Sorry for being a bit late with the scan results. The bad news is that there have been few changes, the bad news is that there have been few changes :)

More detailed analysis on my blog: https://securitypitfalls.wordpress.com/2015/03/13/february-2015-scan-results/

SSL/TLS survey of 478847 websites from Alexa's top 1 million

Stats only from connections that did provide valid certificates (or anonymous DH from servers that do also have valid certificate installed)

Supported Ciphers        |    Count| Percent
-------------------------+---------+--------
3DES                     |   389395| 81.3193
3DES Only                |      446|  0.0931
AES                      |   452703| 94.5402
AES Only                 |     7959|  1.6621
AES-CBC Only             |     4111|  0.8585
AES-GCM                  |   275395| 57.5121
AES-GCM Only             |       21|  0.0044
CAMELLIA                 |   201517| 42.0838
CAMELLIA Only            |        1|  0.0002
CHACHA20                 |    27231|  5.6868
Insecure                 |    88014| 18.3804
RC4                      |   362499| 75.7025
RC4 Only                 |     3578|  0.7472
RC4 Preferred            |    63514| 13.2639
RC4 forced in TLS1.1+    |    40750|    8.51
x:FF 29 RC4 Only         |      545|  0.1138
x:FF 29 RC4 Preferred    |    68531| 14.3117
x:FF 29 incompatible     |      135|  0.0282
y:DHE-RSA-SEED-SHA       |   106333|  22.206
y:IDEA-CBC-MD5           |     2911|  0.6079
y:IDEA-CBC-SHA           |    85651| 17.8869
y:SEED-SHA               |   103273|  21.567
z:ADH-AES128-GCM-SHA256  |      352|  0.0735
z:ADH-AES128-SHA         |      983|  0.2053
z:ADH-AES128-SHA256      |      278|  0.0581
z:ADH-AES256-GCM-SHA384  |      367|  0.0766
z:ADH-AES256-SHA         |      995|  0.2078
z:ADH-AES256-SHA256      |      282|  0.0589
z:ADH-CAMELLIA128-SHA    |      440|  0.0919
z:ADH-CAMELLIA256-SHA    |      449|  0.0938
z:ADH-DES-CBC-SHA        |      378|  0.0789
z:ADH-DES-CBC3-SHA       |     1011|  0.2111
z:ADH-RC4-MD5            |      787|  0.1644
z:ADH-SEED-SHA           |      293|  0.0612
z:AECDH-AES128-SHA       |    14530|  3.0344
z:AECDH-AES256-SHA       |    14530|  3.0344
z:AECDH-DES-CBC3-SHA     |    14487|  3.0254
z:AECDH-NULL-SHA         |       38|  0.0079
z:AECDH-RC4-SHA          |    13507|  2.8207
z:DES-CBC-MD5            |    18469|   3.857
z:DES-CBC-SHA            |    49506| 10.3386
z:DES-CBC3-MD5           |    33718|  7.0415
z:ECDHE-RSA-NULL-SHA     |       43|   0.009
z:EDH-RSA-DES-CBC-SHA    |    42281|  8.8298
z:EXP-ADH-DES-CBC-SHA    |      302|  0.0631
z:EXP-ADH-RC4-MD5        |      306|  0.0639
z:EXP-DES-CBC-SHA        |    35244|  7.3602
z:EXP-EDH-RSA-DES-CBC-SHA|    24614|  5.1403
z:EXP-RC2-CBC-MD5        |    40047|  8.3632
z:EXP-RC4-MD5            |    42873|  8.9534
z:EXP1024-DES-CBC-SHA    |     9396|  1.9622
z:EXP1024-RC4-SHA        |     9557|  1.9958
z:NULL-MD5               |      292|   0.061
z:NULL-SHA               |      292|   0.061
z:NULL-SHA256            |       12|  0.0025
z:RC2-CBC-MD5            |    18829|  3.9322
z:RC4-64-MD5             |     1529|  0.3193

Cipher ordering          |    Count| Percent
-------------------------+---------+--------
Client side              |   141265| 29.5011
Server side              |   337582| 70.4989

Supported Handshakes     |    Count| Percent
-------------------------+---------+--------
ADH                      |     1120|  0.2339
AECDH                    |    14557|    3.04
DHE                      |   256190| 53.5014
ECDHE                    |   305994| 63.9022
ECDHE and DHE            |   154553| 32.2761
RSA                      |   446580| 93.2615

Supported PFS            |    Count| Percent|PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits              |   214103| 44.7122|     83.572
DH,1536bits              |        1|  0.0002|     0.0004
DH,2048bits              |    39131|  8.1719|    15.2742
DH,2226bits              |        1|  0.0002|     0.0004
DH,2236bits              |        1|  0.0002|     0.0004
DH,3072bits              |       19|   0.004|     0.0074
DH,3248bits              |        2|  0.0004|     0.0008
DH,4094bits              |        1|  0.0002|     0.0004
DH,4096bits              |     2115|  0.4417|     0.8256
DH,512bits               |       87|  0.0182|      0.034
DH,768bits               |      759|  0.1585|     0.2963
DH,8192bits              |        1|  0.0002|     0.0004
ECDH,B-163,163bits       |        7|  0.0015|     0.0023
ECDH,B-571,570bits       |      707|  0.1476|     0.2311
ECDH,K-163,163bits       |        1|  0.0002|     0.0003
ECDH,P-224,224bits       |       51|  0.0107|     0.0167
ECDH,P-256,256bits       |   299807| 62.6102|    97.9781
ECDH,P-384,384bits       |     3156|  0.6591|     1.0314
ECDH,P-521,521bits       |     4454|  0.9302|     1.4556
Prefer DH,1024bits       |    99375|  20.753|    38.7896
Prefer DH,2048bits       |     2882|  0.6019|     1.1249
Prefer DH,2236bits       |        1|  0.0002|     0.0004
Prefer DH,4096bits       |       90|  0.0188|     0.0351
Prefer DH,512bits        |        3|  0.0006|     0.0012
Prefer DH,768bits        |      420|  0.0877|     0.1639
Prefer ECDH,B-163,163bits|        7|  0.0015|     0.0023
Prefer ECDH,B-571,570bits|      521|  0.1088|     0.1703
Prefer ECDH,K-163,163bits|        1|  0.0002|     0.0003
Prefer ECDH,P-224,224bits|       18|  0.0038|     0.0059
Prefer ECDH,P-256,256bits|   243201| 50.7889|     79.479
Prefer ECDH,P-384,384bits|     3079|   0.643|     1.0062
Prefer ECDH,P-521,521bits|     4146|  0.8658|     1.3549
Prefer PFS               |   353744| 73.8741|          0
Support PFS              |   407631| 85.1276|          0

Supported ECC curves     |    Count| Percent
-------------------------+---------+--------
brainpoolP256r1          |       77|  0.0161
brainpoolP384r1          |       77|  0.0161
brainpoolP512r1          |       77|  0.0161
prime192v1               |      721|  0.1506
prime256v1               |   305466|  63.792
prime256v1 Only          |   265378| 55.4202
secp160k1                |      689|  0.1439
secp160r1                |      688|  0.1437
secp160r2                |      688|  0.1437
secp192k1                |      716|  0.1495
secp224k1                |      747|   0.156
secp224r1                |     1221|   0.255
secp224r1 Only           |        1|  0.0002
secp256k1                |      766|    0.16
secp384r1                |    40252|   8.406
secp384r1 Only           |      166|  0.0347
secp521r1                |     9985|  2.0852
secp521r1 Only           |       86|   0.018
sect163k1                |      688|  0.1437
sect163r1                |      688|  0.1437
sect163r2                |      695|  0.1451
sect163r2 Only           |        7|  0.0015
sect193r1                |      688|  0.1437
sect193r2                |      688|  0.1437
sect233k1                |      738|  0.1541
sect233r1                |      738|  0.1541
sect239k1                |      737|  0.1539
sect283k1                |      737|  0.1539
sect283r1                |      737|  0.1539
sect409k1                |      737|  0.1539
sect409r1                |      737|  0.1539
sect571k1                |      756|  0.1579
sect571r1                |      756|  0.1579

Unsupported curve fallback    |    Count| Percent
------------------------------+---------+--------
False                         |    75947| 15.8604
True                          |   188432| 39.3512
order-specific                |       12|  0.0025
unknown                       |   214456| 44.7859

ECC curve ordering       |    Count| Percent
-------------------------+---------+--------
client                   |     1661|  0.3469
inconclusive-noecc       |        4|  0.0008
server                   |   304074| 63.5013
unknown                  |   173108|  36.151

TLSv1.2 PFS supported sigalgs |    Count| Percent
------------------------------+---------+--------
ECDSA-SHA1                    |    27872|  5.8206
ECDSA-SHA224                  |    27873|  5.8209
ECDSA-SHA256                  |    27873|  5.8209
ECDSA-SHA384                  |    27874|  5.8211
ECDSA-SHA512                  |    27874|  5.8211
RSA-MD5                       |   132832|   27.74
RSA-MD5 Only                  |        1|  0.0002
RSA-SHA1                      |   275469| 57.5276
RSA-SHA1 Only                 |    42560|   8.888
RSA-SHA224                    |   224806| 46.9474
RSA-SHA256                    |   235988| 49.2825
RSA-SHA256 Only               |     2701|  0.5641
RSA-SHA384                    |   225210| 47.0317
RSA-SHA512                    |   225254| 47.0409
RSA-SHA512 Only               |       39|  0.0081

TLSv1.2 PFS ordering          |    Count| Percent
------------------------------+---------+--------
client                        |   206251| 43.0724
indeterminate                 |        7|  0.0015
intolerant                    |     1409|  0.2942
order-fallback                |        2|  0.0004
server                        |    98943| 20.6628
unsupported                   |    37273|  7.7839

TLSv1.2 PFS sigalg fallback   |    Count| Percent
------------------------------+---------+--------
ECDSA SHA1                    |    27871|  5.8204
ECDSA intolerant              |        4|  0.0008
ECDSA pfs-rsa-SHA512          |        1|  0.0002
RSA False                     |   131264| 27.4125
RSA SHA1                      |   125024| 26.1094
RSA intolerant                |    20874|  4.3592
RSA pfs-ecdsa-SHA512          |        1|  0.0002
RSA soft-nopfs                |     1609|   0.336

Renegotiation            |    Count| Percent
-------------------------+---------+--------
False                    |     9764|  2.0391
insecure                 |    25819|  5.3919
secure                   |   443264|  92.569

Compression              |    Count| Percent
-------------------------+---------+--------
1 (zlib compression)     |    15459|  3.2284
False                    |     9764|  2.0391
NONE                     |   453624| 94.7326

TLS session ticket hint  |    Count| Percent
-------------------------+---------+--------
1                        |        2|  0.0004
1 only                   |        2|  0.0004
2                        |        2|  0.0004
2 only                   |        2|  0.0004
5                        |        1|  0.0002
5 only                   |        1|  0.0002
10                       |        4|  0.0008
10 only                  |        4|  0.0008
15                       |        8|  0.0017
15 only                  |        8|  0.0017
30                       |       10|  0.0021
30 only                  |       10|  0.0021
60                       |       71|  0.0148
60 only                  |       64|  0.0134
65                       |        1|  0.0002
65 only                  |        1|  0.0002
70                       |        4|  0.0008
75                       |        1|  0.0002
75 only                  |        1|  0.0002
100                      |       11|  0.0023
100 only                 |       11|  0.0023
120                      |       24|   0.005
120 only                 |       23|  0.0048
128                      |        3|  0.0006
128 only                 |        3|  0.0006
180                      |       47|  0.0098
180 only                 |       45|  0.0094
240                      |       11|  0.0023
240 only                 |       11|  0.0023
300                      |   201017| 41.9794
300 only                 |   192323| 40.1638
360                      |        2|  0.0004
360 only                 |        1|  0.0002
400                      |        4|  0.0008
400 only                 |        4|  0.0008
420                      |       37|  0.0077
420 only                 |       26|  0.0054
480                      |       16|  0.0033
480 only                 |       14|  0.0029
500                      |        4|  0.0008
500 only                 |        4|  0.0008
600                      |    14965|  3.1252
600 only                 |    14676|  3.0649
720                      |        1|  0.0002
720 only                 |        1|  0.0002
840                      |        1|  0.0002
840 only                 |        1|  0.0002
900                      |      520|  0.1086
900 only                 |      500|  0.1044
960                      |        2|  0.0004
960 only                 |        2|  0.0004
1000                     |        1|  0.0002
1000 only                |        1|  0.0002
1200                     |      286|  0.0597
1200 only                |      283|  0.0591
1500                     |        9|  0.0019
1500 only                |        8|  0.0017
1800                     |      343|  0.0716
1800 only                |      334|  0.0698
2100                     |        1|  0.0002
2100 only                |        1|  0.0002
2400                     |        2|  0.0004
2400 only                |        2|  0.0004
2700                     |        5|   0.001
2700 only                |        5|   0.001
3000                     |       11|  0.0023
3000 only                |       11|  0.0023
3600                     |      329|  0.0687
3600 only                |      312|  0.0652
5400                     |       10|  0.0021
6000                     |        3|  0.0006
6000 only                |        3|  0.0006
7200                     |    14085|  2.9414
7200 only                |    11423|  2.3855
10800                    |     1006|  0.2101
10800 only               |     1001|   0.209
14400                    |     1416|  0.2957
14400 only               |     1415|  0.2955
18000                    |        1|  0.0002
18000 only               |        1|  0.0002
21600                    |     4976|  1.0392
21600 only               |     4973|  1.0385
28800                    |       12|  0.0025
28800 only               |       11|  0.0023
36000                    |      980|  0.2047
36000 only               |      975|  0.2036
43200                    |      101|  0.0211
43200 only               |      101|  0.0211
60000                    |        1|  0.0002
60000 only               |        1|  0.0002
64800                    |    45713|  9.5465
64800 only               |    45710|  9.5458
72000                    |        8|  0.0017
72000 only               |        8|  0.0017
86000                    |       28|  0.0058
86000 only               |       28|  0.0058
86400                    |      225|   0.047
86400 only               |      224|  0.0468
93600                    |        1|  0.0002
93600 only               |        1|  0.0002
100800                   |    12805|  2.6741
100800 only              |    12805|  2.6741
129600                   |        8|  0.0017
129600 only              |        8|  0.0017
172800                   |        1|  0.0002
172800 only              |        1|  0.0002
604800                   |        1|  0.0002
604800 only              |        1|  0.0002
864000                   |        3|  0.0006
864000 only              |        3|  0.0006
None                     |   191458| 39.9831
None only                |   179709| 37.5295

Certificate sig alg      |    Count| Percent
-------------------------+---------+--------
None                     |    15481|   3.233
ecdsa-with-SHA256        |    27852|  5.8165
sha1WithRSAEncryption    |   247414| 51.6687
sha256WithRSAEncryption  |   203665| 42.5324
sha512WithRSAEncryption  |       10|  0.0021

Certificate key size     |    Count| Percent
-------------------------+---------+--------
ECDSA 256                |    27873|  5.8209
ECDSA 384                |        4|  0.0008
RSA 1024                 |      586|  0.1224
RSA 10240                |        4|  0.0008
RSA 2028                 |        1|  0.0002
RSA 2047                 |        1|  0.0002
RSA 2048                 |   434653| 90.7707
RSA 2049                 |        2|  0.0004
RSA 2056                 |        3|  0.0006
RSA 2058                 |        4|  0.0008
RSA 2064                 |        1|  0.0002
RSA 2080                 |        2|  0.0004
RSA 2084                 |       14|  0.0029
RSA 2096                 |        1|  0.0002
RSA 2408                 |        3|  0.0006
RSA 2432                 |        5|   0.001
RSA 2612                 |        1|  0.0002
RSA 3072                 |       81|  0.0169
RSA 3102                 |        1|  0.0002
RSA 3248                 |        3|  0.0006
RSA 3600                 |        1|  0.0002
RSA 4042                 |        1|  0.0002
RSA 4048                 |        2|  0.0004
RSA 4056                 |       32|  0.0067
RSA 4069                 |        1|  0.0002
RSA 4086                 |        2|  0.0004
RSA 4092                 |        2|  0.0004
RSA 4096                 |    15597|  3.2572
RSA 4098                 |        2|  0.0004
RSA 8192                 |        4|  0.0008
RSA/ECDSA Dual Stack     |       30|  0.0063

OCSP stapling            |    Count| Percent
-------------------------+---------+--------
Supported                |    79626| 16.6287
Unsupported              |   399221| 83.3713

Supported Protocols      |    Count| Percent
-------------------------+---------+--------
SSL2                     |    34004|  7.1012
SSL2 Only                |       83|  0.0173
SSL3                     |   160049| 33.4238
SSL3 Only                |     1554|  0.3245
SSL3 or TLS1 Only        |    99562|  20.792
SSL3 or lower Only       |     1597|  0.3335
TLS1                     |   476217| 99.4508
TLS1 Only                |    53875|  11.251
TLS1 or lower Only       |   130773|   27.31
TLS1.1                   |   333272| 69.5988
TLS1.1 Only              |        6|  0.0013
TLS1.1 or up Only        |      690|  0.1441
TLS1.2                   |   343871| 71.8123
TLS1.2 Only              |      495|  0.1034
TLS1.2, 1.0 but not 1.1  |    12594|  2.6301

Statistics from 506677 chains provided by 663743 hosts

Server provided chains   |    Count| Percent
-------------------------+---------+--------
complete                 |   445855| 67.1728
incomplete               |    28915|  4.3564
untrusted                |   188973| 28.4708

Trusted chain statistics
========================

Chain length             |    Count| Percent
-------------------------+---------+--------
2                        |     1250|  0.2467
3                        |   435699| 85.9915
4                        |    69697| 13.7557
5                        |       31|  0.0061

CA key size in chains    |    Count
-------------------------+---------
ECDSA 256                |    27724
ECDSA 384                |    27724
RSA 1024                 |     1237
RSA 2045                 |        1
RSA 2048                 |   945864
RSA 4096                 |    79313

Chains with CA key       |    Count| Percent
-------------------------+---------+--------
ECDSA 256                |    27724|  5.4717
ECDSA 384                |    27724|  5.4717
RSA 1024                 |     1233|  0.2434
RSA 2045                 |        1|  0.0002
RSA 2048                 |   477582| 94.2577
RSA 4096                 |    78697|  15.532

Signature algorithm (ex. root)|    Count
------------------------------+---------
ecdsa-with-SHA384             |    27724
sha1WithRSAEncryption         |   272982
sha256WithRSAEncryption       |   141436
sha384WithRSAEncryption       |   133014
sha512WithRSAEncryption       |       30

Eff. host cert chain LoS |    Count| Percent
-------------------------+---------+--------
80                       |   273108| 53.9018
112                      |   205843| 40.6261
128                      |    27726|  5.4721

Root CAs                                     |    Count| Percent
---------------------------------------------+---------+--------
(2c543cd1) GeoTrust Global CA                |   112003| 22.1054
(157753a5) AddTrust External CA Root         |   103054| 20.3392
(5ad8a5d6) GlobalSign Root CA                |    51402| 10.1449
(cbf06781) Go Daddy Root Certificate Authorit|    42982|  8.4831
(b204d74a) VeriSign Class 3 Public Primary Ce|    29072|  5.7378
(eed8c118) COMODO ECC Certification Authority|    27720|  5.4709
(2e4eed3c) thawte Primary Root CA            |    26917|  5.3125
(244b5494) DigiCert High Assurance EV Root CA|    23747|  4.6868
(653b494a) Baltimore CyberTrust Root         |    11804|  2.3297
(f081611a) The Go Daddy Group, Inc.          |    11749|  2.3188
(b13cc6df) UTN-USERFirst-Hardware            |     9836|  1.9413
(ae8153b9) StartCom Certification Authority  |     9546|   1.884
(f387163d) Starfield Technologies, Inc.      |     8019|  1.5827
(40547a79) COMODO Certification Authority    |     6997|   1.381
(3513523f) DigiCert Global Root CA           |     5757|  1.1362

Scan performed between 19th and 27th of February 2015.

-- 
Regards,
Hubert Kario
-- 
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security