no analysis for this month, sorry

SSL/TLS survey of 514491 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)

Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      441032    85.722
3DES Only                 662       0.1287
AES                       506240    98.3963
AES Only                  20155     3.9175
AES-CBC                   506132    98.3753
AES-CBC Only              9532      1.8527
AES-GCM                   372880    72.4755
AES-GCM Only              53        0.0103
CAMELLIA                  228600    44.4323
CAMELLIA Only             1         0.0002
CHACHA20                  63632     12.368
CHACHA20 Only             1         0.0002
Insecure                  64742     12.5837
RC4                       231507    44.9973
RC4 Only                  1252      0.2433
RC4 Preferred             27685     5.381
RC4 forced in TLS1.1+     15710     3.0535
x:FF 29 RC4 Only          1532      0.2978
x:FF 29 RC4 Preferred     31430     6.109
x:FF 29 incompatible      137       0.0266
x:FF 35 RC4 Only          1845      0.3586
x:FF 35 RC4 Preferred     31550     6.1323
x:FF 35 incompatible      138       0.0268
y:DHE-RSA-SEED-SHA        86011     16.7177
y:IDEA-CBC-SHA            78923     15.34
y:SEED-SHA                96111     18.6808
z:ADH-AES128-GCM-SHA256   333       0.0647
z:ADH-AES128-SHA          745       0.1448
z:ADH-AES128-SHA256       236       0.0459
z:ADH-AES256-GCM-SHA384   343       0.0667
z:ADH-AES256-SHA          749       0.1456
z:ADH-AES256-SHA256       236       0.0459
z:ADH-CAMELLIA128-SHA     344       0.0669
z:ADH-CAMELLIA256-SHA     350       0.068
z:ADH-DES-CBC-SHA         321       0.0624
z:ADH-DES-CBC3-SHA        759       0.1475
z:ADH-RC4-MD5             621       0.1207
z:ADH-SEED-SHA            272       0.0529
z:AECDH-AES128-SHA        12374     2.4051
z:AECDH-AES256-SHA        12403     2.4107
z:AECDH-DES-CBC3-SHA      12331     2.3967
z:AECDH-NULL-SHA          55        0.0107
z:AECDH-RC4-SHA           11656     2.2655
z:DES-CBC-MD5             12201     2.3715
z:DES-CBC-SHA             37676     7.323
z:DES-CBC3-MD5            24906     4.8409
z:ECDHE-RSA-NULL-SHA      59        0.0115
z:EDH-RSA-DES-CBC-SHA     32341     6.286
z:EXP-ADH-DES-CBC-SHA     225       0.0437
z:EXP-ADH-RC4-MD5         222       0.0431
z:EXP-DES-CBC-SHA         16253     3.159
z:EXP-EDH-RSA-DES-CBC-SHA 13136     2.5532
z:EXP-RC2-CBC-MD5         19785     3.8455
z:EXP-RC4-MD5             20799     4.0426
z:EXP1024-DES-CBC-SHA     5124      0.9959
z:EXP1024-RC4-SHA         5211      1.0128
z:IDEA-CBC-MD5            2368      0.4603
z:NULL-MD5                228       0.0443
z:NULL-SHA                231       0.0449
z:NULL-SHA256             22        0.0043
z:RC2-CBC-MD5             12471     2.4239
z:RC4-64-MD5              1000      0.1944

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               131154    25.492
Server side               383337    74.508

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       872       0.1695
AECDH                     12430     2.416
DHE                       282349    54.8793
ECDH                      3         0.0006
ECDHE                     400761    77.8947
ECDHE and DHE             210872    40.9865
RSA                       466026    90.58

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               176947    34.3926  62.6696
DH,1536bits               1         0.0002   0.0004
DH,2048bits               97579     18.9661  34.5597
DH,2236bits               10        0.0019   0.0035
DH,2560bits               1         0.0002   0.0004
DH,3072bits               1027      0.1996   0.3637
DH,3092bits               1         0.0002   0.0004
DH,4096bits               6303      1.2251   2.2323
DH,512bits                53        0.0103   0.0188
DH,768bits                502       0.0976   0.1778
DH,8192bits               1         0.0002   0.0004
ECDH,B-163,163bits        1         0.0002   0.0002
ECDH,B-571,570bits        1514      0.2943   0.3778
ECDH,K-163,163bits        1         0.0002   0.0002
ECDH,K-571,570bits        1         0.0002   0.0002
ECDH,P-192,192bits        2         0.0004   0.0005
ECDH,P-224,224bits        89        0.0173   0.0222
ECDH,P-256,256bits        389270    75.6612  97.1327
ECDH,P-384,384bits        2668      0.5186   0.6657
ECDH,P-521,521bits        8073      1.5691   2.0144
Prefer DH,1024bits        63712     12.3835  22.565
Prefer DH,1536bits        1         0.0002   0.0004
Prefer DH,2048bits        9342      1.8158   3.3087
Prefer DH,2236bits        1         0.0002   0.0004
Prefer DH,3072bits        14        0.0027   0.005
Prefer DH,4096bits        342       0.0665   0.1211
Prefer DH,768bits         102       0.0198   0.0361
Prefer ECDH,B-163,163bits 1         0.0002   0.0002
Prefer ECDH,B-571,570bits 1305      0.2536   0.3256
Prefer ECDH,K-163,163bits 1         0.0002   0.0002
Prefer ECDH,K-571,570bits 1         0.0002   0.0002
Prefer ECDH,P-224,224bits 55        0.0107   0.0137
Prefer ECDH,P-256,256bits 337269    65.5539  84.1571
Prefer ECDH,P-384,384bits 2525      0.4908   0.6301
Prefer ECDH,P-521,521bits 7266      1.4123   1.8131
Prefer PFS                421937    82.0106  0
Support PFS               472238    91.7874  0

Supported ECC curves      Count     Percent
-------------------------+---------+--------
brainpoolP256r1           1285      0.2498
brainpoolP384r1           1285      0.2498
brainpoolP512r1           1285      0.2498
prime192v1                1409      0.2739
prime256v1                399379    77.626
prime256v1 Only           346484    67.345
secp160k1                 1372      0.2667
secp160r1                 1376      0.2674
secp160r2                 1372      0.2667
secp192k1                 1393      0.2708
secp224k1                 1466      0.2849
secp224r1                 3478      0.676
secp224r1 Only            2         0.0004
secp256k1                 2664      0.5178
secp384r1                 53002     10.3018
secp384r1 Only            342       0.0665
secp521r1                 22491     4.3715
secp521r1 Only            118       0.0229
sect163k1                 1376      0.2674
sect163k1 Only            2         0.0004
sect163r1                 1374      0.2671
sect163r2                 1375      0.2673
sect163r2 Only            1         0.0002
sect193r1                 1374      0.2671
sect193r2                 1374      0.2671
sect233k1                 1460      0.2838
sect233r1                 1458      0.2834
sect239k1                 1458      0.2834
sect283k1                 2637      0.5125
sect283r1                 2637      0.5125
sect409k1                 2637      0.5125
sect409r1                 2637      0.5125
sect571k1                 2650      0.5151
sect571r1                 2650      0.5151

Unsupported curve fallback     Count     Percent
------------------------------+---------+--------
False                          69342     13.4778
True                           279091    54.246
order-specific                 247       0.048
unknown                        165811    32.2282

ECC curve ordering        Count     Percent
-------------------------+---------+--------
client                    4128      0.8023
inconclusive-noecc        10        0.0019
server                    395723    76.9154
unknown                   114630    22.2803

TLSv1.2 PFS supported sigalgs  Count     Percent
------------------------------+---------+--------
ECDSA-SHA1                     36846     7.1616
ECDSA-SHA1 Only                3         0.0006
ECDSA-SHA224                   36847     7.1618
ECDSA-SHA256                   36861     7.1646
ECDSA-SHA384                   36862     7.1648
ECDSA-SHA512                   36877     7.1677
ECDSA-SHA512 Only              15        0.0029
RSA-MD5                        169404    32.9265
RSA-SHA1                       349277    67.8879
RSA-SHA1 Only                  46373     9.0134
RSA-SHA224                     283789    55.1592
RSA-SHA256                     309288    60.1153
RSA-SHA256 Only                5302      1.0305
RSA-SHA384                     284974    55.3895
RSA-SHA384 Only                1         0.0002
RSA-SHA512                     285175    55.4286
RSA-SHA512 Only                218       0.0424

TLSv1.2 PFS ordering           Count     Percent
------------------------------+---------+--------
client                         247485    48.1029
indeterminate                  113       0.022
intolerant                     3917      0.7613
order-fallback                 6         0.0012
server                         141461    27.4953
unsupported                    22160     4.3072

TLSv1.2 PFS sigalg fallback    Count     Percent
------------------------------+---------+--------
ECDSA SHA1                     36832     7.1589
ECDSA intolerant               63        0.0122
ECDSA pfs-rsa-SHA512           1         0.0002
RSA False                      168019    32.6573
RSA SHA1                       154614    30.0518
RSA intolerant                 32671     6.3502
RSA pfs-ecdsa-SHA512           1         0.0002
RSA soft-nopfs                 1437      0.2793

Renegotiation             Count     Percent
-------------------------+---------+--------
False                     6340      1.2323
insecure                  19961     3.8798
secure                    488190    94.888

Compression               Count     Percent
-------------------------+---------+--------
1 (zlib compression)      10392     2.0199
False                     6340      1.2323
NONE                      497759    96.7479

TLS session ticket hint   Count     Percent
-------------------------+---------+--------
1                         4         0.0008
1 only                    4         0.0008
2                         2         0.0004
2 only                    2         0.0004
5                         1         0.0002
5 only                    1         0.0002
10                        7         0.0014
10 only                   7         0.0014
15                        8         0.0016
15 only                   8         0.0016
30                        11        0.0021
30 only                   10        0.0019
60                        93        0.0181
60 only                   87        0.0169
65                        1         0.0002
65 only                   1         0.0002
70                        7         0.0014
100                       14        0.0027
100 only                  14        0.0027
120                       30        0.0058
120 only                  30        0.0058
128                       2         0.0004
128 only                  2         0.0004
150                       2         0.0004
180                       39        0.0076
180 only                  37        0.0072
240                       14        0.0027
240 only                  14        0.0027
300                       232702    45.2296
300 only                  227970    44.3098
302                       2         0.0004
302 only                  2         0.0004
360                       2         0.0004
360 only                  1         0.0002
400                       7         0.0014
400 only                  7         0.0014
420                       113       0.022
420 only                  87        0.0169
480                       11        0.0021
480 only                  11        0.0021
500                       4         0.0008
500 only                  4         0.0008
540                       1         0.0002
540 only                  1         0.0002
600                       24187     4.7012
600 only                  24031     4.6708
720                       2         0.0004
720 only                  2         0.0004
840                       2         0.0004
840 only                  2         0.0004
900                       718       0.1396
900 only                  702       0.1364
960                       3         0.0006
960 only                  3         0.0006
1200                      2085      0.4053
1200 only                 2080      0.4043
1320                      1         0.0002
1320 only                 1         0.0002
1500                      11        0.0021
1500 only                 10        0.0019
1800                      473       0.0919
1800 only                 468       0.091
2100                      1         0.0002
2100 only                 1         0.0002
2400                      6         0.0012
2400 only                 6         0.0012
2700                      7         0.0014
2700 only                 7         0.0014
3000                      19        0.0037
3000 only                 19        0.0037
3600                      512       0.0995
3600 only                 498       0.0968
3900                      1         0.0002
3900 only                 1         0.0002
4200                      1         0.0002
5160                      1         0.0002
5160 only                 1         0.0002
5400                      14        0.0027
5400 only                 6         0.0012
6000                      3         0.0006
6000 only                 3         0.0006
7200                      16177     3.1443
7200 only                 16154     3.1398
10800                     2416      0.4696
10800 only                2411      0.4686
14400                     70        0.0136
14400 only                70        0.0136
18000                     7         0.0014
18000 only                7         0.0014
21600                     4966      0.9652
21600 only                4963      0.9646
28800                     2049      0.3983
28800 only                637       0.1238
36000                     1187      0.2307
36000 only                1176      0.2286
43200                     35        0.0068
43200 only                35        0.0068
60000                     1         0.0002
60000 only                1         0.0002
64800                     51944     10.0962
64800 only                51911     10.0898
72000                     13        0.0025
72000 only                13        0.0025
86000                     31        0.006
86000 only                31        0.006
86400                     3546      0.6892
86400 only                3543      0.6886
100800                    11273     2.1911
100800 only               11263     2.1892
129600                    9         0.0017
129600 only               9         0.0017
172800                    7         0.0014
172800 only               7         0.0014
216000                    1         0.0002
216000 only               1         0.0002
432000                    2         0.0004
432000 only               2         0.0004
604800                    1         0.0002
604800 only               1         0.0002
864000                    3         0.0006
864000 only               3         0.0006
2592000                   1         0.0002
2592000 only              1         0.0002
None                      166108    32.2859
None only                 159631    31.027

Certificate sig alg       Count     Percent
-------------------------+---------+--------
None                      13099     2.546
ecdsa-with-SHA256         36858     7.164
sha1WithRSAEncryption     100797    19.5916
sha256WithRSAEncryption   377291    73.3329
sha384WithRSAEncryption   6         0.0012
sha512WithRSAEncryption   26        0.0051

Certificate key size      Count     Percent
-------------------------+---------+--------
ECDSA 256                 36891     7.1704
ECDSA 384                 8         0.0016
RSA 1024                  68        0.0132
RSA 10240                 5         0.001
RSA 2048                  459006    89.2156
RSA 2049                  3         0.0006
RSA 2056                  2         0.0004
RSA 2058                  2         0.0004
RSA 2064                  1         0.0002
RSA 2078                  1         0.0002
RSA 2080                  2         0.0004
RSA 2084                  6         0.0012
RSA 2096                  2         0.0004
RSA 2408                  1         0.0002
RSA 2432                  2         0.0004
RSA 2480                  1         0.0002
RSA 2890                  1         0.0002
RSA 3024                  1         0.0002
RSA 3071                  1         0.0002
RSA 3072                  119       0.0231
RSA 3248                  3         0.0006
RSA 4042                  1         0.0002
RSA 4048                  1         0.0002
RSA 4056                  26        0.0051
RSA 4069                  2         0.0004
RSA 4092                  6         0.0012
RSA 4094                  1         0.0002
RSA 4096                  18374     3.5713
RSA 8192                  5         0.001
RSA/ECDSA Dual Stack      44        0.0086

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 110108    21.4013
Unsupported               404383    78.5987

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      25202     4.8984
SSL2 Only                 15        0.0029
SSL3                      126817    24.649
SSL3 Only                 549       0.1067
SSL3 or TLS1 Only         72846     14.1588
SSL3 or lower Only        571       0.111
TLS1                      510753    99.2735
TLS1 Only                 43061     8.3696
TLS1 or lower Only        96394     18.7358
TLS1.1                    405071    78.7324
TLS1.1 Only               30        0.0058
TLS1.1 or up Only         2939      0.5712
TLS1.2                    415131    80.6877
TLS1.2 Only               1267      0.2463
TLS1.2, 1.0 but not 1.1   11078     2.1532

Statistics from 481615 chains provided by 696385 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  438491    62.9667
incomplete                20877     2.9979
untrusted                 237017    34.0353

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         214       0.0444
3                         479299    99.5191
4                         2064      0.4286
5                         38        0.0079

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 21571
ECDSA 384                 21574
RSA 1024                  189
RSA 2045                  3
RSA 2048                  797792
RSA 4096                  124027

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 21571     4.4789
ECDSA 384                 21574     4.4795
RSA 1024                  187       0.0388
RSA 2045                  3         0.0006
RSA 2048                  459556    95.4198
RSA 4096                  123505    25.6439

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              21569
sha1WithRSAEncryption          87272
sha256WithRSAEncryption        264799
sha384WithRSAEncryption        109831
sha512WithRSAEncryption        70

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        87432     18.1539
112                       372602    77.3651
128                       21581     4.481

Root CAs                                      Count     Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA                 102403    21.2624
(d6325660) COMODO RSA Certification Authority 101866    21.1509
(cbf06781) Go Daddy Root Certificate Authorit 47350     9.8315
(5ad8a5d6) GlobalSign Root CA                 41408     8.5977
(b204d74a) VeriSign Class 3 Public Primary Ce 26837     5.5723
(244b5494) DigiCert High Assurance EV Root CA 25125     5.2168
(2e4eed3c) thawte Primary Root CA             22902     4.7553
(eed8c118) COMODO ECC Certification Authority 21557     4.476
(653b494a) Baltimore CyberTrust Root          11908     2.4725
(157753a5) AddTrust External CA Root          10009     2.0782
(ae8153b9) StartCom Certification Authority   8637      1.7933
(fc5a8f99) USERTrust RSA Certification Author 7875      1.6351
(3513523f) DigiCert Global Root CA            7502      1.5577
(4bfab552) Starfield Root Certificate Authori 6246      1.2969
(480720ec) GeoTrust Primary Certification Aut 5252      1.0905
(f387163d) Starfield Technologies, Inc.       4889      1.0151

Scan performed between 18th and 28th of September 2015.

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic