Since this month's results are a bit less interesting: small changes of already established trends with regards to RC4, SHA256 and TLS1.2 adoption, I'm spicing them up with the addition of CA certificate statistics :)

The addition of the CA cert statistics is also the reason for the late release of data, sorry.

Full analysis and commentary available here:
https://securitypitfalls.wordpress.com/2014/08/03/july-2014-scan-results/

SSL/TLS survey of 393337 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)

Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      344071    87.4749
3DES Only                 152       0.0386
AES                       364726    92.7261
AES Only                  879       0.2235
AES-CBC Only              510       0.1297
AES-GCM                   156262    39.7273
AES-GCM Only              6         0.0015
CAMELLIA                  161308    41.0101
CHACHA20                  15543     3.9516
RC4                       350784    89.1815
RC4 Only                  3734      0.9493
RC4 Preferred             69540     17.6795
RC4 forced in TLS1.1+     45989     11.692
x:FF 29 RC4 Only          6429      1.6345
x:FF 29 RC4 Preferred     16265     4.1351
x:FF 29 incompatible      103       0.0262
z:ADH-AES128-GCM-SHA256   351       0.0892
z:ADH-AES128-SHA          1439      0.3658
z:ADH-AES128-SHA256       325       0.0826
z:ADH-AES256-GCM-SHA384   337       0.0857
z:ADH-AES256-SHA          1445      0.3674
z:ADH-AES256-SHA256       330       0.0839
z:ADH-CAMELLIA128-SHA     722       0.1836
z:ADH-CAMELLIA256-SHA     733       0.1864
z:ADH-DES-CBC-SHA         723       0.1838
z:ADH-DES-CBC3-SHA        1496      0.3803
z:ADH-RC4-MD5             1326      0.3371
z:ADH-SEED-SHA            587       0.1492
z:AECDH-AES128-SHA        13159     3.3455
z:AECDH-AES256-SHA        13161     3.346
z:AECDH-DES-CBC3-SHA      13122     3.3361
z:AECDH-NULL-SHA          14        0.0036
z:AECDH-RC4-SHA           12264     3.1179
z:DES-CBC-MD5             27892     7.0911
z:DES-CBC-SHA             76809     19.5275
z:DHE-RSA-SEED-SHA        68828     17.4985
z:ECDHE-RSA-NULL-SHA      17        0.0043
z:EDH-RSA-DES-CBC-SHA     61870     15.7295
z:EXP-ADH-DES-CBC-SHA     469       0.1192
z:EXP-ADH-RC4-MD5         473       0.1203
z:EXP-DES-CBC-SHA         62566     15.9065
z:EXP-EDH-RSA-DES-CBC-SHA 44087     11.2085
z:EXP-RC2-CBC-MD5         67561     17.1764
z:IDEA-CBC-MD5            10575     2.6885
z:IDEA-CBC-SHA            70335     17.8816
z:NULL-MD5                339       0.0862
z:NULL-SHA                337       0.0857
z:NULL-SHA256             6         0.0015
z:RC2-CBC-MD5             38543     9.799
z:SEED-SHA                83026     21.1081

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               183896    46.7528
Server side               209441    53.2472

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1562      0.3971
AECDH                     13188     3.3529
DHE                       198612    50.4941
ECDH                      1         0.0003
ECDHE                     175607    44.6454
ECDHE and DHE             67049     17.0462
RSA                       393014    99.9179

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               183927    46.7607  92.6062
DH,2048bits               13134     3.3391   6.6129
DH,2226bits               2         0.0005   0.001
DH,3072bits               4         0.001    0.002
DH,3248bits               4         0.001    0.002
DH,4096bits               620       0.1576   0.3122
DH,512bits                44238     11.2468  22.2736
DH,768bits                771       0.196    0.3882
DH,8192bits               1         0.0003   0.0005
ECDH,B-163,163bits        16        0.0041   0.0091
ECDH,B-571,570bits        392       0.0997   0.2232
ECDH,P-224,224bits        4         0.001    0.0023
ECDH,P-256,256bits        174312    44.3162  99.2626
ECDH,P-384,384bits        207       0.0526   0.1179
ECDH,P-521,521bits        764       0.1942   0.4351
Prefer DH,1024bits        117558    29.8873  59.1898
Prefer DH,2048bits        1721      0.4375   0.8665
Prefer DH,4096bits        54        0.0137   0.0272
Prefer DH,512bits         2         0.0005   0.001
Prefer DH,768bits         87        0.0221   0.0438
Prefer ECDH,B-163,163bits 16        0.0041   0.0091
Prefer ECDH,B-571,570bits 304       0.0773   0.1731
Prefer ECDH,P-224,224bits 1         0.0003   0.0006
Prefer ECDH,P-256,256bits 126826    32.2436  72.2215
Prefer ECDH,P-384,384bits 135       0.0343   0.0769
Prefer ECDH,P-521,521bits 699       0.1777   0.398
Prefer PFS                247403    62.8985  0
Support PFS               307170    78.0933  0

TLS session ticket hint   Count     Percent
-------------------------+---------+--------
5                         2         0.0005
5 only                    2         0.0005
10                        2         0.0005
30                        1         0.0003
30 only                   1         0.0003
60                        15        0.0038
60 only                   10        0.0025
120                       7         0.0018
120 only                  6         0.0015
128                       5         0.0013
128 only                  5         0.0013
180                       24        0.0061
180 only                  24        0.0061
240                       7         0.0018
240 only                  7         0.0018
300                       145958    37.1076
300 only                  127245    32.3501
420                       12        0.0031
420 only                  10        0.0025
480                       6         0.0015
480 only                  6         0.0015
600                       6491      1.6502
600 only                  6280      1.5966
900                       188       0.0478
900 only                  158       0.0402
960                       2         0.0005
960 only                  2         0.0005
1200                      54        0.0137
1200 only                 52        0.0132
1500                      12        0.0031
1500 only                 11        0.0028
1800                      121       0.0308
1800 only                 116       0.0295
2400                      1         0.0003
2400 only                 1         0.0003
2700                      1         0.0003
2700 only                 1         0.0003
3000                      5         0.0013
3000 only                 4         0.001
3600                      239       0.0608
3600 only                 235       0.0597
5400                      2         0.0005
6000                      1         0.0003
6000 only                 1         0.0003
7200                      10678     2.7147
7200 only                 1678      0.4266
10800                     7         0.0018
10800 only                3         0.0008
14400                     650       0.1653
14400 only                650       0.1653
18000                     1         0.0003
18000 only                1         0.0003
21600                     27        0.0069
21600 only                27        0.0069
28800                     5         0.0013
28800 only                5         0.0013
30720                     1         0.0003
30720 only                1         0.0003
36000                     477       0.1213
36000 only                477       0.1213
43200                     6420      1.6322
43200 only                6420      1.6322
64800                     9211      2.3418
64800 only                9208      2.341
86000                     28        0.0071
86000 only                26        0.0066
86400                     4228      1.0749
86400 only                4223      1.0736
100800                    15552     3.9539
100800 only               11        0.0028
115200                    1         0.0003
115200 only               1         0.0003
129600                    7         0.0018
129600 only               7         0.0018
864000                    6         0.0015
864000 only               6         0.0015
None                      236414    60.1047
None only                 192884    49.0378

Certificate sig alg       Count     Percent
-------------------------+---------+--------
None                      14656     3.7261
sha1WithRSAEncryption     343217    87.2577
sha256WithRSAEncryption   50153     12.7506

Certificate key size      Count     Percent
-------------------------+---------+--------
ECDSA 256                 8717      2.2162
RSA 1024                  1894      0.4815
RSA 2028                  1         0.0003
RSA 2047                  1         0.0003
RSA 2048                  377818    96.0545
RSA 2049                  1         0.0003
RSA 2056                  5         0.0013
RSA 2058                  1         0.0003
RSA 2060                  1         0.0003
RSA 2064                  1         0.0003
RSA 2080                  2         0.0005
RSA 2084                  5         0.0013
RSA 2408                  3         0.0008
RSA 2432                  48        0.0122
RSA 2536                  1         0.0003
RSA 2612                  1         0.0003
RSA 3050                  1         0.0003
RSA 3072                  40        0.0102
RSA 3120                  1         0.0003
RSA 3248                  3         0.0008
RSA 3600                  1         0.0003
RSA 4042                  1         0.0003
RSA 4046                  2         0.0005
RSA 4048                  2         0.0005
RSA 4086                  1         0.0003
RSA 4092                  2         0.0005
RSA 4096                  13502     3.4327
RSA 4098                  3         0.0008
RSA 4192                  1         0.0003
RSA 8192                  5         0.0013
RSA 16384                 1         0.0003
RSA/ECDSA Dual Stack      8714      2.2154

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 39893     10.1422
Unsupported               353444    89.8578

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      56197     14.2872
SSL2 Only                 6140      1.561
SSL3                      377423    95.9541
SSL3 Only                 3710      0.9432
SSL3 or TLS1 Only         118014    30.0033
TLS1                      382682    97.2911
TLS1 Only                 2707      0.6882
TLS1.1                    212833    54.1096
TLS1.1 Only               7         0.0018
TLS1.1 or up Only         74        0.0188
TLS1.2                    223413    56.7994
TLS1.2 Only               34        0.0086
TLS1.2, 1.0 but not 1.1   14809     3.765

Statistics from 445095 chains provided by 582719 hosts
======================================================

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  359484    61.6908
incomplete                29543     5.0699
untrusted                 193692    33.2393

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         2414      0.5423
3                         434366    97.5895
4                         8292      1.863
5                         23        0.0052

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 2
ECDSA 384                 2
RSA 1024                  1788
RSA 2045                  1
RSA 2048                  877819
RSA 4096                  16502

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 2         0.0004
ECDSA 384                 2         0.0004
RSA 1024                  1776      0.399
RSA 2045                  1         0.0002
RSA 2048                  443399    99.619
RSA 4096                  16134     3.6248

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              2
sha1WithRSAEncryption          397615
sha256WithRSAEncryption        42654
sha384WithRSAEncryption        10748

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        398413    89.5119
112                       46680     10.4876
128                       2         0.0004

Most common root CAs                          Count     Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA                 119586    26.8675
(157753a5) AddTrust External CA Root          68556     15.4026
(5ad8a5d6) GlobalSign Root CA                 44275     9.9473
(2e4eed3c) thawte Primary Root CA             29162     6.5519
(f081611a) The Go Daddy Group, Inc.           28250     6.347
(cbf06781) Go Daddy Root Certificate Authorit 26503     5.9545
(b204d74a) VeriSign Class 3 Public Primary Ce 26474     5.9479
(244b5494) DigiCert High Assurance EV Root CA 18086     4.0634
(653b494a) Baltimore CyberTrust Root          16986     3.8163
(b13cc6df) UTN-USERFirst-Hardware             13183     2.9618
(40547a79) COMODO Certification Authority     10947     2.4595
(ae8153b9) StartCom Certification Authority   9048      2.0328
(f387163d) Starfield Technologies, Inc.       7516      1.6886

Survey was conducted between 11th and 19th of July 2014.

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario@xxxxxxxxxx
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security