TLS Survey for May 2014
Hubert Kario
hkario at redhat.com
Mon May 19 18:17:21 UTC 2014
Hi all,

I've scanned the Alexa top 1 million again.

Since we've had Heartbleed in between this and the previous scan,
the differences are visible.

Key points:
* percent of RC4 only servers is falling (is 1.38%, was 1.77%)
* percent of sites that prefer RC4 has fallen by small amount (is 18.7%,
was 19.5%)...
* ...but percent of sites that use RC4 in TLS1.1+ has grown (is 11.78%,
was 10.4%)
* percent of certificates signed with SHA256 has grown significantly
(is 10%, was 5.2%)
* emergence of first sites that use only certificates signed with ECDSA
* number of sites supporting TLS1.2 continues to grow (is 54%,
was 47%)
SSL/TLS survey of 318366 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate
installed)

Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      276767    86.9336
3DES Only                 138       0.0433
AES                       296231    93.0473
AES Only                  931       0.2924
AES-CBC Only              589       0.185
AES-GCM                   121700    38.2264
AES-GCM Only              4         0.0013
CAMELLIA                  127348    40.0005
CAMELLIA Only             1         0.0003
CHACHA20                  19834     6.2299
RC4                       283666    89.1006
RC4 Only                  4401      1.3824
RC4 Preferred             59422     18.6647
RC4 forced in TLS1.1+     37507     11.7811
z:ADH-DES-CBC-SHA         1031      0.3238
z:ADH-SEED-SHA            863       0.2711
z:AECDH-NULL-SHA          9         0.0028
z:DES-CBC-MD5             254       0.0798
z:DES-CBC-SHA             60478     18.9964
z:DHE-RSA-SEED-SHA        51890     16.2989
z:ECDHE-RSA-NULL-SHA      7         0.0022
z:EDH-RSA-DES-CBC-SHA     49291     15.4825
z:EXP-ADH-DES-CBC-SHA     625       0.1963
z:EXP-DES-CBC-SHA         49466     15.5375
z:EXP-EDH-RSA-DES-CBC-SHA 35342     11.1011
z:EXP-RC2-CBC-MD5         46932     14.7415
z:IDEA-CBC-MD5            27        0.0085
z:IDEA-CBC-SHA            51847     16.2853
z:NULL-MD5                319       0.1002
z:NULL-SHA                313       0.0983
z:NULL-SHA256             10        0.0031
z:RC2-CBC-MD5             281       0.0883
z:SEED-SHA                65444     20.5562

Supported Handshakes      Count     Percent
-------------------------+---------+-------
DHE                       153909    48.3434
ECDHE                     134412    42.2193

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               145147    45.5912  94.307
DH,2048bits               7568      2.3771   4.9172
DH,3072bits               2         0.0006   0.0013
DH,3248bits               2         0.0006   0.0013
DH,4096bits               428       0.1344   0.2781
DH,4097bits               2         0.0006   0.0013
DH,512bits                92        0.0289   0.0598
DH,768bits                673       0.2114   0.4373
ECDH,B-163,163bits        1         0.0003   0.0007
ECDH,B-571,570bits        294       0.0923   0.2187
ECDH,P-224,224bits        3         0.0009   0.0022
ECDH,P-256,256bits        133565    41.9533  99.3698
ECDH,P-384,384bits        165       0.0518   0.1228
ECDH,P-521,521bits        450       0.1413   0.3348
Prefer DH,1024bits        98851     31.0495  64.2269
Prefer DH,2048bits        2143      0.6731   1.3924
Prefer DH,4096bits        34        0.0107   0.0221
Prefer DH,512bits         1         0.0003   0.0006
Prefer DH,768bits         74        0.0232   0.0481
Prefer ECDH,B-163,163bits 1         0.0003   0.0007
Prefer ECDH,B-571,570bits 236       0.0741   0.1756
Prefer ECDH,P-256,256bits 94746     29.7601  70.4892
Prefer ECDH,P-384,384bits 115       0.0361   0.0856
Prefer ECDH,P-521,521bits 409       0.1285   0.3043
Prefer PFS                196610    61.756   0
Support PFS               245327    77.0582  0

Certificate sig alg       Count     Percent
-------------------------+---------+--------
None                      9994      3.1392
ecdsa-with-SHA256         2         0.0006
sha1WithRSAEncryption     286277    89.9207
sha256WithRSAEncryption   32146     10.0972

Certificate key size      Count     Percent
-------------------------+---------+--------
ECDSA 384                 2         0.0006
RSA 1024                  1935      0.6078
RSA 2028                  1         0.0003
RSA 2047                  2         0.0006
RSA 2048                  304898    95.7696
RSA 2049                  2         0.0006
RSA 2056                  3         0.0009
RSA 2058                  1         0.0003
RSA 2060                  1         0.0003
RSA 2064                  1         0.0003
RSA 2080                  3         0.0009
RSA 2084                  4         0.0013
RSA 2345                  1         0.0003
RSA 2408                  1         0.0003
RSA 2432                  60        0.0188
RSA 2536                  1         0.0003
RSA 2612                  1         0.0003
RSA 3000                  1         0.0003
RSA 3050                  1         0.0003
RSA 3072                  19        0.006
RSA 3248                  3         0.0009
RSA 3600                  1         0.0003
RSA 4042                  1         0.0003
RSA 4046                  1         0.0003
RSA 4048                  1         0.0003
RSA 4069                  1         0.0003
RSA 4086                  1         0.0003
RSA 4092                  2         0.0006
RSA 4096                  11427     3.5893
RSA 4098                  1         0.0003
RSA 4192                  2         0.0006
RSA 8192                  3         0.0009
RSA/ECDSA Dual Stack      0         0.0

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      621       0.1951
SSL2 Only                 73        0.0229
SSL3                      314763    98.8683
SSL3 Only                 3524      1.1069
SSL3 or TLS1 Only         140708    44.1969
TLS1                      314191    98.6886
TLS1 Only                 1117      0.3509
TLS1.1                    164225    51.5837
TLS1.1 Only               8         0.0025
TLS1.1 or up Only         68        0.0214
TLS1.2                    173049    54.3554
TLS1.2 Only               48        0.0151
TLS1.2, 1.0 but not 1.1   12720     3.9954

Scan performed between 7th and 15th of May 2014,
full results available upon request - 45MiB xz
tarball.
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario at redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic