This month's results' biggest surprise is the relative lack of changes :) 2% more servers use SHA256-signed certificates, 1% more use PFS suites, and that's basically all.

A bit more detailed description of the results is on my blog:
https://securitypitfalls.wordpress.com/2014/09/29/scan-results-for-september-2014/

SSL/TLS survey of 402742 websites from Alexa's top 1 million

Stats only from connections that did provide valid certificates (or anonymous DH from servers that also have a valid certificate installed)

Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      349454    86.7687
3DES Only                 164       0.0407
AES                       374868    93.0789
AES Only                  1017      0.2525
AES-CBC Only              553       0.1373
AES-GCM                   172322    42.7872
AES-GCM Only              7         0.0017
CAMELLIA                  170577    42.3539
CHACHA20                  15137     3.7585
Insecure                  79666     19.7809
RC4                       355750    88.332
RC4 Only                  3845      0.9547
RC4 Preferred             71713     17.8062
RC4 forced in TLS1.1+     50461     12.5294
x:FF 29 RC4 Only          5961      1.4801
x:FF 29 RC4 Preferred     15338     3.8084
x:FF 29 incompatible      165       0.041
y:DHE-RSA-SEED-SHA        75372     18.7147
y:IDEA-CBC-MD5            4020      0.9982
y:IDEA-CBC-SHA            67863     16.8502
y:SEED-SHA                87504     21.7271
z:ADH-AES128-GCM-SHA256   358       0.0889
z:ADH-AES128-SHA          1346      0.3342
z:ADH-AES128-SHA256       333       0.0827
z:ADH-AES256-GCM-SHA384   344       0.0854
z:ADH-AES256-SHA          1349      0.335
z:ADH-AES256-SHA256       336       0.0834
z:ADH-CAMELLIA128-SHA     697       0.1731
z:ADH-CAMELLIA256-SHA     705       0.1751
z:ADH-DES-CBC-SHA         666       0.1654
z:ADH-DES-CBC3-SHA        1395      0.3464
z:ADH-RC4-MD5             1196      0.297
z:ADH-SEED-SHA            433       0.1075
z:AECDH-AES128-SHA        15360     3.8139
z:AECDH-AES256-SHA        15366     3.8153
z:AECDH-DES-CBC3-SHA      15329     3.8062
z:AECDH-NULL-SHA          20        0.005
z:AECDH-RC4-SHA           14410     3.578
z:DES-CBC-MD5             26107     6.4823
z:DES-CBC-SHA             69455     17.2455
z:ECDHE-RSA-NULL-SHA      25        0.0062
z:EDH-RSA-DES-CBC-SHA     61413     15.2487
z:EXP-ADH-DES-CBC-SHA     474       0.1177
z:EXP-ADH-RC4-MD5         476       0.1182
z:EXP-DES-CBC-SHA         54674     13.5754
z:EXP-EDH-RSA-DES-CBC-SHA 42941     10.6622
z:EXP-RC2-CBC-MD5         59213     14.7025
z:NULL-MD5                331       0.0822
z:NULL-SHA                334       0.0829
z:NULL-SHA256             10        0.0025
z:RC2-CBC-MD5             30259     7.5132

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               178562    44.3366
Server side               224180    55.6634

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1459      0.3623
AECDH                     15393     3.822
DHE                       206612    51.3013
ECDHE                     196029    48.6736
ECDHE and DHE             80995     20.1109
RSA                       402219    99.8701

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               189005    46.9295  91.4782
DH,2048bits               15870     3.9405   7.6811
DH,2226bits               2         0.0005   0.001
DH,2430bits               1         0.0002   0.0005
DH,3072bits               5         0.0012   0.0024
DH,3246bits               2         0.0005   0.001
DH,3248bits               1         0.0002   0.0005
DH,4096bits               803       0.1994   0.3887
DH,512bits                43127     10.7083  20.8734
DH,768bits                731       0.1815   0.3538
DH,8192bits               1         0.0002   0.0005
ECDH,B-163,163bits        13        0.0032   0.0066
ECDH,B-571,570bits        405       0.1006   0.2066
ECDH,P-224,224bits        6         0.0015   0.0031
ECDH,P-256,256bits        194476    48.288   99.2078
ECDH,P-384,384bits        453       0.1125   0.2311
ECDH,P-521,521bits        988       0.2453   0.504
Prefer DH,1024bits        113032    28.0656  54.7074
Prefer DH,2048bits        1222      0.3034   0.5914
Prefer DH,3072bits        1         0.0002   0.0005
Prefer DH,4096bits        53        0.0132   0.0257
Prefer DH,512bits         1         0.0002   0.0005
Prefer DH,768bits         92        0.0228   0.0445
Prefer ECDH,B-163,163bits 13        0.0032   0.0066
Prefer ECDH,B-571,570bits 332       0.0824   0.1694
Prefer ECDH,P-224,224bits 4         0.001    0.002
Prefer ECDH,P-256,256bits 144871    35.9712  73.9028
Prefer ECDH,P-384,384bits 379       0.0941   0.1933
Prefer ECDH,P-521,521bits 933       0.2317   0.4759
Prefer PFS                260933    64.7891  0
Support PFS               321646    79.864   0

TLS session ticket hint   Count     Percent
-------------------------+---------+--------
5                         2         0.0005
5 only                    2         0.0005
30                        8         0.002
30 only                   2         0.0005
60                        44        0.0109
60 only                   38        0.0094
100                       6         0.0015
100 only                  6         0.0015
120                       12        0.003
120 only                  12        0.003
128                       3         0.0007
128 only                  2         0.0005
180                       26        0.0065
180 only                  26        0.0065
240                       1         0.0002
240 only                  1         0.0002
300                       162695    40.3968
300 only                  143072    35.5245
420                       20        0.005
420 only                  11        0.0027
480                       8         0.002
480 only                  8         0.002
600                       7769      1.929
600 only                  7515      1.866
900                       243       0.0603
900 only                  223       0.0554
960                       3         0.0007
960 only                  3         0.0007
1000                      1         0.0002
1000 only                 1         0.0002
1200                      57        0.0142
1200 only                 55        0.0137
1500                      8         0.002
1500 only                 7         0.0017
1800                      171       0.0425
1800 only                 158       0.0392
2100                      1         0.0002
2100 only                 1         0.0002
2400                      1         0.0002
2400 only                 1         0.0002
2700                      5         0.0012
2700 only                 5         0.0012
3000                      4         0.001
3000 only                 3         0.0007
3600                      234       0.0581
3600 only                 221       0.0549
4500                      1         0.0002
4500 only                 1         0.0002
5400                      1         0.0002
6000                      2         0.0005
6000 only                 2         0.0005
7200                      10762     2.6722
7200 only                 8269      2.0532
10800                     11        0.0027
10800 only                6         0.0015
14400                     813       0.2019
14400 only                809       0.2009
21600                     580       0.144
21600 only                580       0.144
28800                     14        0.0035
28800 only                14        0.0035
36000                     399       0.0991
36000 only                397       0.0986
43200                     5617      1.3947
43200 only                5615      1.3942
64800                     10296     2.5565
64800 only                10285     2.5537
72000                     7         0.0017
72000 only                7         0.0017
86000                     29        0.0072
86000 only                27        0.0067
86400                     105       0.0261
86400 only                104       0.0258
100800                    14914     3.7031
100800 only               16        0.004
129600                    5         0.0012
129600 only               5         0.0012
604800                    1         0.0002
604800 only               1         0.0002
864000                    6         0.0015
864000 only               6         0.0015
None                      225221    55.9219
None only                 187861    46.6455

Certificate sig alg       Count     Percent
-------------------------+---------+--------
None                      16643     4.1324
ecdsa-with-SHA256         4         0.001
sha1WithRSAEncryption     335932    83.4112
sha256WithRSAEncryption   66851     16.599

Certificate key size      Count     Percent
-------------------------+---------+--------
ECDSA 256                 8237      2.0452
ECDSA 384                 1         0.0002
RSA 1024                  1763      0.4377
RSA 2028                  1         0.0002
RSA 2047                  2         0.0005
RSA 2048                  386945    96.0776
RSA 2049                  1         0.0002
RSA 2056                  6         0.0015
RSA 2058                  2         0.0005
RSA 2060                  1         0.0002
RSA 2064                  2         0.0005
RSA 2080                  2         0.0005
RSA 2084                  7         0.0017
RSA 2345                  1         0.0002
RSA 2408                  3         0.0007
RSA 2432                  12        0.003
RSA 2536                  1         0.0002
RSA 2612                  1         0.0002
RSA 3072                  38        0.0094
RSA 3096                  1         0.0002
RSA 3248                  2         0.0005
RSA 3600                  1         0.0002
RSA 4042                  1         0.0002
RSA 4046                  2         0.0005
RSA 4048                  2         0.0005
RSA 4086                  1         0.0002
RSA 4092                  2         0.0005
RSA 4096                  13950     3.4638
RSA 4098                  3         0.0007
RSA 4192                  1         0.0002
RSA 8192                  3         0.0007
RSA/ECDSA Dual Stack      8234      2.0445

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 44490     11.0468
Unsupported               358252    88.9532

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      47267     11.7363
SSL2 Only                 5715      1.419
SSL3                      385853    95.8065
SSL3 Only                 3108      0.7717
SSL3 or TLS1 Only         113041    28.0678
TLS1                      393018    97.5856
TLS1 Only                 2663      0.6612
TLS1.1                    229677    57.0283
TLS1.1 Only               4         0.001
TLS1.1 or up Only         101       0.0251
TLS1.2                    239781    59.5371
TLS1.2 Only               46        0.0114
TLS1.2, 1.0 but not 1.1   14607     3.6269

Statistics from 447622 chains provided by 593860 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  369705    62.2546
incomplete                29348     4.9419
untrusted                 194807    32.8035

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         2255      0.5038
3                         433123    96.7609
4                         12223     2.7307
5                         21        0.0047

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 4
ECDSA 384                 4
RSA 1024                  1516
RSA 2045                  1
RSA 2048                  883076
RSA 4096                  20653

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 4         0.0009
ECDSA 384                 4         0.0009
RSA 1024                  1506      0.3364
RSA 2045                  1         0.0002
RSA 2048                  446153    99.6718
RSA 4096                  20317     4.5389

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              4
sha1WithRSAEncryption          383519
sha256WithRSAEncryption        55325
sha384WithRSAEncryption        18784

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        384294    85.8523
112                       63324     14.1468
128.0                     4         0.0009

Most common root CAs                          Count     Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA                 118018    26.3655
(157753a5) AddTrust External CA Root          71841     16.0495
(5ad8a5d6) GlobalSign Root CA                 45383     10.1387
(cbf06781) Go Daddy Root Certificate Authorit 31016     6.9291
(2e4eed3c) thawte Primary Root CA             27902     6.2334
(b204d74a) VeriSign Class 3 Public Primary Ce 26452     5.9095
(f081611a) The Go Daddy Group, Inc.           24930     5.5694
(244b5494) DigiCert High Assurance EV Root CA 22937     5.1242
(b13cc6df) UTN-USERFirst-Hardware             12647     2.8254
(40547a79) COMODO Certification Authority     11095     2.4787
(653b494a) Baltimore CyberTrust Root          10622     2.373
(ae8153b9) StartCom Certification Authority   9143      2.0426
(f387163d) Starfield Technologies, Inc.       8283      1.8504
(480720ec) GeoTrust Primary Certification Aut 4545      1.0154

Scan performed between 10th and 18th of September 2014.

-- 
Regards,
Hubert Kario

--
security mailing list
https://admin.fedoraproject.org/mailman/listinfo/security