, so the
results are not complete.

Other than that, no interesting developments, just continuation of established
trends.

SSL/TLS survey of 479178 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)

Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 419340 87.5124
3DES Only 506 0.1056
3DES Preferred 1692 0.3531
3DES forced in TLS1.1+ 922 0.1924
AES 474652 99.0555
AES Only 37306 7.7854
AES-CBC 474138 98.9482
AES-CBC Only 7523 1.57
AES-GCM 380917 79.4938
AES-GCM Only 466 0.0972
CAMELLIA 201933 42.1415
CAMELLIA Only 3 0.0006
CHACHA20 66326 13.8416
CHACHA20 Only 1 0.0002
Insecure 48383 10.0971
RC4 149250 31.1471
RC4 Only 177 0.0369
RC4 Preferred 15506 3.236
RC4 forced in TLS1.1+ 8442 1.7618
x:FF 29 3DES Only 550 0.1148
x:FF 29 3DES Preferred 2012 0.4199
x:FF 29 RC4 Only 265 0.0553
x:FF 29 RC4 Preferred 17097 3.568
x:FF 29 incompatible 321 0.067
x:FF 35 3DES Only 559 0.1167
x:FF 35 3DES Preferred 1924 0.4015
x:FF 35 RC4 Only 311 0.0649
x:FF 35 RC4 Preferred 17124 3.5736
x:FF 35 incompatible 325 0.0678
y:DHE-RSA-SEED-SHA 60590 12.6446
y:IDEA-CBC-SHA 58075 12.1197
y:SEED-SHA 70022 14.6129
z:ADH-AES128-GCM-SHA256 354 0.0739
z:ADH-AES128-SHA 605 0.1263
z:ADH-AES128-SHA256 246 0.0513
z:ADH-AES256-GCM-SHA384 367 0.0766
z:ADH-AES256-SHA 618 0.129
z:ADH-AES256-SHA256 245 0.0511
z:ADH-CAMELLIA128-SHA 316 0.0659
z:ADH-CAMELLIA256-SHA 321 0.067
z:ADH-DES-CBC-SHA 243 0.0507
z:ADH-DES-CBC3-SHA 620 0.1294
z:ADH-RC4-MD5 455 0.095
z:ADH-SEED-SHA 254 0.053
z:AECDH-AES128-SHA 7521 1.5696
z:AECDH-AES256-SHA 7556 1.5769
z:AECDH-DES-CBC3-SHA 7499 1.565
z:AECDH-NULL-SHA 45 0.0094
z:AECDH-RC4-SHA 7010 1.4629
z:DES-CBC-MD5 7605 1.5871
z:DES-CBC-SHA 30728 6.4126
z:DES-CBC3-MD5 17199 3.5893
z:ECDHE-RSA-NULL-SHA 53 0.0111
z:EDH-RSA-DES-CBC-SHA 25945 5.4145
z:EXP-ADH-DES-CBC-SHA 148 0.0309
z:EXP-ADH-RC4-MD5 145 0.0303
z:EXP-DES-CBC-SHA 10647 2.2219
z:EXP-EDH-RSA-DES-CBC-SHA 8346 1.7417
z:EXP-RC2-CBC-MD5 12795 2.6702
z:EXP-RC4-MD5 13391 2.7946
z:EXP1024-DES-CBC-SHA 3415 0.7127
z:EXP1024-RC4-SHA 3465 0.7231
z:IDEA-CBC-MD5 1613 0.3366
z:NULL-MD5 162 0.0338
z:NULL-SHA 169 0.0353
z:NULL-SHA256 38 0.0079
z:RC2-CBC-MD5 7754 1.6182
z:RC4-64-MD5 712 0.1486

Cipher ordering Count Percent
-------------------------+---------+-------
Client side 116701 24.3544
Server side 362477 75.6456

Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 753 0.1571
AECDH 7568 1.5794
DHE 255330 53.285
ECDH 2 0.0004
ECDHE 404645 84.4457
ECDHE and DHE 212045 44.2518
RSA 411697 85.9173

Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 107150 22.3612 41.9653
DH,1338bits 1 0.0002 0.0004
DH,1536bits 1 0.0002 0.0004
DH,2048bits 139444 29.1007 54.6132
DH,2236bits 57 0.0119 0.0223
DH,2432bits 3 0.0006 0.0012
DH,3072bits 93 0.0194 0.0364
DH,3092bits 1 0.0002 0.0004
DH,4096bits 8367 1.7461 3.2769
DH,512bits 52 0.0109 0.0204
DH,768bits 313 0.0653 0.1226
DH,8192bits 7 0.0015 0.0027
ECDH,B-571,570bits 1786 0.3727 0.4414
ECDH,K-163,163bits 1 0.0002 0.0002
ECDH,P-192,192bits 15 0.0031 0.0037
ECDH,P-224,224bits 84 0.0175 0.0208
ECDH,P-256,256bits 389954 81.3798 96.3694
ECDH,P-384,384bits 4297 0.8967 1.0619
ECDH,P-521,521bits 10105 2.1088 2.4973
Prefer DH,1024bits 41750 8.7128 16.3514
Prefer DH,1536bits 1 0.0002 0.0004
Prefer DH,2048bits 4670 0.9746 1.829
Prefer DH,3072bits 7 0.0015 0.0027
Prefer DH,4096bits 333 0.0695 0.1304
Prefer DH,768bits 37 0.0077 0.0145
Prefer ECDH,B-571,570bits 1575 0.3287 0.3892
Prefer ECDH,K-163,163bits 1 0.0002 0.0002
Prefer ECDH,P-224,224bits 81 0.0169 0.02
Prefer ECDH,P-256,256bits 357787 74.6668 88.42
Prefer ECDH,P-384,384bits 3158 0.659 0.7804
Prefer ECDH,P-521,521bits 9166 1.9129 2.2652
Prefer PFS 418566 87.3508 0
Support PFS 447930 93.4788 0

Supported ECC curves Count Percent
-------------------------+---------+--------
brainpoolP256r1 5523 1.1526
brainpoolP384r1 5524 1.1528
brainpoolP512r1 5525 1.153
prime192v1 1353 0.2824
prime256v1 401476 83.7843
prime256v1 Only 345957 72.198
secp160k1 1299 0.2711
secp160r1 1304 0.2721
secp160r2 1299 0.2711
secp192k1 1314 0.2742
secp224k1 1392 0.2905
secp224r1 4371 0.9122
secp256k1 7238 1.5105
secp384r1 56063 11.6998
secp384r1 Only 584 0.1219
secp521r1 28028 5.8492
secp521r1 Only 125 0.0261
sect163k1 1310 0.2734
sect163k1 Only 3 0.0006
sect163r1 1306 0.2726
sect163r2 1307 0.2728
sect193r1 1306 0.2726
sect193r2 1304 0.2721
sect233k1 1387 0.2895
sect233r1 1386 0.2892
sect239k1 1383 0.2886
sect283k1 6795 1.4181
sect283k1 Only 1 0.0002
sect283r1 6792 1.4174
sect409k1 6793 1.4176
sect409r1 6793 1.4176
sect571k1 6797 1.4185
sect571r1 6797 1.4185

Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 43974 9.177
True 304974 63.6452
order-specific 61 0.0127
unknown 130169 27.1651

ECC curve ordering Count Percent
-------------------------+---------+--------
client 6487 1.3538
inconclusive-noecc 8 0.0017
server 395730 82.5852
unknown 76953 16.0594

TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 40044 8.3568
ECDSA-SHA1 Only 3 0.0006
ECDSA-SHA224 40035 8.3549
ECDSA-SHA256 54403 11.3534
ECDSA-SHA384 54398 11.3524
ECDSA-SHA512 54399 11.3526
ECDSA-SHA512 Only 1 0.0002
RSA-MD5 47971 10.0111
RSA-SHA1 347530 72.5263
RSA-SHA1 Only 36263 7.5678
RSA-SHA224 288147 60.1336
RSA-SHA256 318675 66.5045
RSA-SHA256 Only 6467 1.3496
RSA-SHA384 290085 60.538
RSA-SHA384 Only 2 0.0004
RSA-SHA512 290093 60.5397
RSA-SHA512 Only 126 0.0263

TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 215610 44.9958
indeterminate 32 0.0067
intolerant 4623 0.9648
order-fallback 3 0.0006
server 175045 36.5303
unsupported 17219 3.5934

TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 40031 8.3541
ECDSA intolerant 47 0.0098
ECDSA pfs-rsa-SHA512 14337 2.992
ECDSA soft-nopfs 1 0.0002
RSA False 47573 9.928
RSA SHA1 274148 57.2121
RSA intolerant 34088 7.1138
RSA pfs-ecdsa-SHA512 4 0.0008
RSA soft-nopfs 498 0.1039

Renegotiation Count Percent
-------------------------+---------+--------
False 5212 1.0877
insecure 15480 3.2305
secure 458486 95.6818

Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 7370 1.5381
False 5212 1.0877
NONE 466596 97.3743

TLS session ticket hint Count Percent
-------------------------+---------+--------
1 4 0.0008
1 only 4 0.0008
2 1 0.0002
2 only 1 0.0002
10 6 0.0013
10 only 6 0.0013
15 5 0.001
15 only 5 0.001
30 18 0.0038
30 only 17 0.0035
60 142 0.0296
60 only 138 0.0288
65 1 0.0002
65 only 1 0.0002
70 6 0.0013
100 15 0.0031
100 only 15 0.0031
120 24 0.005
120 only 24 0.005
128 3 0.0006
128 only 3 0.0006
150 1 0.0002
180 58 0.0121
180 only 55 0.0115
240 7 0.0015
240 only 7 0.0015
244 1 0.0002
244 only 1 0.0002
300 230415 48.0855
300 only 226909 47.3538
302 2 0.0004
302 only 2 0.0004
360 3 0.0006
360 only 1 0.0002
400 7 0.0015
400 only 7 0.0015
420 116 0.0242
420 only 93 0.0194
480 10 0.0021
480 only 10 0.0021
500 4 0.0008
500 only 4 0.0008
540 2 0.0004
540 only 2 0.0004
600 23920 4.9919
600 only 23758 4.9581
660 1 0.0002
660 only 1 0.0002
840 1 0.0002
840 only 1 0.0002
900 983 0.2051
900 only 962 0.2008
960 3 0.0006
960 only 3 0.0006
1000 1 0.0002
1000 only 1 0.0002
1200 2630 0.5489
1200 only 2627 0.5482
1320 1 0.0002
1320 only 1 0.0002
1500 2 0.0004
1500 only 1 0.0002
1800 500 0.1043
1800 only 491 0.1025
1980 2 0.0004
1980 only 2 0.0004
2100 2 0.0004
2100 only 1 0.0002
2400 7 0.0015
2400 only 7 0.0015
2700 10 0.0021
2700 only 10 0.0021
3000 26 0.0054
3000 only 26 0.0054
3600 664 0.1386
3600 only 655 0.1367
3900 1 0.0002
3900 only 1 0.0002
5160 1 0.0002
5160 only 1 0.0002
5400 15 0.0031
5400 only 8 0.0017
6000 214 0.0447
6000 only 214 0.0447
7200 14927 3.1151
7200 only 14908 3.1112
10800 3286 0.6858
10800 only 3277 0.6839
14400 93 0.0194
14400 only 91 0.019
18000 9 0.0019
18000 only 9 0.0019
21600 3668 0.7655
21600 only 3668 0.7655
25200 1 0.0002
25200 only 1 0.0002
28800 1854 0.3869
28800 only 1853 0.3867
36000 954 0.1991
36000 only 945 0.1972
43200 39 0.0081
43200 only 39 0.0081
60000 1 0.0002
60000 only 1 0.0002
64800 56248 11.7384
64800 only 56243 11.7374
72000 21 0.0044
72000 only 21 0.0044
79200 1 0.0002
79200 only 1 0.0002
86000 44 0.0092
86000 only 44 0.0092
86400 2743 0.5724
86400 only 2734 0.5706
100800 8629 1.8008
100800 only 8618 1.7985
115200 1 0.0002
115200 only 1 0.0002
129600 7 0.0015
129600 only 7 0.0015
172800 9 0.0019
172800 only 9 0.0019
216000 2 0.0004
216000 only 2 0.0004
259200 2 0.0004
259200 only 2 0.0004
432000 1 0.0002
432000 only 1 0.0002
604800 2 0.0004
864000 3 0.0006
864000 only 3 0.0006
7776000 2 0.0004
7776000 only 2 0.0004
None 130619 27.259
None only 126799 26.4618

Certificate sig alg Count Percent
-------------------------+---------+--------
None 8093 1.6889
ecdsa-with-SHA256 54346 11.3415
sha1WithRSAEncryption 32309 6.7426
sha256WithRSAEncryption 406902 84.9167
sha384WithRSAEncryption 3 0.0006
sha512WithRSAEncryption 52 0.0109

Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 54398 11.3524
ECDSA 384 18 0.0038
ECDSA 521 1 0.0002
RSA 1024 28 0.0058
RSA 2048 416954 87.0144
RSA 2049 3 0.0006
RSA 2056 2 0.0004
RSA 2058 2 0.0004
RSA 2084 4 0.0008
RSA 2086 1 0.0002
RSA 2096 2 0.0004
RSA 2432 1 0.0002
RSA 3071 1 0.0002
RSA 3072 118 0.0246
RSA 3073 1 0.0002
RSA 3076 2 0.0004
RSA 3096 2 0.0004
RSA 3248 2 0.0004
RSA 4048 1 0.0002
RSA 4056 17 0.0035
RSA 4092 7 0.0015
RSA 4094 1 0.0002
RSA 4096 22025 4.5964
RSA 4098 1 0.0002
RSA 8192 4 0.0008
RSA 8392 1 0.0002
RSA/ECDSA Dual Stack 14407 3.0066

OCSP stapling Count Percent
-------------------------+---------+--------
Supported 112039 23.3815
Unsupported 367139 76.6185

Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 17376 3.6262
SSL2 Only 10 0.0021
SSL3 93563 19.5257
SSL3 Only 980 0.2045
SSL3 or TLS1 Only 47829 9.9815
SSL3 or lower Only 992 0.207
TLS1 472039 98.5102
TLS1 Only 29199 6.0936
TLS1 or lower Only 63377 13.2262
TLS1.1 404578 84.4317
TLS1.1 Only 297 0.062
TLS1.1 or up Only 5984 1.2488
TLS1.2 412518 86.0887
TLS1.2 Only 2158 0.4504
TLS1.2, 1.0 but not 1.1 7981 1.6656

Statistics from 487333 chains provided by 621854 hosts

Server provided chains Count Percent
-------------------------+---------+-------
complete 436283 70.1584
incomplete 20784 3.3423
untrusted 164787 26.4993

Trusted chain statistics
========================

Chain length Count Percent
-------------------------+---------+-------
2 12 0.0025
3 485364 99.596
4 1945 0.3991
5 12 0.0025

CA key size in chains Count
-------------------------+---------
ECDSA 256 42987
ECDSA 384 42988
RSA 1024 28
RSA 2045 2
RSA 2048 746942
RSA 4096 143676

Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 42987 8.8209
ECDSA 384 42988 8.8211
RSA 1024 26 0.0053
RSA 2045 2 0.0004
RSA 2048 443976 91.1032
RSA 4096 143127 29.3694

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 42983
sha1WithRSAEncryption 37695
sha256WithRSAEncryption 279113
sha384WithRSAEncryption 129437
sha512WithRSAEncryption 62

Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 37722 7.7405
112 406613 83.4364
128.0 42998 8.8231

Root CAs Count Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 115692 23.7398
(2c543cd1) GeoTrust Global CA 85975 17.6419
(cbf06781) Go Daddy Root Certificate Authorit 43560 8.9384
(eed8c118) COMODO ECC Certification Authority 42977 8.8188
(5ad8a5d6) GlobalSign Root CA 41299 8.4745
(b204d74a) VeriSign Class 3 Public Primary Ce 28043 5.7544
(244b5494) DigiCert High Assurance EV Root CA 18414 3.7785
(2e4eed3c) thawte Primary Root CA 17524 3.5959
(fc5a8f99) USERTrust RSA Certification Author 13626 2.796
(653b494a) Baltimore CyberTrust Root 10432 2.1406
(3513523f) DigiCert Global Root CA 8525 1.7493
(ae8153b9) StartCom Certification Authority 7668 1.5735
(4bfab552) Starfield Root Certificate Authori 7663 1.5724
(480720ec) GeoTrust Primary Certification Aut 4978 1.0215

Scan performed between 22nd of February and 16th of March 2016

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic