"RC4 Only" servers have fallen below 1%! Also, continued increase in SHA-256 signed certificates, PFS support and TLS 1.2 penetration.

Detailed analysis and comparison to last month's results is available here:
https://securitypitfalls.wordpress.com/2014/06/24/rc4-only

This time the scan was performed using a SNI-aware scanner, so the results are a bit different. Last month's results from a parallel, SNI-aware scan are also available on my blog.

SSL/TLS survey of 350949 websites from Alexa's top 1 million

Stats are only from connections that provided valid certificates (or anonymous DH from servers that also have a valid certificate installed).

Supported Ciphers            Count   Percent
-------------------------+---------+-------
3DES                        305304   86.9938
3DES Only                      137    0.039
AES                         329405   93.8612
AES Only                       923    0.263
AES-CBC Only                   616    0.1755
AES-GCM                     137654   39.2234
AES-GCM Only                     3    0.0009
CAMELLIA                    141331   40.2711
CHACHA20                     16443    4.6853
RC4                         311666   88.8066
RC4 Only                      3458    0.9853
RC4 Preferred                65353   18.6218
RC4 forced in TLS1.1+        43096   12.2798
z:ADH-AES128-GCM-SHA256        320    0.0912
z:ADH-AES128-SHA              1336    0.3807
z:ADH-AES128-SHA256            299    0.0852
z:ADH-AES256-GCM-SHA384        305    0.0869
z:ADH-AES256-SHA              1338    0.3813
z:ADH-AES256-SHA256            302    0.0861
z:ADH-CAMELLIA128-SHA          706    0.2012
z:ADH-CAMELLIA256-SHA          713    0.2032
z:ADH-DES-CBC-SHA              740    0.2109
z:ADH-DES-CBC3-SHA            1405    0.4003
z:ADH-RC4-MD5                 1268    0.3613
z:ADH-SEED-SHA                 392    0.1117
z:AECDH-AES128-SHA           10114    2.8819
z:AECDH-AES256-SHA           10117    2.8828
z:AECDH-DES-CBC3-SHA         10087    2.8742
z:AECDH-NULL-SHA                16    0.0046
z:AECDH-RC4-SHA               9668    2.7548
z:DES-CBC-SHA                67043   19.1033
z:DHE-RSA-SEED-SHA           58392   16.6383
z:ECDHE-RSA-NULL-SHA            19    0.0054
z:EDH-RSA-DES-CBC-SHA        52382   14.9258
z:EXP-ADH-DES-CBC-SHA          453    0.1291
z:EXP-ADH-RC4-MD5              456    0.1299
z:EXP-DES-CBC-SHA            55024   15.6786
z:EXP-EDH-RSA-DES-CBC-SHA    37222   10.6061
z:EXP-RC2-CBC-MD5            52973   15.0942
z:IDEA-CBC-SHA               62257   17.7396
z:NULL-MD5                     333    0.0949
z:NULL-SHA                     330    0.094
z:NULL-SHA256                   18    0.0051
z:SEED-SHA                   72273   20.5936

Supported Handshakes         Count   Percent
-------------------------+---------+-------
ADH                           1461    0.4163
AECDH                        10145    2.8907
DHE                         170916   48.7011
ECDH                             1    0.0003
ECDHE                       158213   45.0815
ECDHE and DHE                54584   15.5533
RSA                         350676   99.9222

Supported PFS                Count   Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits                 158684   45.2157   92.8433
DH,2048bits                  10821    3.0834    6.3312
DH,2226bits                      2    0.0006    0.0012
DH,3072bits                      5    0.0014    0.0029
DH,3246bits                      2    0.0006    0.0012
DH,3248bits                      2    0.0006    0.0012
DH,4096bits                    538    0.1533    0.3148
DH,512bits                   37361   10.6457   21.8593
DH,768bits                     720    0.2052    0.4213
ECDH,B-163,163bits              18    0.0051    0.0114
ECDH,B-571,570bits             347    0.0989    0.2193
ECDH,P-224,224bits               5    0.0014    0.0032
ECDH,P-256,256bits          157058   44.7524   99.27
ECDH,P-384,384bits             184    0.0524    0.1163
ECDH,P-521,521bits             683    0.1946    0.4317
Prefer DH,1024bits          103305   29.4359   60.442
Prefer DH,2048bits            2429    0.6921    1.4212
Prefer DH,4096bits              36    0.0103    0.0211
Prefer DH,512bits                2    0.0006    0.0012
Prefer DH,768bits               83    0.0237    0.0486
Prefer ECDH,B-163,163bits       18    0.0051    0.0114
Prefer ECDH,B-571,570bits      270    0.0769    0.1707
Prefer ECDH,P-224,224bits        3    0.0009    0.0019
Prefer ECDH,P-256,256bits   114187   32.5366   72.173
Prefer ECDH,P-384,384bits      120    0.0342    0.0758
Prefer ECDH,P-521,521bits      636    0.1812    0.402
Prefer PFS                  221089   62.9975    0
Support PFS                 274545   78.2293    0

TLS session ticket hint      Count   Percent
-------------------------+---------+--------
5                                1    0.0003
5 only                           1    0.0003
10                               2    0.0006
10 only                          2    0.0006
30                               1    0.0003
30 only                          1    0.0003
42                               1    0.0003
42 only                          1    0.0003
60                              12    0.0034
60 only                          7    0.002
120                              2    0.0006
120 only                         2    0.0006
128                              1    0.0003
128 only                         1    0.0003
180                             21    0.006
180 only                        21    0.006
300                         125932   35.8833
300 only                    110959   31.6168
420                              8    0.0023
420 only                         7    0.002
480                              5    0.0014
480 only                         5    0.0014
600                           4723    1.3458
600 only                      4590    1.3079
900                            151    0.043
900 only                       125    0.0356
960                              1    0.0003
960 only                         1    0.0003
1200                            52    0.0148
1200 only                       51    0.0145
1500                             7    0.002
1500 only                        7    0.002
1800                            97    0.0276
1800 only                       93    0.0265
2400                             1    0.0003
2400 only                        1    0.0003
3000                             3    0.0009
3000 only                        2    0.0006
3600                           162    0.0462
3600 only                      158    0.045
5400                             1    0.0003
6000                             1    0.0003
6000 only                        1    0.0003
7200                         10307    2.9369
7200 only                     1565    0.4459
10800                            5    0.0014
10800 only                       2    0.0006
14400                          675    0.1923
14400 only                     675    0.1923
18000                            3    0.0009
18000 only                       1    0.0003
21600                           23    0.0066
21600 only                      23    0.0066
28800                            5    0.0014
28800 only                       5    0.0014
30720                            1    0.0003
30720 only                       1    0.0003
36000                          521    0.1485
36000 only                     519    0.1479
43200                         6485    1.8478
43200 only                    6481    1.8467
64800                         8656    2.4665
64800 only                    8651    2.465
86000                           30    0.0085
86000 only                      30    0.0085
86400                         4061    1.1571
86400 only                    4060    1.1569
100800                       16457    4.6893
100800 only                     13    0.0037
115200                           1    0.0003
115200 only                      1    0.0003
129600                           6    0.0017
129600 only                      6    0.0017
864000                           6    0.0017
864000 only                      6    0.0017
None                        212871   60.6558
None only                   172526   49.1598

Certificate sig alg          Count   Percent
-------------------------+---------+--------
None                         11549    3.2908
ecdsa-with-SHA256                1    0.0003
sha1WithRSAEncryption       308984   88.0424
sha256WithRSAEncryption      41971   11.9593

Certificate key size         Count   Percent
-------------------------+---------+--------
ECDSA 256                     9203    2.6223
ECDSA 384                        2    0.0006
RSA 1024                      1881    0.536
RSA 2028                         1    0.0003
RSA 2047                         2    0.0006
RSA 2048                    336774   95.961
RSA 2056                         3    0.0009
RSA 2058                         1    0.0003
RSA 2060                         1    0.0003
RSA 2064                         1    0.0003
RSA 2080                         2    0.0006
RSA 2084                         4    0.0011
RSA 2408                         1    0.0003
RSA 2432                        58    0.0165
RSA 2536                         1    0.0003
RSA 2612                         1    0.0003
RSA 3050                         1    0.0003
RSA 3072                        31    0.0088
RSA 3073                         1    0.0003
RSA 3248                         4    0.0011
RSA 3600                         1    0.0003
RSA 4042                         1    0.0003
RSA 4046                         2    0.0006
RSA 4048                         2    0.0006
RSA 4086                         1    0.0003
RSA 4092                         2    0.0006
RSA 4096                     12167    3.4669
RSA 4098                         2    0.0006
RSA 4192                         1    0.0003
RSA 8192                         1    0.0003
RSA/ECDSA Dual Stack          9197    2.6206

OCSP stapling                Count   Percent
-------------------------+---------+--------
Supported                    52153   14.8606
Unsupported                 298796   85.1394

Supported Protocols          Count   Percent
-------------------------+---------+-------
SSL2                             1    0.0003
SSL3                        346615   98.7651
SSL3 Only                     3485    0.993
SSL3 or TLS1 Only           145785   41.5402
TLS1                        346981   98.8694
TLS1 Only                     1030    0.2935
TLS1.1                      190351   54.2389
TLS1.1 Only                      5    0.0014
TLS1.1 or up Only               29    0.0083
TLS1.2                      201166   57.3206
TLS1.2 Only                     14    0.004
TLS1.2, 1.0 but not 1.1      14702    4.1892

Scan performed between 10th and 24th June 2014.

Detailed scan results available on request (48MiB xz tarball)

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario@xxxxxxxxxx
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

-- 
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
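As an added example (my own code, not part of Hubert's post or his scanner), a small Python parser for the plain-text "Count Percent" tables above: it reads an excerpt copied from the post, checks each Percent column against the 350949-site total, and recomputes the "PFS Percent" column, which the figures show is taken relative to the DHE and ECDHE handshake counts rather than the whole population. The excerpt and the function names are my own construction.

```python
TOTAL_SITES = 350949  # sites with valid certificates, from the post

# Constructed excerpt; the numbers are copied from the post's tables
SAMPLE = """\
Supported Handshakes       Count     Percent
-------------------------+---------+-------
DHE                       170916    48.7011
ECDHE                     158213    45.0815
Supported PFS              Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               158684    45.2157  92.8433
DH,512bits                37361     10.6457  21.8593
ECDH,P-256,256bits        157058    44.7524  99.27
Prefer PFS                221089    62.9975  0
"""

def parse_tables(text):
    """Return {title: [(name, count, percent, ...)]} for every table in text.
    The dashed separator has one '+' per numeric column, which fixes how many
    trailing tokens are numbers, so 'RSA 2048' or '300 only' stay names."""
    tables, title, ncols = {}, None, 0
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("---"):
            title = line.split("Count")[0].strip()   # header line
            ncols = lines[i + 1].count("+")
            tables[title] = []
        elif line.startswith("---") or not line.strip() or title is None:
            continue
        else:
            tok = line.split()
            nums = [float(t) for t in tok[-ncols:]]
            tables[title].append((" ".join(tok[:-ncols]), int(nums[0]), *nums[1:]))
    return tables

def percent_mismatches(rows, total=TOTAL_SITES):
    """Names whose Percent column disagrees with 100*count/total (4 decimals)."""
    return [r[0] for r in rows if abs(100 * r[1] / total - r[2]) > 0.0006]

def pfs_share(pfs_rows, handshake_rows):
    """Recompute the post's 'PFS Percent': DH,* rows relative to the DHE
    handshake count, ECDH,* rows relative to ECDHE; other rows are skipped."""
    base = {r[0]: r[1] for r in handshake_rows}
    share = {}
    for name, count, *_ in pfs_rows:
        key = "DHE" if name.startswith("DH,") else "ECDHE"
        if name.startswith(("DH,", "ECDH,")):
            share[name] = round(100 * count / base[key], 4)
    return share
```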