TLS Survey for May 2014

Hubert Kario hkario at redhat.com
Mon May 19 18:17:21 UTC 2014


Hi all,

I've scanned the Alexa top 1 million again.

Since we've had Heartbleed in between this and previous scan,
the differences are visible.

Key points:
 * percent of RC4 only servers is falling (is 1.38%, was 1.77%)
 * percent of sites that prefer RC4 has fallen by small amount (is 18.7%,
   was 19.5%)...
 * ...but percent of sites that use RC4 in TLS1.1+ has grown (is 11.78%,
   was 10.4%)
 * percent of certificates signed with SHA256 has grown significantly
   (is 10%, was 5.2%)
 * emergence of first sites that use only certificates signed with ECDSA
 * number of sites supporting TLS1.2 continues to grow (is 54%,
   was 47%)

SSL/TLS survey of 318366 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate
installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      276767    86.9336
3DES Only                 138       0.0433
AES                       296231    93.0473
AES Only                  931       0.2924
AES-CBC Only              589       0.185
AES-GCM                   121700    38.2264
AES-GCM Only              4         0.0013
CAMELLIA                  127348    40.0005
CAMELLIA Only             1         0.0003
CHACHA20                  19834     6.2299
RC4                       283666    89.1006
RC4 Only                  4401      1.3824
RC4 Preferred             59422     18.6647
RC4 forced in TLS1.1+     37507     11.7811
z:ADH-DES-CBC-SHA         1031      0.3238
z:ADH-SEED-SHA            863       0.2711
z:AECDH-NULL-SHA          9         0.0028
z:DES-CBC-MD5             254       0.0798
z:DES-CBC-SHA             60478     18.9964
z:DHE-RSA-SEED-SHA        51890     16.2989
z:ECDHE-RSA-NULL-SHA      7         0.0022
z:EDH-RSA-DES-CBC-SHA     49291     15.4825
z:EXP-ADH-DES-CBC-SHA     625       0.1963
z:EXP-DES-CBC-SHA         49466     15.5375
z:EXP-EDH-RSA-DES-CBC-SHA 35342     11.1011
z:EXP-RC2-CBC-MD5         46932     14.7415
z:IDEA-CBC-MD5            27        0.0085
z:IDEA-CBC-SHA            51847     16.2853
z:NULL-MD5                319       0.1002
z:NULL-SHA                313       0.0983
z:NULL-SHA256             10        0.0031
z:RC2-CBC-MD5             281       0.0883
z:SEED-SHA                65444     20.5562

Supported Handshakes      Count     Percent
-------------------------+---------+-------
DHE                       153909    48.3434
ECDHE                     134412    42.2193

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               145147    45.5912  94.307
DH,2048bits               7568      2.3771   4.9172
DH,3072bits               2         0.0006   0.0013
DH,3248bits               2         0.0006   0.0013
DH,4096bits               428       0.1344   0.2781
DH,4097bits               2         0.0006   0.0013
DH,512bits                92        0.0289   0.0598
DH,768bits                673       0.2114   0.4373
ECDH,B-163,163bits        1         0.0003   0.0007
ECDH,B-571,570bits        294       0.0923   0.2187
ECDH,P-224,224bits        3         0.0009   0.0022
ECDH,P-256,256bits        133565    41.9533  99.3698
ECDH,P-384,384bits        165       0.0518   0.1228
ECDH,P-521,521bits        450       0.1413   0.3348
Prefer DH,1024bits        98851     31.0495  64.2269
Prefer DH,2048bits        2143      0.6731   1.3924
Prefer DH,4096bits        34        0.0107   0.0221
Prefer DH,512bits         1         0.0003   0.0006
Prefer DH,768bits         74        0.0232   0.0481
Prefer ECDH,B-163,163bits 1         0.0003   0.0007
Prefer ECDH,B-571,570bits 236       0.0741   0.1756
Prefer ECDH,P-256,256bits 94746     29.7601  70.4892
Prefer ECDH,P-384,384bits 115       0.0361   0.0856
Prefer ECDH,P-521,521bits 409       0.1285   0.3043
Prefer PFS                196610    61.756   0
Support PFS               245327    77.0582  0

Certificate sig alg     Count     Percent 
-------------------------+---------+--------
None                      9994      3.1392   
ecdsa-with-SHA256         2         0.0006   
sha1WithRSAEncryption     286277    89.9207  
sha256WithRSAEncryption   32146     10.0972  

Certificate key size    Count     Percent 
-------------------------+---------+--------
ECDSA 384                 2         0.0006   
RSA 1024                  1935      0.6078   
RSA 2028                  1         0.0003   
RSA 2047                  2         0.0006   
RSA 2048                  304898    95.7696  
RSA 2049                  2         0.0006   
RSA 2056                  3         0.0009   
RSA 2058                  1         0.0003   
RSA 2060                  1         0.0003   
RSA 2064                  1         0.0003   
RSA 2080                  3         0.0009   
RSA 2084                  4         0.0013   
RSA 2345                  1         0.0003   
RSA 2408                  1         0.0003   
RSA 2432                  60        0.0188   
RSA 2536                  1         0.0003   
RSA 2612                  1         0.0003   
RSA 3000                  1         0.0003   
RSA 3050                  1         0.0003   
RSA 3072                  19        0.006    
RSA 3248                  3         0.0009   
RSA 3600                  1         0.0003   
RSA 4042                  1         0.0003   
RSA 4046                  1         0.0003   
RSA 4048                  1         0.0003   
RSA 4069                  1         0.0003   
RSA 4086                  1         0.0003   
RSA 4092                  2         0.0006   
RSA 4096                  11427     3.5893   
RSA 4098                  1         0.0003   
RSA 4192                  2         0.0006   
RSA 8192                  3         0.0009   
RSA/ECDSA Dual Stack      0         0.0

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      621       0.1951
SSL2 Only                 73        0.0229
SSL3                      314763    98.8683
SSL3 Only                 3524      1.1069
SSL3 or TLS1 Only         140708    44.1969
TLS1                      314191    98.6886
TLS1 Only                 1117      0.3509
TLS1.1                    164225    51.5837
TLS1.1 Only               8         0.0025
TLS1.1 or up Only         68        0.0214
TLS1.2                    173049    54.3554
TLS1.2 Only               48        0.0151
TLS1.2, 1.0 but not 1.1   12720     3.9954

Scan performed between 7th and 15th of May 2014,
full results available upon request - 45MiB xz
tarball.

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario at redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic


More information about the security mailing list