Not many exciting changes, just continuation of previous trends. SHA-256 has
grown by 2%, RC4 basically unchanged.

As always, detailed commentary on my blog:
https://securitypitfalls.wordpress.com/2014/08/25/august-2014-scan-results/

SSL/TLS survey of 397695 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)

Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      345059    86.7647
3DES Only                 209       0.0526
AES                       369030    92.7922
AES Only                  1951      0.4906
AES-CBC Only              1030      0.259
AES-GCM                   162425    40.8416
AES-GCM Only              41        0.0103
CAMELLIA                  164197    41.2872
CAMELLIA Only             4         0.001
CHACHA20                  14719     3.7011
CHACHA20 Only             6         0.0015
RC4                       350479    88.1276
RC4 Only                  3807      0.9573
RC4 Preferred             74692     18.7812
RC4 forced in TLS1.1+     51533     12.9579
x:FF 29 RC4 Only          6327      1.5909
x:FF 29 RC4 Preferred     16784     4.2203
x:FF 29 incompatible      301       0.0757
z:ADH-AES128-GCM-SHA256   348       0.0875
z:ADH-AES128-SHA          1444      0.3631
z:ADH-AES128-SHA256       324       0.0815
z:ADH-AES256-GCM-SHA384   335       0.0842
z:ADH-AES256-SHA          1447      0.3638
z:ADH-AES256-SHA256       328       0.0825
z:ADH-CAMELLIA128-SHA     692       0.174
z:ADH-CAMELLIA256-SHA     699       0.1758
z:ADH-DES-CBC-SHA         699       0.1758
z:ADH-DES-CBC3-SHA        1490      0.3747
z:ADH-RC4-MD5             1297      0.3261
z:ADH-SEED-SHA            514       0.1292
z:AECDH-AES128-SHA        14496     3.645
z:AECDH-AES256-SHA        14533     3.6543
z:AECDH-DES-CBC3-SHA      14471     3.6387
z:AECDH-NULL-SHA          22        0.0055
z:AECDH-RC4-SHA           13603     3.4205
z:DES-CBC-MD5             26778     6.7333
z:DES-CBC-SHA             69202     17.4008
z:DHE-RSA-SEED-SHA        70054     17.615
z:ECDHE-RSA-NULL-SHA      25        0.0063
z:EDH-RSA-DES-CBC-SHA     60963     15.3291
z:EXP-ADH-DES-CBC-SHA     489       0.123
z:EXP-ADH-RC4-MD5         493       0.124
z:EXP-DES-CBC-SHA         54942     13.8151
z:EXP-EDH-RSA-DES-CBC-SHA 43030     10.8198
z:EXP-RC2-CBC-MD5         59737     15.0208
z:IDEA-CBC-MD5            4021      1.0111
z:IDEA-CBC-SHA            64231     16.1508
z:NULL-MD5                353       0.0888
z:NULL-SHA                351       0.0883
z:NULL-SHA256             7         0.0018
z:RC2-CBC-MD5             30955     7.7836
z:SEED-SHA                83118     20.8999

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               177721    44.6878
Server side               219974    55.3122

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1555      0.391
AECDH                     14564     3.6621
DHE                       202555    50.9322
ECDHE                     184261    46.3322
ECDHE and DHE             73679     18.5265
RSA                       396177    99.6183

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               186744    46.9566  92.1942
DH,2048bits               14169     3.5628   6.9951
DH,2226bits               2         0.0005   0.001
DH,3072bits               4         0.001    0.002
DH,3242bits               1         0.0003   0.0005
DH,3248bits               2         0.0005   0.001
DH,4096bits               703       0.1768   0.3471
DH,512bits                43198     10.8621  21.3266
DH,768bits                759       0.1908   0.3747
DH,8192bits               2         0.0005   0.001
ECDH,B-163,163bits        13        0.0033   0.0071
ECDH,B-571,570bits        398       0.1001   0.216
ECDH,P-224,224bits        4         0.001    0.0022
ECDH,P-256,256bits        182896    45.989   99.2592
ECDH,P-384,384bits        232       0.0583   0.1259
ECDH,P-521,521bits        821       0.2064   0.4456
Prefer DH,1024bits        115759    29.1075  57.1494
Prefer DH,2048bits        1154      0.2902   0.5697
Prefer DH,4096bits        50        0.0126   0.0247
Prefer DH,512bits         2         0.0005   0.001
Prefer DH,768bits         87        0.0219   0.043
Prefer ECDH,B-163,163bits 13        0.0033   0.0071
Prefer ECDH,B-571,570bits 318       0.08     0.1726
Prefer ECDH,P-224,224bits 1         0.0003   0.0005
Prefer ECDH,P-256,256bits 134334    33.7781  72.9042
Prefer ECDH,P-384,384bits 157       0.0395   0.0852
Prefer ECDH,P-521,521bits 749       0.1883   0.4065
Prefer PFS                252624    63.522   0
Support PFS               313137    78.738   0

TLS session ticket hint   Count     Percent
-------------------------+---------+--------
5                         1         0.0003
5 only                    1         0.0003
10                        3         0.0008
10 only                   1         0.0003
30                        2         0.0005
30 only                   2         0.0005
42                        1         0.0003
60                        46        0.0116
60 only                   41        0.0103
100                       4         0.001
100 only                  4         0.001
120                       10        0.0025
120 only                  10        0.0025
128                       4         0.001
128 only                  4         0.001
180                       29        0.0073
180 only                  29        0.0073
240                       4         0.001
240 only                  4         0.001
300                       155200    39.0249
300 only                  135627    34.1033
420                       19        0.0048
420 only                  10        0.0025
480                       6         0.0015
480 only                  6         0.0015
600                       6888      1.732
600 only                  6597      1.6588
900                       216       0.0543
900 only                  190       0.0478
960                       2         0.0005
960 only                  2         0.0005
1200                      60        0.0151
1200 only                 57        0.0143
1500                      9         0.0023
1500 only                 8         0.002
1800                      123       0.0309
1800 only                 120       0.0302
2100                      1         0.0003
2100 only                 1         0.0003
2400                      1         0.0003
2400 only                 1         0.0003
2700                      2         0.0005
2700 only                 2         0.0005
3000                      5         0.0013
3000 only                 4         0.001
3600                      234       0.0588
3600 only                 227       0.0571
5400                      2         0.0005
6000                      1         0.0003
6000 only                 1         0.0003
7200                      10748     2.7026
7200 only                 8222      2.0674
10800                     11        0.0028
10800 only                6         0.0015
14400                     722       0.1815
14400 only                716       0.18
18000                     1         0.0003
21600                     26        0.0065
21600 only                26        0.0065
28800                     3         0.0008
28800 only                3         0.0008
30720                     1         0.0003
30720 only                1         0.0003
36000                     402       0.1011
36000 only                399       0.1003
43200                     6311      1.5869
43200 only                6224      1.565
64800                     9640      2.424
64800 only                9602      2.4144
86000                     32        0.008
86000 only                29        0.0073
86400                     92        0.0231
86400 only                85        0.0214
100800                    14758     3.7109
100800 only               57        0.0143
115200                    1         0.0003
115200 only               1         0.0003
129600                    7         0.0018
129600 only               6         0.0015
604800                    1         0.0003
604800 only               1         0.0003
864000                    6         0.0015
864000 only               6         0.0015
None                      229357    57.6716
None only                 192066    48.2948

Certificate sig alg       Count     Percent
-------------------------+---------+--------
None                      15912     4.0011
ecdsa-with-SHA256         3         0.0008
sha1WithRSAEncryption     338957    85.2304
sha256WithRSAEncryption   58772     14.7782

Certificate key size      Count     Percent
-------------------------+---------+--------
ECDSA 256                 8235      2.0707
ECDSA 384                 1         0.0003
RSA 1024                  1880      0.4727
RSA 2028                  1         0.0003
RSA 2047                  2         0.0005
RSA 2048                  381923    96.0341
RSA 2056                  5         0.0013
RSA 2058                  1         0.0003
RSA 2060                  1         0.0003
RSA 2064                  1         0.0003
RSA 2080                  2         0.0005
RSA 2084                  5         0.0013
RSA 2408                  3         0.0008
RSA 2432                  28        0.007
RSA 2536                  1         0.0003
RSA 2612                  1         0.0003
RSA 3050                  1         0.0003
RSA 3072                  37        0.0093
RSA 3096                  1         0.0003
RSA 3248                  4         0.001
RSA 3600                  1         0.0003
RSA 4042                  1         0.0003
RSA 4046                  2         0.0005
RSA 4048                  2         0.0005
RSA 4086                  1         0.0003
RSA 4092                  2         0.0005
RSA 4096                  13721     3.4501
RSA 4098                  3         0.0008
RSA 4192                  1         0.0003
RSA 8192                  6         0.0015
RSA 16384                 1         0.0003
RSA/ECDSA Dual Stack      8153      2.0501

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 41610     10.4628
Unsupported               356085    89.5372

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      48288     12.142
SSL2 Only                 6029      1.516
SSL3                      379667    95.4669
SSL3 Only                 4125      1.0372
SSL3 or TLS1 Only         117512    29.5483
TLS1                      385363    96.8991
TLS1 Only                 3015      0.7581
TLS1.1                    218025    54.8222
TLS1.1 Only               37        0.0093
TLS1.1 or up Only         709       0.1783
TLS1.2                    229097    57.6062
TLS1.2 Only               374       0.094
TLS1.2, 1.0 but not 1.1   15264     3.8381

Scan performed between 8th and 19th of August 2014.

Statistics from 443385 chains provided by 585568 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  365544    62.4255
incomplete                29700     5.072
untrusted                 190324    32.5025

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         2394      0.5399
3                         431592    97.3402
4                         9378      2.1151
5                         21        0.0047

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 3
ECDSA 384                 3
RSA 1024                  1733
RSA 2045                  1
RSA 2048                  874329
RSA 4096                  17727

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 3         0.0007
ECDSA 384                 3         0.0007
RSA 1024                  1723      0.3886
RSA 2045                  1         0.0002
RSA 2048                  441708    99.6218
RSA 4096                  17345     3.912

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              3
sha1WithRSAEncryption          387560
sha256WithRSAEncryption        50026
sha384WithRSAEncryption        12822

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        388390    87.5966
112                       54992     12.4028
128                       3         0.0007

Root CAs                                      Count     Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA                 115908    26.1416
(157753a5) AddTrust External CA Root          69723     15.7252
(5ad8a5d6) GlobalSign Root CA                 44630     10.0657
(2e4eed3c) thawte Primary Root CA             29574     6.67
(cbf06781) Go Daddy Root Certificate Authorit 28151     6.3491
(f081611a) The Go Daddy Group, Inc.           26956     6.0796
(b204d74a) VeriSign Class 3 Public Primary Ce 26596     5.9984
(244b5494) DigiCert High Assurance EV Root CA 22613     5.1001
(b13cc6df) UTN-USERFirst-Hardware             12983     2.9282
(40547a79) COMODO Certification Authority     11362     2.5626
(653b494a) Baltimore CyberTrust Root          10593     2.3891
(ae8153b9) StartCom Certification Authority   9134      2.0601
(f387163d) Starfield Technologies, Inc.       7934      1.7894

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario@xxxxxxxxxx
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic