Just a continuation of established trends: most website administrators vulnerable to Logjam haven't taken any action to fix it on their side.

As always, detailed analysis on my blog:
https://securitypitfalls.wordpress.com/2015/07/14/june-2015-scan-results/

SSL/TLS survey of 496355 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates (or anonymous DH from servers that do also have valid certificate installed)

Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      414245    83.4574
3DES Only                 840       0.1692
AES                       485964    97.9065
AES Only                  17816     3.5894
AES-CBC                   485837    97.881
AES-CBC Only              9490      1.9119
AES-GCM                   331682    66.8235
AES-GCM Only              32        0.0064
CAMELLIA                  216922    43.703
CAMELLIA Only             4         0.0008
CHACHA20                  58723     11.8308
CHACHA20 Only             22        0.0044
Insecure                  75670     15.2451
RC4                       263495    53.086
RC4 Only                  1710      0.3445
RC4 Preferred             33485     6.7462
RC4 forced in TLS1.1+     18129     3.6524
x:FF 29 RC4 Only          2047      0.4124
x:FF 29 RC4 Preferred     37569     7.569
x:FF 29 incompatible      124       0.025
x:FF 35 RC4 Only          2377      0.4789
x:FF 35 RC4 Preferred     37715     7.5984
x:FF 35 incompatible      128       0.0258
y:DHE-RSA-SEED-SHA        101229    20.3945
y:IDEA-CBC-SHA            85830     17.2921
y:SEED-SHA                103066    20.7646
z:ADH-AES128-GCM-SHA256   311       0.0627
z:ADH-AES128-SHA          1107      0.223
z:ADH-AES128-SHA256       213       0.0429
z:ADH-AES256-GCM-SHA384   318       0.0641
z:ADH-AES256-SHA          1115      0.2246
z:ADH-AES256-SHA256       215       0.0433
z:ADH-CAMELLIA128-SHA     669       0.1348
z:ADH-CAMELLIA256-SHA     677       0.1364
z:ADH-DES-CBC-SHA         349       0.0703
z:ADH-DES-CBC3-SHA        1128      0.2273
z:ADH-RC4-MD5             1007      0.2029
z:ADH-SEED-SHA            605       0.1219
z:AECDH-AES128-SHA        17615     3.5489
z:AECDH-AES256-SHA        17629     3.5517
z:AECDH-DES-CBC3-SHA      17568     3.5394
z:AECDH-NULL-SHA          41        0.0083
z:AECDH-RC4-SHA           16900     3.4048
z:DES-CBC-MD5             14286     2.8782
z:DES-CBC-SHA             40810     8.2219
z:DES-CBC3-MD5            28088     5.6589
z:ECDHE-RSA-NULL-SHA      53        0.0107
z:EDH-RSA-DES-CBC-SHA     34934     7.0381
z:EXP-ADH-DES-CBC-SHA     252       0.0508
z:EXP-ADH-RC4-MD5         252       0.0508
z:EXP-DES-CBC-SHA         19650     3.9589
z:EXP-EDH-RSA-DES-CBC-SHA 16259     3.2757
z:EXP-RC2-CBC-MD5         23866     4.8083
z:EXP-RC4-MD5             25158     5.0685
z:EXP1024-DES-CBC-SHA     6288      1.2668
z:EXP1024-RC4-SHA         6374      1.2842
z:IDEA-CBC-MD5            2558      0.5154
z:NULL-MD5                259       0.0522
z:NULL-SHA                261       0.0526
z:NULL-SHA256             20        0.004
z:RC2-CBC-MD5             14614     2.9443
z:RC4-64-MD5              1161      0.2339

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               132994    26.7941
Server side               363361    73.2059

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1238      0.2494
AECDH                     17668     3.5595
DHE                       280798    56.572
ECDH                      1         0.0002
ECDHE                     358229    72.1719
ECDHE and DHE             196228    39.5338
RSA                       455866    91.8427

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               210208    42.3503  74.8609
DH,1536bits               2         0.0004   0.0007
DH,2048bits               62891     12.6706  22.3972
DH,2236bits               3         0.0006   0.0011
DH,3072bits               2689      0.5417   0.9576
DH,4096bits               4249      0.856    1.5132
DH,512bits                73        0.0147   0.026
DH,6144bits               1         0.0002   0.0004
DH,768bits                729       0.1469   0.2596
ECDH,B-163,163bits        1         0.0002   0.0003
ECDH,B-571,570bits        1330      0.268    0.3713
ECDH,K-571,570bits        1         0.0002   0.0003
ECDH,P-192,192bits        2         0.0004   0.0006
ECDH,P-224,224bits        67        0.0135   0.0187
ECDH,P-256,256bits        349478    70.4089  97.5571
ECDH,P-384,384bits        3644      0.7342   1.0172
ECDH,P-521,521bits        6198      1.2487   1.7302
Prefer DH,1024bits        81235     16.3663  28.93
Prefer DH,1536bits        1         0.0002   0.0004
Prefer DH,2048bits        3908      0.7873   1.3917
Prefer DH,2236bits        1         0.0002   0.0004
Prefer DH,3072bits        27        0.0054   0.0096
Prefer DH,4096bits        120       0.0242   0.0427
Prefer DH,512bits         2         0.0004   0.0007
Prefer DH,768bits         347       0.0699   0.1236
Prefer ECDH,B-163,163bits 1         0.0002   0.0003
Prefer ECDH,B-571,570bits 1124      0.2265   0.3138
Prefer ECDH,K-571,570bits 1         0.0002   0.0003
Prefer ECDH,P-224,224bits 40        0.0081   0.0112
Prefer ECDH,P-256,256bits 293410    59.1129  81.9057
Prefer ECDH,P-384,384bits 2068      0.4166   0.5773
Prefer ECDH,P-521,521bits 5823      1.1732   1.6255
Prefer PFS                388108    78.1916  0
Support PFS               442799    89.2101  0

Supported ECC curves      Count     Percent
-------------------------+---------+--------
brainpoolP256r1           364       0.0733
brainpoolP384r1           364       0.0733
brainpoolP512r1           364       0.0733
prime192v1                1331      0.2682
prime256v1                357188    71.9622
prime256v1 Only           311537    62.765
secp160k1                 1298      0.2615
secp160r1                 1303      0.2625
secp160r2                 1298      0.2615
secp192k1                 1315      0.2649
secp224k1                 1370      0.276
secp224r1                 2711      0.5462
secp224r1 Only            2         0.0004
secp256k1                 1587      0.3197
secp384r1                 45900     9.2474
secp384r1 Only            249       0.0502
secp521r1                 13918     2.804
secp521r1 Only            115       0.0232
sect163k1                 1300      0.2619
sect163k1 Only            3         0.0006
sect163r1                 1297      0.2613
sect163r2                 1298      0.2615
sect163r2 Only            1         0.0002
sect193r1                 1297      0.2613
sect193r2                 1297      0.2613
sect233k1                 1362      0.2744
sect233r1                 1361      0.2742
sect239k1                 1360      0.274
sect283k1                 1566      0.3155
sect283r1                 1566      0.3155
sect409k1                 1566      0.3155
sect409r1                 1565      0.3153
sect571k1                 1575      0.3173
sect571r1                 1574      0.3171

Unsupported curve fallback     Count     Percent
------------------------------+---------+--------
False                          80483     16.2148
True                           231859    46.7123
order-specific                 16        0.0032
unknown                        183997    37.0696

ECC curve ordering        Count     Percent
-------------------------+---------+--------
client                    2665      0.5369
inconclusive-noecc        16        0.0032
server                    354894    71.5
unknown                   138780    27.9598

TLSv1.2 PFS supported sigalgs  Count     Percent
------------------------------+---------+--------
ECDSA-SHA1                     31932     6.4333
ECDSA-SHA1 Only                1         0.0002
ECDSA-SHA224                   31953     6.4375
ECDSA-SHA256                   31989     6.4448
ECDSA-SHA384                   32035     6.4541
ECDSA-SHA512                   32097     6.4665
ECDSA-SHA512 Only              62        0.0125
RSA-MD5                        151912    30.6055
RSA-SHA1                       316124    63.6891
RSA-SHA1 Only                  44717     9.0091
RSA-SHA224                     256857    51.7486
RSA-SHA256                     276593    55.7248
RSA-SHA256 Only                4237      0.8536
RSA-SHA384                     257841    51.9469
RSA-SHA512                     258008    51.9805
RSA-SHA512 Only                160       0.0322

TLSv1.2 PFS ordering           Count     Percent
------------------------------+---------+--------
client                         237214    47.7912
indeterminate                  8         0.0016
intolerant                     3109      0.6264
order-fallback                 18        0.0036
server                         113482    22.8631
unsupported                    28681     5.7783

TLSv1.2 PFS sigalg fallback    Count     Percent
------------------------------+---------+--------
ECDSA SHA1                     31910     6.4289
ECDSA intolerant               295       0.0594
ECDSA soft-nopfs               1         0.0002
RSA False                      147535    29.7237
RSA SHA1                       141919    28.5922
RSA intolerant                 28072     5.6556
RSA soft-nopfs                 4494      0.9054

Renegotiation             Count     Percent
-------------------------+---------+--------
False                     7988      1.6093
insecure                  22086     4.4496
secure                    466281    93.941

Compression               Count     Percent
-------------------------+---------+--------
1 (zlib compression)      12174     2.4527
False                     7988      1.6093
NONE                      476193    95.938

TLS session ticket hint   Count     Percent
-------------------------+---------+--------
1                         3         0.0006
1 only                    3         0.0006
2                         2         0.0004
2 only                    2         0.0004
5                         2         0.0004
5 only                    2         0.0004
10                        7         0.0014
10 only                   7         0.0014
15                        10        0.002
15 only                   10        0.002
30                        11        0.0022
30 only                   11        0.0022
60                        95        0.0191
60 only                   90        0.0181
70                        6         0.0012
100                       15        0.003
100 only                  15        0.003
120                       31        0.0062
120 only                  31        0.0062
128                       2         0.0004
128 only                  2         0.0004
150                       2         0.0004
180                       52        0.0105
180 only                  50        0.0101
240                       9         0.0018
240 only                  9         0.0018
300                       215043    43.3244
300 only                  209657    42.2393
400                       7         0.0014
400 only                  7         0.0014
420                       112       0.0226
420 only                  68        0.0137
480                       12        0.0024
480 only                  12        0.0024
500                       3         0.0006
500 only                  3         0.0006
540                       1         0.0002
540 only                  1         0.0002
600                       21511     4.3338
600 only                  21353     4.302
720                       2         0.0004
720 only                  1         0.0002
900                       604       0.1217
900 only                  585       0.1179
960                       2         0.0004
960 only                  2         0.0004
1200                      1894      0.3816
1200 only                 1888      0.3804
1440                      1         0.0002
1440 only                 1         0.0002
1500                      11        0.0022
1500 only                 10        0.002
1800                      411       0.0828
1800 only                 405       0.0816
2400                      6         0.0012
2400 only                 6         0.0012
2700                      8         0.0016
2700 only                 8         0.0016
3000                      14        0.0028
3000 only                 13        0.0026
3300                      1         0.0002
3300 only                 1         0.0002
3600                      424       0.0854
3600 only                 409       0.0824
3900                      2         0.0004
3900 only                 2         0.0004
4200                      1         0.0002
5400                      15        0.003
5400 only                 3         0.0006
6000                      4         0.0008
6000 only                 4         0.0008
7200                      15262     3.0748
7200 only                 10520     2.1195
10800                     1975      0.3979
10800 only                1968      0.3965
14400                     74        0.0149
14400 only                73        0.0147
18000                     11        0.0022
18000 only                11        0.0022
21600                     4863      0.9797
21600 only                4863      0.9797
28800                     2439      0.4914
28800 only                2009      0.4048
36000                     1142      0.2301
36000 only                1136      0.2289
43200                     28        0.0056
43200 only                26        0.0052
60000                     1         0.0002
60000 only                1         0.0002
64800                     45917     9.2508
64800 only                45644     9.1958
72000                     10        0.002
72000 only                10        0.002
86000                     43        0.0087
86000 only                43        0.0087
86400                     3392      0.6834
86400 only                3391      0.6832
100800                    12408     2.4998
100800 only               12385     2.4952
129600                    7         0.0014
129600 only               7         0.0014
172800                    5         0.001
172800 only               5         0.001
216000                    1         0.0002
216000 only               1         0.0002
432000                    1         0.0002
432000 only               1         0.0002
604800                    2         0.0004
604800 only               2         0.0004
864000                    1         0.0002
864000 only               1         0.0002
None                      179585    36.1808
None only                 168439    33.9352

Certificate sig alg       Count     Percent
-------------------------+---------+--------
None                      18390     3.705
ecdsa-with-SHA256         32196     6.4865
sha1WithRSAEncryption     162789    32.7969
sha256WithRSAEncryption   301606    60.7642
sha384WithRSAEncryption   3         0.0006
sha512WithRSAEncryption   7         0.0014

Certificate key size      Count     Percent
-------------------------+---------+--------
ECDSA 256                 32226     6.4925
ECDSA 384                 7         0.0014
ECDSA 521                 1         0.0002
RSA 1024                  139       0.028
RSA 10240                 4         0.0008
RSA 2047                  1         0.0002
RSA 2048                  446454    89.9465
RSA 2049                  3         0.0006
RSA 2056                  3         0.0006
RSA 2058                  2         0.0004
RSA 2064                  1         0.0002
RSA 2080                  2         0.0004
RSA 2084                  9         0.0018
RSA 2096                  1         0.0002
RSA 2345                  1         0.0002
RSA 2408                  3         0.0006
RSA 2432                  5         0.001
RSA 2612                  2         0.0004
RSA 3071                  1         0.0002
RSA 3072                  96        0.0193
RSA 3096                  1         0.0002
RSA 3102                  1         0.0002
RSA 3248                  2         0.0004
RSA 4042                  1         0.0002
RSA 4048                  2         0.0004
RSA 4056                  26        0.0052
RSA 4069                  1         0.0002
RSA 4086                  2         0.0004
RSA 4092                  7         0.0014
RSA 4096                  17401     3.5058
RSA 8192                  5         0.001
RSA/ECDSA Dual Stack      45        0.0091

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 97129     19.5685
Unsupported               399226    80.4315

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      28373     5.7163
SSL2 Only                 30        0.006
SSL3                      139997    28.205
SSL3 Only                 891       0.1795
SSL3 or TLS1 Only         84026     16.9286
SSL3 or lower Only        919       0.1851
TLS1                      493251    99.3746
TLS1 Only                 48794     9.8305
TLS1 or lower Only        110400    22.2421
TLS1.1                    372212    74.9891
TLS1.1 Only               33        0.0066
TLS1.1 or up Only         1982      0.3993
TLS1.2                    382499    77.0616
TLS1.2 Only               916       0.1845
TLS1.2, 1.0 but not 1.1   11830     2.3834

Statistics from 517131 chains provided by 680456 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  470323    69.1188
incomplete                19965     2.9341
untrusted                 190168    27.9471

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         328       0.0634
3                         262695    50.7985
4                         249615    48.2692
5                         4493      0.8688

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 32189
ECDSA 384                 32184
RSA 1024                  65659
RSA 2045                  1
RSA 2048                  1046763
RSA 4096                  115739

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 32189     6.2245
ECDSA 384                 32184     6.2236
RSA 1024                  65657     12.6964
RSA 2045                  1         0.0002
RSA 2048                  484420    93.6745
RSA 4096                  114849    22.2089

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              32189
sha1WithRSAEncryption          287125
sha256WithRSAEncryption        256796
sha384WithRSAEncryption        199294

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        236752    45.7818
112                       248197    47.995
128                       32182     6.2232

Root CAs                                      Count     Percent
---------------------------------------------+---------+-------
(861a399d) AddTrust Class 1 CA Root           126586    24.4785
(2c543cd1) GeoTrust Global CA                 111618    21.5841
(f081611a) The Go Daddy Group, Inc.           52765     10.2034
(5ad8a5d6) GlobalSign Root CA                 52501     10.1524
(eed8c118) COMODO ECC Certification Authority 32182     6.2232
(415660c1) VeriSign, Inc.                     30856     5.9668
(aee5f10d) Entrust.net Certification Authorit 28570     5.5247
(6cc3c4c3) Thawte Server CA                   25221     4.8771
(f387163d) Starfield Technologies, Inc.       11117     2.1497
(ae8153b9) StartCom Certification Authority   9414      1.8204
(653b494a) Baltimore CyberTrust Root          8928      1.7264
(578d5c04) Equifax                            6563      1.2691
(244b5494) DigiCert High Assurance EV Root CA 6432      1.2438

Scan performed between 18th and 28th of June 2015.
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic