SSL/TLS survey of 588324 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)
Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 521557 88.6513
3DES Only 618 0.105
3DES Preferred 1789 0.3041
3DES forced in TLS1.1+ 964 0.1639
AES 583623 99.201
AES Only 42928 7.2967
AES-CBC 583065 99.1061
AES-CBC Only 6504 1.1055
AES-GCM 482505 82.0135
AES-GCM Only 514 0.0874
CAMELLIA 258710 43.9741
CAMELLIA Only 3 0.0005
CHACHA20 80738 13.7234
CHACHA20 Only 4 0.0007
Insecure 56788 9.6525
RC4 168525 28.6449
RC4 Only 166 0.0282
RC4 Preferred 14971 2.5447
RC4 forced in TLS1.1+ 8083 1.3739
x:FF 29 3DES Only 661 0.1124
x:FF 29 3DES Preferred 2145 0.3646
x:FF 29 RC4 Only 245 0.0416
x:FF 29 RC4 Preferred 16797 2.8551
x:FF 29 incompatible 506 0.086
x:FF 35 3DES Only 669 0.1137
x:FF 35 3DES Preferred 2073 0.3524
x:FF 35 RC4 Only 285 0.0484
x:FF 35 RC4 Preferred 16818 2.8586
x:FF 35 incompatible 510 0.0867
x:FF 44 3DES Only 4449 0.7562
x:FF 44 3DES Preferred 8286 1.4084
x:FF 44 incompatible 795 0.1351
y:DHE-RSA-SEED-SHA 79291 13.4774
y:IDEA-CBC-SHA 75311 12.8009
y:SEED-SHA 89316 15.1814
z:ADH-AES128-GCM-SHA256 414 0.0704
z:ADH-AES128-SHA 763 0.1297
z:ADH-AES128-SHA256 275 0.0467
z:ADH-AES256-GCM-SHA384 425 0.0722
z:ADH-AES256-SHA 792 0.1346
z:ADH-AES256-SHA256 275 0.0467
z:ADH-CAMELLIA128-SHA 406 0.069
z:ADH-CAMELLIA128-SHA256 1 0.0002
z:ADH-CAMELLIA256-SHA 423 0.0719
z:ADH-CAMELLIA256-SHA256 1 0.0002
z:ADH-DES-CBC-SHA 338 0.0575
z:ADH-DES-CBC3-SHA 773 0.1314
z:ADH-RC4-MD5 578 0.0982
z:ADH-SEED-SHA 332 0.0564
z:AECDH-AES128-SHA 10505 1.7856
z:AECDH-AES256-SHA 10564 1.7956
z:AECDH-DES-CBC3-SHA 10475 1.7805
z:AECDH-NULL-SHA 91 0.0155
z:AECDH-RC4-SHA 9925 1.687
z:DES-CBC-MD5 6864 1.1667
z:DES-CBC-SHA 35454 6.0263
z:DES-CBC3-MD5 17200 2.9236
z:ECDHE-RSA-NULL-SHA 98 0.0167
z:EDH-RSA-DES-CBC-SHA 30414 5.1696
z:EXP-ADH-DES-CBC-SHA 188 0.032
z:EXP-ADH-RC4-MD5 186 0.0316
z:EXP-DES-CBC-SHA 11293 1.9195
z:EXP-EDH-RSA-DES-CBC-SHA 8983 1.5269
z:EXP-RC2-CBC-MD5 13517 2.2975
z:EXP-RC4-MD5 14150 2.4051
z:EXP1024-DES-CBC-SHA 3580 0.6085
z:EXP1024-RC4-SHA 3641 0.6189
z:IDEA-CBC-MD5 1486 0.2526
z:NULL-MD5 239 0.0406
z:NULL-SHA 242 0.0411
z:NULL-SHA256 33 0.0056
z:RC2-CBC-MD5 7118 1.2099
z:RC4-64-MD5 762 0.1295
Cipher ordering Count Percent
-------------------------+---------+-------
Client side 151229 25.7051
Server side 437095 74.2949
Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 941 0.1599
AECDH 10576 1.7976
DHE 319231 54.2611
ECDH 2 0.0003
ECDHE 509684 86.6332
ECDHE and DHE 272378 46.2973
RSA 505946 85.9979
Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 122627 20.8434 38.4132
DH,2048bits 183782 31.2382 57.5702
DH,2236bits 92 0.0156 0.0288
DH,2430bits 1 0.0002 0.0003
DH,2432bits 3 0.0005 0.0009
DH,2560bits 1 0.0002 0.0003
DH,3072bits 122 0.0207 0.0382
DH,3092bits 2 0.0003 0.0006
DH,3196bits 1 0.0002 0.0003
DH,4094bits 1 0.0002 0.0003
DH,4096bits 12216 2.0764 3.8267
DH,512bits 91 0.0155 0.0285
DH,6144bits 1 0.0002 0.0003
DH,768bits 384 0.0653 0.1203
DH,8192bits 9 0.0015 0.0028
ECDH,B-571,570bits 2788 0.4739 0.547
ECDH,K-163,163bits 1 0.0002 0.0002
ECDH,P-192,192bits 39 0.0066 0.0077
ECDH,P-224,224bits 92 0.0156 0.0181
ECDH,P-256,256bits 484945 82.4282 95.1462
ECDH,P-384,384bits 8059 1.3698 1.5812
ECDH,P-521,521bits 15676 2.6645 3.0756
ECDH,brainpoolP512r1,512bits 1 0.0002 0.0002
Prefer DH,1024bits 46364 7.8807 14.5237
Prefer DH,2048bits 5558 0.9447 1.7411
Prefer DH,3072bits 11 0.0019 0.0034
Prefer DH,4096bits 389 0.0661 0.1219
Prefer DH,768bits 45 0.0076 0.0141
Prefer ECDH,B-571,570bits 2562 0.4355 0.5027
Prefer ECDH,K-163,163bits 1 0.0002 0.0002
Prefer ECDH,P-192,192bits 1 0.0002 0.0002
Prefer ECDH,P-224,224bits 89 0.0151 0.0175
Prefer ECDH,P-256,256bits 446551 75.9022 87.6133
Prefer ECDH,P-384,384bits 6159 1.0469 1.2084
Prefer ECDH,P-521,521bits 14444 2.4551 2.8339
Prefer ECDH,brainpoolP512r1,512bits 1 0.0002 0.0002
Prefer PFS 522175 88.7564 0
Support PFS 556537 94.597 0
Supported ECC curves Count Percent
-------------------------+---------+--------
brainpoolP256r1 15666 2.6628
brainpoolP384r1 15673 2.664
brainpoolP512r1 15677 2.6647
prime192v1 1721 0.2925
prime256v1 505771 85.9681
prime256v1 Only 424806 72.2061
secp160k1 1634 0.2777
secp160r1 1641 0.2789
secp160r2 1633 0.2776
secp192k1 1647 0.2799
secp224k1 1732 0.2944
secp224r1 5585 0.9493
secp256k1 17871 3.0376
secp384r1 83624 14.2139
secp384r1 Only 2663 0.4526
secp521r1 47374 8.0524
secp521r1 Only 142 0.0241
sect163k1 1637 0.2782
sect163r1 1636 0.2781
sect163r2 1637 0.2782
sect193r1 1636 0.2781
sect193r2 1636 0.2781
sect233k1 1728 0.2937
sect233r1 1725 0.2932
sect239k1 1721 0.2925
sect283k1 17205 2.9244
sect283r1 17203 2.9241
sect409k1 17203 2.9241
sect409r1 17200 2.9236
sect571k1 17204 2.9242
sect571r1 17205 2.9244
Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 56188 9.5505
True 384116 65.2899
order-specific 30 0.0051
unknown 147990 25.1545
ECC curve ordering Count Percent
-------------------------+---------+--------
client 12072 2.0519
inconclusive-noecc 8 0.0014
server 496534 84.3981
unknown 79710 13.5487
TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 53235 9.0486
ECDSA-SHA1 Only 7 0.0012
ECDSA-SHA224 53208 9.044
ECDSA-SHA256 70734 12.023
ECDSA-SHA384 70725 12.0214
ECDSA-SHA512 70735 12.0231
ECDSA-SHA512 Only 16 0.0027
RSA-MD5 32419 5.5104
RSA-SHA1 439804 74.7554
RSA-SHA1 Only 34182 5.8101
RSA-SHA224 364514 61.958
RSA-SHA256 414576 70.4673
RSA-SHA256 Only 7888 1.3408
RSA-SHA384 377143 64.1046
RSA-SHA384 Only 4 0.0007
RSA-SHA512 377071 64.0924
RSA-SHA512 Only 85 0.0144
TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 276407 46.9821
indeterminate 52 0.0088
intolerant 6076 1.0328
order-fallback 9 0.0015
server 217108 36.9028
unsupported 15976 2.7155
TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 53190 9.0409
ECDSA intolerant 134 0.0228
ECDSA pfs-rsa-SHA512 17450 2.9661
ECDSA soft-nopfs 9 0.0015
RSA False 32115 5.4587
RSA SHA1 374923 63.7273
RSA intolerant 41684 7.0852
RSA pfs-ecdsa-SHA512 26 0.0044
RSA soft-nopfs 481 0.0818
Renegotiation Count Percent
-------------------------+---------+--------
False 5021 0.8534
insecure 16740 2.8454
secure 566563 96.3012
Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 7345 1.2485
False 5021 0.8534
NONE 575958 97.8981
TLS session ticket hint Count Percent
-------------------------+---------+--------
1 2 0.0003
1 only 2 0.0003
2 1 0.0002
2 only 1 0.0002
5 9 0.0015
5 only 9 0.0015
10 8 0.0014
10 only 8 0.0014
15 7 0.0012
15 only 7 0.0012
30 24 0.0041
30 only 24 0.0041
60 159 0.027
60 only 151 0.0257
65 2 0.0003
65 only 2 0.0003
70 8 0.0014
70 only 7 0.0012
75 1 0.0002
75 only 1 0.0002
90 1 0.0002
90 only 1 0.0002
100 15 0.0025
100 only 15 0.0025
120 24 0.0041
120 only 24 0.0041
128 6 0.001
128 only 5 0.0008
150 2 0.0003
180 72 0.0122
180 only 70 0.0119
240 13 0.0022
240 only 13 0.0022
244 2 0.0003
244 only 2 0.0003
300 294538 50.0639
300 only 291166 49.4908
302 2 0.0003
302 only 2 0.0003
360 3 0.0005
360 only 2 0.0003
400 4 0.0007
400 only 4 0.0007
420 133 0.0226
420 only 113 0.0192
480 11 0.0019
480 only 10 0.0017
500 3 0.0005
500 only 3 0.0005
540 4 0.0007
540 only 4 0.0007
600 28048 4.7674
600 only 27923 4.7462
700 3 0.0005
700 only 3 0.0005
840 2 0.0003
840 only 2 0.0003
900 1508 0.2563
900 only 1487 0.2528
960 4 0.0007
960 only 4 0.0007
1000 1 0.0002
1000 only 1 0.0002
1200 3403 0.5784
1200 only 3400 0.5779
1210 2 0.0003
1210 only 2 0.0003
1320 1 0.0002
1320 only 1 0.0002
1380 1 0.0002
1380 only 1 0.0002
1440 1 0.0002
1440 only 1 0.0002
1500 7 0.0012
1500 only 6 0.001
1800 698 0.1186
1800 only 680 0.1156
1980 2 0.0003
1980 only 2 0.0003
2100 2 0.0003
2100 only 1 0.0002
2160 1 0.0002
2160 only 1 0.0002
2400 9 0.0015
2400 only 9 0.0015
2700 10 0.0017
2700 only 10 0.0017
3000 38 0.0065
3000 only 38 0.0065
3300 1 0.0002
3300 only 1 0.0002
3600 1035 0.1759
3600 only 1024 0.1741
3900 2 0.0003
3900 only 2 0.0003
4200 1 0.0002
4500 1 0.0002
4500 only 1 0.0002
5160 1 0.0002
5160 only 1 0.0002
5400 22 0.0037
5400 only 6 0.001
6000 345 0.0586
6000 only 345 0.0586
7200 15012 2.5517
7200 only 14995 2.5488
8100 1 0.0002
8100 only 1 0.0002
9000 2 0.0003
9000 only 2 0.0003
10800 5061 0.8602
10800 only 5045 0.8575
14400 106 0.018
14400 only 106 0.018
18000 11 0.0019
18000 only 11 0.0019
21600 4326 0.7353
21600 only 4324 0.735
25200 1 0.0002
25200 only 1 0.0002
28800 2688 0.4569
28800 only 2688 0.4569
30000 3 0.0005
30000 only 1 0.0002
36000 1246 0.2118
36000 only 1240 0.2108
43200 61 0.0104
43200 only 61 0.0104
54000 1 0.0002
54000 only 1 0.0002
60000 2 0.0003
60000 only 2 0.0003
64800 70216 11.9349
64800 only 70188 11.9302
72000 12 0.002
72000 only 12 0.002
79200 1 0.0002
79200 only 1 0.0002
86400 2835 0.4819
86400 only 2826 0.4803
100800 9392 1.5964
100800 only 9375 1.5935
108000 1 0.0002
108000 only 1 0.0002
115200 1 0.0002
115200 only 1 0.0002
129600 7 0.0012
129600 only 7 0.0012
172800 55 0.0093
172800 only 55 0.0093
216000 4 0.0007
216000 only 4 0.0007
259200 3 0.0005
259200 only 3 0.0005
432000 1 0.0002
432000 only 1 0.0002
604800 1 0.0002
864000 3 0.0005
864000 only 3 0.0005
7776000 1 0.0002
7776000 only 1 0.0002
None 150759 25.6252
None only 147078 24.9995
Certificate sig alg Count Percent
-------------------------+---------+--------
None 11191 1.9022
ecdsa-with-SHA256 67977 11.5543
sha1WithRSAEncryption 23775 4.0411
sha256WithRSAEncryption 514022 87.3706
sha384WithRSAEncryption 8 0.0014
sha512WithRSAEncryption 67 0.0114
Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 70749 12.0255
ECDSA 384 34 0.0058
ECDSA 521 1 0.0002
RSA 1024 17 0.0029
RSA 2048 507589 86.2771
RSA 2049 2 0.0003
RSA 2056 1 0.0002
RSA 2058 3 0.0005
RSA 2059 1 0.0002
RSA 2084 1 0.0002
RSA 2086 1 0.0002
RSA 2096 3 0.0005
RSA 2408 1 0.0002
RSA 2432 2 0.0003
RSA 2560 1 0.0002
RSA 2948 1 0.0002
RSA 3072 156 0.0265
RSA 3073 1 0.0002
RSA 3096 2 0.0003
RSA 3248 2 0.0003
RSA 4048 4 0.0007
RSA 4056 16 0.0027
RSA 4069 1 0.0002
RSA 4086 3 0.0005
RSA 4092 2 0.0003
RSA 4094 1 0.0002
RSA 4095 1 0.0002
RSA 4096 29945 5.0899
RSA 4196 1 0.0002
RSA 8192 11 0.0019
RSA 8392 1 0.0002
RSA/ECDSA Dual Stack 20215 3.436
OCSP stapling Count Percent
-------------------------+---------+--------
Supported 127611 21.6906
Unsupported 460713 78.3094
Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 17372 2.9528
SSL2 Only 13 0.0022
SSL3 102349 17.3967
SSL3 Only 1020 0.1734
SSL3 or TLS1 Only 54445 9.2543
SSL3 or lower Only 1028 0.1747
TLS1 576797 98.0407
TLS1 Only 33030 5.6143
TLS1 or lower Only 70001 11.8984
TLS1.1 507108 86.1954
TLS1.1 Only 42 0.0071
TLS1.1 or up Only 10330 1.7558
TLS1.2 515617 87.6417
TLS1.2 Only 3098 0.5266
TLS1.2, 1.0 but not 1.1 7000 1.1898
Statistics from 622291 chains provided by 724741 hosts
Server provided chains Count Percent
-------------------------+---------+-------
complete 563959 77.8152
incomplete 21088 2.9097
untrusted 139694 19.275
Trusted chain statistics
========================
Chain length Count Percent
-------------------------+---------+-------
2 2 0.0003
3 618971 99.4665
4 3305 0.5311
5 13 0.0021
CA key size in chains Count
-------------------------+---------
ECDSA 256 67969
ECDSA 384 67967
RSA 1024 10
RSA 2045 2
RSA 2048 918447
RSA 4096 193516
Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 67969 10.9224
ECDSA 384 67967 10.9221
RSA 1024 8 0.0013
RSA 2045 2 0.0003
RSA 2048 553908 89.0111
RSA 4096 192863 30.9924
Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 67958
sha1WithRSAEncryption 27126
sha256WithRSAEncryption 356410
sha384WithRSAEncryption 174062
sha512WithRSAEncryption 64
Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 27123 4.3586
112 527185 84.7168
128 67983 10.9246
Most common root CAs Count Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 156327 25.1212
(2c543cd1) GeoTrust Global CA 97389 15.6501
(eed8c118) COMODO ECC Certification Authority 67950 10.9193
(5ad8a5d6) GlobalSign Root CA 54936 8.828
(cbf06781) Go Daddy Root Certificate Authorit 48751 7.8341
(b204d74a) VeriSign Class 3 Public Primary Ce 32016 5.1449
(244b5494) DigiCert High Assurance EV Root CA 19865 3.1922
(2e4eed3c) thawte Primary Root CA 18906 3.0381
(fc5a8f99) USERTrust RSA Certification Author 17597 2.8278
(2e5ac55d) DST Root CA X3 17594 2.8273
(653b494a) Baltimore CyberTrust Root 11729 1.8848
(3513523f) DigiCert Global Root CA 10305 1.656
(ae8153b9) StartCom Certification Authority 9737 1.5647
(4bfab552) Starfield Root Certificate Authori 8211 1.3195
Scan performed between 30th of May and 18th of June 2016
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web:
www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic