TLS Scan results for September 2014

Hubert Kario hkario at redhat.com
Mon Sep 29 18:15:59 UTC 2014


The biggest surprise in this month's results is the relative lack of changes :)
2% more servers use SHA256 signed certificates, 1% more use PFS suites and
that's basically all.

A bit more detailed description of results on my blog:
https://securitypitfalls.wordpress.com/2014/09/29/scan-results-for-september-2014/

SSL/TLS survey of 402742 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      349454    86.7687
3DES Only                 164       0.0407
AES                       374868    93.0789
AES Only                  1017      0.2525
AES-CBC Only              553       0.1373
AES-GCM                   172322    42.7872
AES-GCM Only              7         0.0017
CAMELLIA                  170577    42.3539
CHACHA20                  15137     3.7585
Insecure                  79666     19.7809
RC4                       355750    88.332
RC4 Only                  3845      0.9547
RC4 Preferred             71713     17.8062
RC4 forced in TLS1.1+     50461     12.5294
x:FF 29 RC4 Only          5961      1.4801
x:FF 29 RC4 Preferred     15338     3.8084
x:FF 29 incompatible      165       0.041
y:DHE-RSA-SEED-SHA        75372     18.7147
y:IDEA-CBC-MD5            4020      0.9982
y:IDEA-CBC-SHA            67863     16.8502
y:SEED-SHA                87504     21.7271
z:ADH-AES128-GCM-SHA256   358       0.0889
z:ADH-AES128-SHA          1346      0.3342
z:ADH-AES128-SHA256       333       0.0827
z:ADH-AES256-GCM-SHA384   344       0.0854
z:ADH-AES256-SHA          1349      0.335
z:ADH-AES256-SHA256       336       0.0834
z:ADH-CAMELLIA128-SHA     697       0.1731
z:ADH-CAMELLIA256-SHA     705       0.1751
z:ADH-DES-CBC-SHA         666       0.1654
z:ADH-DES-CBC3-SHA        1395      0.3464
z:ADH-RC4-MD5             1196      0.297
z:ADH-SEED-SHA            433       0.1075
z:AECDH-AES128-SHA        15360     3.8139
z:AECDH-AES256-SHA        15366     3.8153
z:AECDH-DES-CBC3-SHA      15329     3.8062
z:AECDH-NULL-SHA          20        0.005
z:AECDH-RC4-SHA           14410     3.578
z:DES-CBC-MD5             26107     6.4823
z:DES-CBC-SHA             69455     17.2455
z:ECDHE-RSA-NULL-SHA      25        0.0062
z:EDH-RSA-DES-CBC-SHA     61413     15.2487
z:EXP-ADH-DES-CBC-SHA     474       0.1177
z:EXP-ADH-RC4-MD5         476       0.1182
z:EXP-DES-CBC-SHA         54674     13.5754
z:EXP-EDH-RSA-DES-CBC-SHA 42941     10.6622
z:EXP-RC2-CBC-MD5         59213     14.7025
z:NULL-MD5                331       0.0822
z:NULL-SHA                334       0.0829
z:NULL-SHA256             10        0.0025
z:RC2-CBC-MD5             30259     7.5132

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               178562    44.3366
Server side               224180    55.6634

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1459      0.3623
AECDH                     15393     3.822
DHE                       206612    51.3013
ECDHE                     196029    48.6736
ECDHE and DHE             80995     20.1109
RSA                       402219    99.8701

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               189005    46.9295  91.4782
DH,2048bits               15870     3.9405   7.6811
DH,2226bits               2         0.0005   0.001
DH,2430bits               1         0.0002   0.0005
DH,3072bits               5         0.0012   0.0024
DH,3246bits               2         0.0005   0.001
DH,3248bits               1         0.0002   0.0005
DH,4096bits               803       0.1994   0.3887
DH,512bits                43127     10.7083  20.8734
DH,768bits                731       0.1815   0.3538
DH,8192bits               1         0.0002   0.0005
ECDH,B-163,163bits        13        0.0032   0.0066
ECDH,B-571,570bits        405       0.1006   0.2066
ECDH,P-224,224bits        6         0.0015   0.0031
ECDH,P-256,256bits        194476    48.288   99.2078
ECDH,P-384,384bits        453       0.1125   0.2311
ECDH,P-521,521bits        988       0.2453   0.504
Prefer DH,1024bits        113032    28.0656  54.7074
Prefer DH,2048bits        1222      0.3034   0.5914
Prefer DH,3072bits        1         0.0002   0.0005
Prefer DH,4096bits        53        0.0132   0.0257
Prefer DH,512bits         1         0.0002   0.0005
Prefer DH,768bits         92        0.0228   0.0445
Prefer ECDH,B-163,163bits 13        0.0032   0.0066
Prefer ECDH,B-571,570bits 332       0.0824   0.1694
Prefer ECDH,P-224,224bits 4         0.001    0.002
Prefer ECDH,P-256,256bits 144871    35.9712  73.9028
Prefer ECDH,P-384,384bits 379       0.0941   0.1933
Prefer ECDH,P-521,521bits 933       0.2317   0.4759
Prefer PFS                260933    64.7891  0
Support PFS               321646    79.864   0

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
5                         2         0.0005   
5 only                    2         0.0005   
30                        8         0.002    
30 only                   2         0.0005   
60                        44        0.0109   
60 only                   38        0.0094   
100                       6         0.0015   
100 only                  6         0.0015   
120                       12        0.003    
120 only                  12        0.003    
128                       3         0.0007   
128 only                  2         0.0005   
180                       26        0.0065   
180 only                  26        0.0065   
240                       1         0.0002   
240 only                  1         0.0002   
300                       162695    40.3968  
300 only                  143072    35.5245  
420                       20        0.005    
420 only                  11        0.0027   
480                       8         0.002    
480 only                  8         0.002    
600                       7769      1.929    
600 only                  7515      1.866    
900                       243       0.0603   
900 only                  223       0.0554   
960                       3         0.0007   
960 only                  3         0.0007   
1000                      1         0.0002   
1000 only                 1         0.0002   
1200                      57        0.0142   
1200 only                 55        0.0137   
1500                      8         0.002    
1500 only                 7         0.0017   
1800                      171       0.0425   
1800 only                 158       0.0392   
2100                      1         0.0002   
2100 only                 1         0.0002   
2400                      1         0.0002   
2400 only                 1         0.0002   
2700                      5         0.0012   
2700 only                 5         0.0012   
3000                      4         0.001    
3000 only                 3         0.0007   
3600                      234       0.0581   
3600 only                 221       0.0549   
4500                      1         0.0002   
4500 only                 1         0.0002   
5400                      1         0.0002   
6000                      2         0.0005   
6000 only                 2         0.0005   
7200                      10762     2.6722   
7200 only                 8269      2.0532   
10800                     11        0.0027   
10800 only                6         0.0015   
14400                     813       0.2019   
14400 only                809       0.2009   
21600                     580       0.144    
21600 only                580       0.144    
28800                     14        0.0035   
28800 only                14        0.0035   
36000                     399       0.0991   
36000 only                397       0.0986   
43200                     5617      1.3947   
43200 only                5615      1.3942   
64800                     10296     2.5565   
64800 only                10285     2.5537   
72000                     7         0.0017   
72000 only                7         0.0017   
86000                     29        0.0072   
86000 only                27        0.0067   
86400                     105       0.0261   
86400 only                104       0.0258   
100800                    14914     3.7031   
100800 only               16        0.004    
129600                    5         0.0012   
129600 only               5         0.0012   
604800                    1         0.0002   
604800 only               1         0.0002   
864000                    6         0.0015   
864000 only               6         0.0015   
None                      225221    55.9219  
None only                 187861    46.6455  

Certificate sig alg       Count     Percent
-------------------------+---------+--------
None                      16643     4.1324   
ecdsa-with-SHA256         4         0.001    
sha1WithRSAEncryption     335932    83.4112  
sha256WithRSAEncryption   66851     16.599   

Certificate key size      Count     Percent
-------------------------+---------+--------
ECDSA 256                 8237      2.0452   
ECDSA 384                 1         0.0002   
RSA 1024                  1763      0.4377   
RSA 2028                  1         0.0002   
RSA 2047                  2         0.0005   
RSA 2048                  386945    96.0776  
RSA 2049                  1         0.0002   
RSA 2056                  6         0.0015   
RSA 2058                  2         0.0005   
RSA 2060                  1         0.0002   
RSA 2064                  2         0.0005   
RSA 2080                  2         0.0005   
RSA 2084                  7         0.0017
RSA 2345                  1         0.0002
RSA 2408                  3         0.0007
RSA 2432                  12        0.003
RSA 2536                  1         0.0002
RSA 2612                  1         0.0002
RSA 3072                  38        0.0094
RSA 3096                  1         0.0002
RSA 3248                  2         0.0005
RSA 3600                  1         0.0002
RSA 4042                  1         0.0002
RSA 4046                  2         0.0005
RSA 4048                  2         0.0005
RSA 4086                  1         0.0002
RSA 4092                  2         0.0005
RSA 4096                  13950     3.4638
RSA 4098                  3         0.0007
RSA 4192                  1         0.0002
RSA 8192                  3         0.0007
RSA/ECDSA Dual Stack      8234      2.0445

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 44490     11.0468
Unsupported               358252    88.9532

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      47267     11.7363
SSL2 Only                 5715      1.419
SSL3                      385853    95.8065
SSL3 Only                 3108      0.7717
SSL3 or TLS1 Only         113041    28.0678
TLS1                      393018    97.5856
TLS1 Only                 2663      0.6612
TLS1.1                    229677    57.0283
TLS1.1 Only               4         0.001
TLS1.1 or up Only         101       0.0251
TLS1.2                    239781    59.5371
TLS1.2 Only               46        0.0114
TLS1.2, 1.0 but not 1.1   14607     3.6269



Statistics from 447622 chains provided by 593860 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  369705    62.2546
incomplete                29348     4.9419
untrusted                 194807    32.8035

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         2255      0.5038
3                         433123    96.7609
4                         12223     2.7307
5                         21        0.0047

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 4         
ECDSA 384                 4         
RSA 1024                  1516      
RSA 2045                  1         
RSA 2048                  883076    
RSA 4096                  20653     

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 4         0.0009
ECDSA 384                 4         0.0009
RSA 1024                  1506      0.3364
RSA 2045                  1         0.0002
RSA 2048                  446153    99.6718
RSA 4096                  20317     4.5389

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              4         
sha1WithRSAEncryption          383519    
sha256WithRSAEncryption        55325     
sha384WithRSAEncryption        18784     

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        384294    85.8523
112                       63324     14.1468
128.0                     4         0.0009

Most common root CAs                          Count     Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA                 118018    26.3655
(157753a5) AddTrust External CA Root          71841     16.0495
(5ad8a5d6) GlobalSign Root CA                 45383     10.1387
(cbf06781) Go Daddy Root Certificate Authorit 31016     6.9291
(2e4eed3c) thawte Primary Root CA             27902     6.2334
(b204d74a) VeriSign Class 3 Public Primary Ce 26452     5.9095
(f081611a) The Go Daddy Group, Inc.           24930     5.5694
(244b5494) DigiCert High Assurance EV Root CA 22937     5.1242
(b13cc6df) UTN-USERFirst-Hardware             12647     2.8254
(40547a79) COMODO Certification Authority     11095     2.4787
(653b494a) Baltimore CyberTrust Root          10622     2.373
(ae8153b9) StartCom Certification Authority   9143      2.0426
(f387163d) Starfield Technologies, Inc.       8283      1.8504
(480720ec) GeoTrust Primary Certification Aut 4545      1.0154


Scan performed between 10th and 18th of September 2014.

-- 
Regards,
Hubert Kario

