TLS Survey for June 2014

Hubert Kario hkario at redhat.com
Tue Jun 24 14:58:23 UTC 2014


"RC4 Only" servers have fallen below 1%!

Also, continued increase in SHA-256 signed certificates,
PFS support and TLS 1.2 penetration.

A detailed analysis and comparison to last month's results is
available here:
https://securitypitfalls.wordpress.com/2014/06/24/rc4-only

This time the scan was performed using a SNI-aware scanner,
so the results are a bit different. Last month's results from
a parallel, SNI-aware scan are also available on my blog.


SSL/TLS survey of 350949 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that also have a valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      305304    86.9938
3DES Only                 137       0.039
AES                       329405    93.8612
AES Only                  923       0.263
AES-CBC Only              616       0.1755
AES-GCM                   137654    39.2234
AES-GCM Only              3         0.0009
CAMELLIA                  141331    40.2711
CHACHA20                  16443     4.6853
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
z:ADH-AES128-GCM-SHA256   320       0.0912
z:ADH-AES128-SHA          1336      0.3807
z:ADH-AES128-SHA256       299       0.0852
z:ADH-AES256-GCM-SHA384   305       0.0869
z:ADH-AES256-SHA          1338      0.3813
z:ADH-AES256-SHA256       302       0.0861
z:ADH-CAMELLIA128-SHA     706       0.2012
z:ADH-CAMELLIA256-SHA     713       0.2032
z:ADH-DES-CBC-SHA         740       0.2109
z:ADH-DES-CBC3-SHA        1405      0.4003
z:ADH-RC4-MD5             1268      0.3613
z:ADH-SEED-SHA            392       0.1117
z:AECDH-AES128-SHA        10114     2.8819
z:AECDH-AES256-SHA        10117     2.8828
z:AECDH-DES-CBC3-SHA      10087     2.8742
z:AECDH-NULL-SHA          16        0.0046
z:AECDH-RC4-SHA           9668      2.7548
z:DES-CBC-SHA             67043     19.1033
z:DHE-RSA-SEED-SHA        58392     16.6383
z:ECDHE-RSA-NULL-SHA      19        0.0054
z:EDH-RSA-DES-CBC-SHA     52382     14.9258
z:EXP-ADH-DES-CBC-SHA     453       0.1291
z:EXP-ADH-RC4-MD5         456       0.1299
z:EXP-DES-CBC-SHA         55024     15.6786
z:EXP-EDH-RSA-DES-CBC-SHA 37222     10.6061
z:EXP-RC2-CBC-MD5         52973     15.0942
z:IDEA-CBC-SHA            62257     17.7396
z:NULL-MD5                333       0.0949
z:NULL-SHA                330       0.094
z:NULL-SHA256             18        0.0051
z:SEED-SHA                72273     20.5936

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1461      0.4163
AECDH                     10145     2.8907
DHE                       170916    48.7011
ECDH                      1         0.0003
ECDHE                     158213    45.0815
ECDHE and DHE             54584     15.5533
RSA                       350676    99.9222

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               158684    45.2157  92.8433
DH,2048bits               10821     3.0834   6.3312
DH,2226bits               2         0.0006   0.0012
DH,3072bits               5         0.0014   0.0029
DH,3246bits               2         0.0006   0.0012
DH,3248bits               2         0.0006   0.0012
DH,4096bits               538       0.1533   0.3148
DH,512bits                37361     10.6457  21.8593
DH,768bits                720       0.2052   0.4213
ECDH,B-163,163bits        18        0.0051   0.0114
ECDH,B-571,570bits        347       0.0989   0.2193
ECDH,P-224,224bits        5         0.0014   0.0032
ECDH,P-256,256bits        157058    44.7524  99.27
ECDH,P-384,384bits        184       0.0524   0.1163
ECDH,P-521,521bits        683       0.1946   0.4317
Prefer DH,1024bits        103305    29.4359  60.442
Prefer DH,2048bits        2429      0.6921   1.4212
Prefer DH,4096bits        36        0.0103   0.0211
Prefer DH,512bits         2         0.0006   0.0012
Prefer DH,768bits         83        0.0237   0.0486
Prefer ECDH,B-163,163bits 18        0.0051   0.0114
Prefer ECDH,B-571,570bits 270       0.0769   0.1707
Prefer ECDH,P-224,224bits 3         0.0009   0.0019
Prefer ECDH,P-256,256bits 114187    32.5366  72.173
Prefer ECDH,P-384,384bits 120       0.0342   0.0758
Prefer ECDH,P-521,521bits 636       0.1812   0.402
Prefer PFS                221089    62.9975  0
Support PFS               274545    78.2293  0

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
5                         1         0.0003   
5 only                    1         0.0003   
10                        2         0.0006   
10 only                   2         0.0006   
30                        1         0.0003   
30 only                   1         0.0003   
42                        1         0.0003   
42 only                   1         0.0003   
60                        12        0.0034   
60 only                   7         0.002    
120                       2         0.0006   
120 only                  2         0.0006   
128                       1         0.0003   
128 only                  1         0.0003   
180                       21        0.006    
180 only                  21        0.006    
300                       125932    35.8833  
300 only                  110959    31.6168  
420                       8         0.0023   
420 only                  7         0.002    
480                       5         0.0014   
480 only                  5         0.0014   
600                       4723      1.3458   
600 only                  4590      1.3079   
900                       151       0.043    
900 only                  125       0.0356   
960                       1         0.0003   
960 only                  1         0.0003   
1200                      52        0.0148   
1200 only                 51        0.0145   
1500                      7         0.002    
1500 only                 7         0.002    
1800                      97        0.0276   
1800 only                 93        0.0265   
2400                      1         0.0003   
2400 only                 1         0.0003   
3000                      3         0.0009   
3000 only                 2         0.0006   
3600                      162       0.0462   
3600 only                 158       0.045    
5400                      1         0.0003   
6000                      1         0.0003   
6000 only                 1         0.0003   
7200                      10307     2.9369   
7200 only                 1565      0.4459   
10800                     5         0.0014   
10800 only                2         0.0006   
14400                     675       0.1923   
14400 only                675       0.1923   
18000                     3         0.0009   
18000 only                1         0.0003   
21600                     23        0.0066   
21600 only                23        0.0066   
28800                     5         0.0014   
28800 only                5         0.0014   
30720                     1         0.0003   
30720 only                1         0.0003   
36000                     521       0.1485   
36000 only                519       0.1479   
43200                     6485      1.8478   
43200 only                6481      1.8467   
64800                     8656      2.4665   
64800 only                8651      2.465    
86000                     30        0.0085   
86000 only                30        0.0085   
86400                     4061      1.1571   
86400 only                4060      1.1569   
100800                    16457     4.6893   
100800 only               13        0.0037   
115200                    1         0.0003   
115200 only               1         0.0003   
129600                    6         0.0017   
129600 only               6         0.0017   
864000                    6         0.0017   
864000 only               6         0.0017   
None                      212871    60.6558  
None only                 172526    49.1598  

Certificate sig alg       Count     Percent 
-------------------------+---------+--------
None                      11549     3.2908   
ecdsa-with-SHA256         1         0.0003   
sha1WithRSAEncryption     308984    88.0424  
sha256WithRSAEncryption   41971     11.9593  

Certificate key size      Count     Percent 
-------------------------+---------+--------
ECDSA 256                 9203      2.6223   
ECDSA 384                 2         0.0006   
RSA 1024                  1881      0.536    
RSA 2028                  1         0.0003   
RSA 2047                  2         0.0006   
RSA 2048                  336774    95.961   
RSA 2056                  3         0.0009   
RSA 2058                  1         0.0003   
RSA 2060                  1         0.0003   
RSA 2064                  1         0.0003   
RSA 2080                  2         0.0006   
RSA 2084                  4         0.0011   
RSA 2408                  1         0.0003   
RSA 2432                  58        0.0165   
RSA 2536                  1         0.0003   
RSA 2612                  1         0.0003   
RSA 3050                  1         0.0003   
RSA 3072                  31        0.0088   
RSA 3073                  1         0.0003   
RSA 3248                  4         0.0011   
RSA 3600                  1         0.0003   
RSA 4042                  1         0.0003   
RSA 4046                  2         0.0006   
RSA 4048                  2         0.0006   
RSA 4086                  1         0.0003   
RSA 4092                  2         0.0006   
RSA 4096                  12167     3.4669   
RSA 4098                  2         0.0006   
RSA 4192                  1         0.0003   
RSA 8192                  1         0.0003   
RSA/ECDSA Dual Stack      9197      2.6206

OCSP stapling             Count     Percent 
-------------------------+---------+--------
Supported                 52153     14.8606  
Unsupported               298796    85.1394  

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      1         0.0003
SSL3                      346615    98.7651
SSL3 Only                 3485      0.993
SSL3 or TLS1 Only         145785    41.5402
TLS1                      346981    98.8694
TLS1 Only                 1030      0.2935
TLS1.1                    190351    54.2389
TLS1.1 Only               5         0.0014
TLS1.1 or up Only         29        0.0083
TLS1.2                    201166    57.3206
TLS1.2 Only               14        0.004
TLS1.2, 1.0 but not 1.1   14702     4.1892

Scan performed between 10th and 24th June 2014.

Detailed scan results available on request (48MiB xz tarball)

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario at redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

