TLS scan results for August 2014
Hubert Kario
hkario at redhat.com
Mon Aug 25 12:26:12 UTC 2014
Not many exciting changes, just a continuation of previous trends.
SHA-256 has grown by 2%, RC4 basically unchanged.
As always, detailed commentary on my blog:
https://securitypitfalls.wordpress.com/2014/08/25/august-2014-scan-results/
SSL/TLS survey of 397695 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)

Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      345059    86.7647
3DES Only                 209       0.0526
AES                       369030    92.7922
AES Only                  1951      0.4906
AES-CBC Only              1030      0.259
AES-GCM                   162425    40.8416
AES-GCM Only              41        0.0103
CAMELLIA                  164197    41.2872
CAMELLIA Only             4         0.001
CHACHA20                  14719     3.7011
CHACHA20 Only             6         0.0015
RC4                       350479    88.1276
RC4 Only                  3807      0.9573
RC4 Preferred             74692     18.7812
RC4 forced in TLS1.1+     51533     12.9579
x:FF 29 RC4 Only          6327      1.5909
x:FF 29 RC4 Preferred     16784     4.2203
x:FF 29 incompatible      301       0.0757
z:ADH-AES128-GCM-SHA256   348       0.0875
z:ADH-AES128-SHA          1444      0.3631
z:ADH-AES128-SHA256       324       0.0815
z:ADH-AES256-GCM-SHA384   335       0.0842
z:ADH-AES256-SHA          1447      0.3638
z:ADH-AES256-SHA256       328       0.0825
z:ADH-CAMELLIA128-SHA     692       0.174
z:ADH-CAMELLIA256-SHA     699       0.1758
z:ADH-DES-CBC-SHA         699       0.1758
z:ADH-DES-CBC3-SHA        1490      0.3747
z:ADH-RC4-MD5             1297      0.3261
z:ADH-SEED-SHA            514       0.1292
z:AECDH-AES128-SHA        14496     3.645
z:AECDH-AES256-SHA        14533     3.6543
z:AECDH-DES-CBC3-SHA      14471     3.6387
z:AECDH-NULL-SHA          22        0.0055
z:AECDH-RC4-SHA           13603     3.4205
z:DES-CBC-MD5             26778     6.7333
z:DES-CBC-SHA             69202     17.4008
z:DHE-RSA-SEED-SHA        70054     17.615
z:ECDHE-RSA-NULL-SHA      25        0.0063
z:EDH-RSA-DES-CBC-SHA     60963     15.3291
z:EXP-ADH-DES-CBC-SHA     489       0.123
z:EXP-ADH-RC4-MD5         493       0.124
z:EXP-DES-CBC-SHA         54942     13.8151
z:EXP-EDH-RSA-DES-CBC-SHA 43030     10.8198
z:EXP-RC2-CBC-MD5         59737     15.0208
z:IDEA-CBC-MD5            4021      1.0111
z:IDEA-CBC-SHA            64231     16.1508
z:NULL-MD5                353       0.0888
z:NULL-SHA                351       0.0883
z:NULL-SHA256             7         0.0018
z:RC2-CBC-MD5             30955     7.7836
z:SEED-SHA                83118     20.8999

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               177721    44.6878
Server side               219974    55.3122

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1555      0.391
AECDH                     14564     3.6621
DHE                       202555    50.9322
ECDHE                     184261    46.3322
ECDHE and DHE             73679     18.5265
RSA                       396177    99.6183

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               186744    46.9566  92.1942
DH,2048bits               14169     3.5628   6.9951
DH,2226bits               2         0.0005   0.001
DH,3072bits               4         0.001    0.002
DH,3242bits               1         0.0003   0.0005
DH,3248bits               2         0.0005   0.001
DH,4096bits               703       0.1768   0.3471
DH,512bits                43198     10.8621  21.3266
DH,768bits                759       0.1908   0.3747
DH,8192bits               2         0.0005   0.001
ECDH,B-163,163bits        13        0.0033   0.0071
ECDH,B-571,570bits        398       0.1001   0.216
ECDH,P-224,224bits        4         0.001    0.0022
ECDH,P-256,256bits        182896    45.989   99.2592
ECDH,P-384,384bits        232       0.0583   0.1259
ECDH,P-521,521bits        821       0.2064   0.4456
Prefer DH,1024bits        115759    29.1075  57.1494
Prefer DH,2048bits        1154      0.2902   0.5697
Prefer DH,4096bits        50        0.0126   0.0247
Prefer DH,512bits         2         0.0005   0.001
Prefer DH,768bits         87        0.0219   0.043
Prefer ECDH,B-163,163bits 13        0.0033   0.0071
Prefer ECDH,B-571,570bits 318       0.08     0.1726
Prefer ECDH,P-224,224bits 1         0.0003   0.0005
Prefer ECDH,P-256,256bits 134334    33.7781  72.9042
Prefer ECDH,P-384,384bits 157       0.0395   0.0852
Prefer ECDH,P-521,521bits 749       0.1883   0.4065
Prefer PFS                252624    63.522   0
Support PFS               313137    78.738   0

TLS session ticket hint   Count     Percent
-------------------------+---------+--------
5                         1         0.0003
5 only                    1         0.0003
10                        3         0.0008
10 only                   1         0.0003
30                        2         0.0005
30 only                   2         0.0005
42                        1         0.0003
60                        46        0.0116
60 only                   41        0.0103
100                       4         0.001
100 only                  4         0.001
120                       10        0.0025
120 only                  10        0.0025
128                       4         0.001
128 only                  4         0.001
180                       29        0.0073
180 only                  29        0.0073
240                       4         0.001
240 only                  4         0.001
300                       155200    39.0249
300 only                  135627    34.1033
420                       19        0.0048
420 only                  10        0.0025
480                       6         0.0015
480 only                  6         0.0015
600                       6888      1.732
600 only                  6597      1.6588
900                       216       0.0543
900 only                  190       0.0478
960                       2         0.0005
960 only                  2         0.0005
1200                      60        0.0151
1200 only                 57        0.0143
1500                      9         0.0023
1500 only                 8         0.002
1800                      123       0.0309
1800 only                 120       0.0302
2100                      1         0.0003
2100 only                 1         0.0003
2400                      1         0.0003
2400 only                 1         0.0003
2700                      2         0.0005
2700 only                 2         0.0005
3000                      5         0.0013
3000 only                 4         0.001
3600                      234       0.0588
3600 only                 227       0.0571
5400                      2         0.0005
6000                      1         0.0003
6000 only                 1         0.0003
7200                      10748     2.7026
7200 only                 8222      2.0674
10800                     11        0.0028
10800 only                6         0.0015
14400                     722       0.1815
14400 only                716       0.18
18000                     1         0.0003
21600                     26        0.0065
21600 only                26        0.0065
28800                     3         0.0008
28800 only                3         0.0008
30720                     1         0.0003
30720 only                1         0.0003
36000                     402       0.1011
36000 only                399       0.1003
43200                     6311      1.5869
43200 only                6224      1.565
64800                     9640      2.424
64800 only                9602      2.4144
86000                     32        0.008
86000 only                29        0.0073
86400                     92        0.0231
86400 only                85        0.0214
100800                    14758     3.7109
100800 only               57        0.0143
115200                    1         0.0003
115200 only               1         0.0003
129600                    7         0.0018
129600 only               6         0.0015
604800                    1         0.0003
604800 only               1         0.0003
864000                    6         0.0015
864000 only               6         0.0015
None                      229357    57.6716
None only                 192066    48.2948

Certificate sig alg       Count     Percent
-------------------------+---------+--------
None                      15912     4.0011
ecdsa-with-SHA256         3         0.0008
sha1WithRSAEncryption     338957    85.2304
sha256WithRSAEncryption   58772     14.7782

Certificate key size      Count     Percent
-------------------------+---------+--------
ECDSA 256                 8235      2.0707
ECDSA 384                 1         0.0003
RSA 1024                  1880      0.4727
RSA 2028                  1         0.0003
RSA 2047                  2         0.0005
RSA 2048                  381923    96.0341
RSA 2056                  5         0.0013
RSA 2058                  1         0.0003
RSA 2060                  1         0.0003
RSA 2064                  1         0.0003
RSA 2080                  2         0.0005
RSA 2084                  5         0.0013
RSA 2408                  3         0.0008
RSA 2432                  28        0.007
RSA 2536                  1         0.0003
RSA 2612                  1         0.0003
RSA 3050                  1         0.0003
RSA 3072                  37        0.0093
RSA 3096                  1         0.0003
RSA 3248                  4         0.001
RSA 3600                  1         0.0003
RSA 4042                  1         0.0003
RSA 4046                  2         0.0005
RSA 4048                  2         0.0005
RSA 4086                  1         0.0003
RSA 4092                  2         0.0005
RSA 4096                  13721     3.4501
RSA 4098                  3         0.0008
RSA 4192                  1         0.0003
RSA 8192                  6         0.0015
RSA 16384                 1         0.0003
RSA/ECDSA Dual Stack      8153      2.0501

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 41610     10.4628
Unsupported               356085    89.5372

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      48288     12.142
SSL2 Only                 6029      1.516
SSL3                      379667    95.4669
SSL3 Only                 4125      1.0372
SSL3 or TLS1 Only         117512    29.5483
TLS1                      385363    96.8991
TLS1 Only                 3015      0.7581
TLS1.1                    218025    54.8222
TLS1.1 Only               37        0.0093
TLS1.1 or up Only         709       0.1783
TLS1.2                    229097    57.6062
TLS1.2 Only               374       0.094
TLS1.2, 1.0 but not 1.1   15264     3.8381
Scan performed between 8th and 19th of August 2014.
Statistics from 443385 chains provided by 585568 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  365544    62.4255
incomplete                29700     5.072
untrusted                 190324    32.5025
Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         2394      0.5399
3                         431592    97.3402
4                         9378      2.1151
5                         21        0.0047

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 3
ECDSA 384                 3
RSA 1024                  1733
RSA 2045                  1
RSA 2048                  874329
RSA 4096                  17727

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 3         0.0007
ECDSA 384                 3         0.0007
RSA 1024                  1723      0.3886
RSA 2045                  1         0.0002
RSA 2048                  441708    99.6218
RSA 4096                  17345     3.912

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              3
sha1WithRSAEncryption          387560
sha256WithRSAEncryption        50026
sha384WithRSAEncryption        12822

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        388390    87.5966
112                       54992     12.4028
128                       3         0.0007

Root CAs                                      Count     Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA                 115908    26.1416
(157753a5) AddTrust External CA Root          69723     15.7252
(5ad8a5d6) GlobalSign Root CA                 44630     10.0657
(2e4eed3c) thawte Primary Root CA             29574     6.67
(cbf06781) Go Daddy Root Certificate Authorit 28151     6.3491
(f081611a) The Go Daddy Group, Inc.           26956     6.0796
(b204d74a) VeriSign Class 3 Public Primary Ce 26596     5.9984
(244b5494) DigiCert High Assurance EV Root CA 22613     5.1001
(b13cc6df) UTN-USERFirst-Hardware             12983     2.9282
(40547a79) COMODO Certification Authority     11362     2.5626
(653b494a) Baltimore CyberTrust Root          10593     2.3891
(ae8153b9) StartCom Certification Authority   9134      2.0601
(f387163d) Starfield Technologies, Inc.       7934      1.7894
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario at redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic