Not much has changed since October, mostly a continuation of established trends. Curiously, the percentage of servers supporting just AES ciphers suddenly jumped by just over 3%. More detailed analysis on my blog:
https://securitypitfalls.wordpress.com/2015/12/07/november-2015-scan-results/

SSL/TLS survey of 530912 websites from Alexa's top 1 million

Stats only from connections that did provide valid certificates (or anonymous DH from servers that also have a valid certificate installed)

Supported Ciphers            Count   Percent
-------------------------+---------+---------
3DES                        457179    86.112
3DES Only                      577    0.1087
AES                         523844   98.6687
AES Only                     40463    7.6214
AES-CBC                     523220   98.5512
AES-CBC Only                 10280    1.9363
AES-GCM                     398334   75.0283
AES-GCM Only                   481    0.0906
CAMELLIA                    217685   41.0021
CAMELLIA Only                    1    0.0002
CHACHA20                     67665   12.7451
CHACHA20 Only                    2    0.0004
Insecure                     60479   11.3915
RC4                         191727   36.1128
RC4 Only                       977     0.184
RC4 Preferred                21462    4.0425
RC4 forced in TLS1.1+        11194    2.1084
x:FF 29 RC4 Only              1213    0.2285
x:FF 29 RC4 Preferred        23754    4.4742
x:FF 29 incompatible           400    0.0753
x:FF 35 RC4 Only              1476     0.278
x:FF 35 RC4 Preferred        23839    4.4902
x:FF 35 incompatible           402    0.0757
y:DHE-RSA-SEED-SHA           65003   12.2436
y:IDEA-CBC-SHA               59414   11.1909
y:SEED-SHA                   76068   14.3278
z:ADH-AES128-GCM-SHA256        396    0.0746
z:ADH-AES128-SHA               744    0.1401
z:ADH-AES128-SHA256            292     0.055
z:ADH-AES256-GCM-SHA384        408    0.0768
z:ADH-AES256-SHA               756    0.1424
z:ADH-AES256-SHA256            293    0.0552
z:ADH-CAMELLIA128-SHA          374    0.0704
z:ADH-CAMELLIA256-SHA          382     0.072
z:ADH-DES-CBC-SHA              303    0.0571
z:ADH-DES-CBC3-SHA             756    0.1424
z:ADH-RC4-MD5                  616     0.116
z:ADH-SEED-SHA                 305    0.0574
z:AECDH-AES128-SHA           10719     2.019
z:AECDH-AES256-SHA           10755    2.0258
z:AECDH-DES-CBC3-SHA         10685    2.0126
z:AECDH-NULL-SHA                63    0.0119
z:AECDH-RC4-SHA              10125    1.9071
z:DES-CBC-MD5                11270    2.1228
z:DES-CBC-SHA                36559    6.8861
z:DES-CBC3-MD5               23236    4.3766
z:ECDHE-RSA-NULL-SHA            68    0.0128
z:EDH-RSA-DES-CBC-SHA        31274    5.8906
z:EXP-ADH-DES-CBC-SHA          203    0.0382
z:EXP-ADH-RC4-MD5              199    0.0375
z:EXP-DES-CBC-SHA            14643    2.7581
z:EXP-EDH-RSA-DES-CBC-SHA    11812    2.2249
z:EXP-RC2-CBC-MD5            17779    3.3488
z:EXP-RC4-MD5                18577    3.4991
z:EXP1024-DES-CBC-SHA         4531    0.8534
z:EXP1024-RC4-SHA             4613    0.8689
z:IDEA-CBC-MD5                2255    0.4247
z:NULL-MD5                     237    0.0446
z:NULL-SHA                     236    0.0445
z:NULL-SHA256                   32     0.006
z:RC2-CBC-MD5                11512    2.1683
z:RC4-64-MD5                   922    0.1737

Cipher ordering              Count   Percent
-------------------------+---------+---------
Client side                 134022   25.2437
Server side                 396890   74.7563

Supported Handshakes         Count   Percent
-------------------------+---------+---------
ADH                            896    0.1688
AECDH                        10782    2.0308
DHE                         289298   54.4908
ECDH                             3    0.0006
ECDHE                       425231   80.0944
ECDHE and DHE               223210   42.0427
RSA                         458647   86.3885

Supported PFS                Count   Percent  PFS Percent
-------------------------+---------+---------+------------
DH,1024bits                 159457   30.0345      55.1186
DH,1536bits                      1    0.0002       0.0003
DH,2048bits                 121879   22.9565      42.1292
DH,2236bits                     14    0.0026       0.0048
DH,3072bits                    108    0.0203       0.0373
DH,3092bits                      1    0.0002       0.0003
DH,4096bits                   7458    1.4048        2.578
DH,512bits                      40    0.0075       0.0138
DH,6144bits                      1    0.0002       0.0003
DH,768bits                     439    0.0827       0.1517
DH,8192bits                      2    0.0004       0.0007
ECDH,B-571,570bits            1680    0.3164       0.3951
ECDH,K-571,570bits               1    0.0002       0.0002
ECDH,P-192,192bits              11    0.0021       0.0026
ECDH,P-224,224bits              81    0.0153        0.019
ECDH,P-256,256bits          411892    77.582      96.8631
ECDH,P-384,384bits            3589     0.676        0.844
ECDH,P-521,521bits            9333    1.7579       2.1948
Prefer DH,1024bits           58262   10.9739      20.1391
Prefer DH,1536bits               1    0.0002       0.0003
Prefer DH,2048bits           10378    1.9547       3.5873
Prefer DH,2236bits               1    0.0002       0.0003
Prefer DH,3072bits              13    0.0024       0.0045
Prefer DH,4096bits             392    0.0738       0.1355
Prefer DH,768bits               66    0.0124       0.0228
Prefer ECDH,B-571,570bits     1478    0.2784       0.3476
Prefer ECDH,K-571,570bits        1    0.0002       0.0002
Prefer ECDH,P-224,224bits       78    0.0147       0.0183
Prefer ECDH,P-256,256bits   370937   69.8679      87.2319
Prefer ECDH,P-384,384bits     3291    0.6199       0.7739
Prefer ECDH,P-521,521bits     8426    1.5871       1.9815
Prefer PFS                  453324   85.3859            0
Support PFS                 491319   92.5425            0

Supported ECC curves         Count   Percent
-------------------------+---------+---------
brainpoolP256r1               2073    0.3905
brainpoolP384r1               2074    0.3906
brainpoolP512r1               2074    0.3906
prime192v1                    1449    0.2729
prime256v1                  422425   79.5659
prime256v1 Only             368568   69.4217
secp160k1                     1406    0.2648
secp160r1                     1411    0.2658
secp160r2                     1406    0.2648
secp192k1                     1423     0.268
secp224k1                     1491    0.2808
secp224r1                     4011    0.7555
secp256k1                     3482    0.6559
secp384r1                    54256   10.2194
secp384r1 Only                 444    0.0836
secp521r1                    23612    4.4474
secp521r1 Only                 128    0.0241
sect163k1                     1415    0.2665
sect163k1 Only                   2    0.0004
sect163r1                     1413    0.2661
sect163r2                     1409    0.2654
sect193r1                     1409    0.2654
sect193r2                     1407     0.265
sect233k1                     1486    0.2799
sect233r1                     1486    0.2799
sect239k1                     1486    0.2799
sect283k1                     3447    0.6493
sect283k1 Only                   2    0.0004
sect283r1                     3442    0.6483
sect409k1                     3444    0.6487
sect409r1                     3443    0.6485
sect571k1                     3454    0.6506
sect571r1                     3454    0.6506

Unsupported curve fallback   Count   Percent
-------------------------+---------+---------
False                        69315   13.0558
True                        299493    56.411
order-specific                  82    0.0154
unknown                     162022   30.5177

ECC curve ordering           Count   Percent
-------------------------+---------+---------
client                        5116    0.9636
inconclusive-noecc               8    0.0015
server                      417915   78.7164
unknown                     107873   20.3184

TLSv1.2 PFS supported sigalgs  Count   Percent
-------------------------+---------+---------
ECDSA-SHA1                   39752    7.4875
ECDSA-SHA1 Only                  2    0.0004
ECDSA-SHA224                 39755    7.4881
ECDSA-SHA256                 53701   10.1149
ECDSA-SHA384                 53712   10.1169
ECDSA-SHA512                 53734   10.1211
ECDSA-SHA512 Only               22    0.0041
RSA-MD5                     164964   31.0718
RSA-SHA1                    368019   69.3183
RSA-SHA1 Only                42674    8.0379
RSA-SHA224                  303273    57.123
RSA-SHA256                  332849   62.6938
RSA-SHA256 Only               6204    1.1686
RSA-SHA384                  304966   57.4419
RSA-SHA384 Only                  1    0.0002
RSA-SHA512                  305210   57.4879
RSA-SHA512 Only                277    0.0522

TLSv1.2 PFS ordering         Count   Percent
-------------------------+---------+---------
client                      233407   43.9634
indeterminate                   45    0.0085
intolerant                    4576    0.8619
order-fallback                   8    0.0015
server                      177923   33.5127
unsupported                  21601    4.0687

TLSv1.2 PFS sigalg fallback  Count   Percent
-------------------------+---------+---------
ECDSA SHA1                   39724    7.4822
ECDSA intolerant               116    0.0218
ECDSA pfs-rsa-SHA512         13917    2.6213
ECDSA soft-nopfs                 3    0.0006
RSA False                   163706   30.8349
RSA SHA1                    176523    33.249
RSA intolerant               35829    6.7486
RSA pfs-ecdsa-SHA512            27    0.0051
RSA soft-nopfs                1308    0.2464

Renegotiation                Count   Percent
-------------------------+---------+---------
False                         6621    1.2471
insecure                     18673    3.5172
secure                      505618   95.2357

Compression                  Count   Percent
-------------------------+---------+---------
1 (zlib compression)          9772    1.8406
False                         6621    1.2471
NONE                        514519   96.9123

TLS session ticket hint      Count   Percent
-------------------------+---------+---------
1                                4    0.0008
1 only                           4    0.0008
2                                2    0.0004
2 only                           2    0.0004
10                              11    0.0021
10 only                         11    0.0021
15                              10    0.0019
15 only                         10    0.0019
30                              10    0.0019
30 only                          9    0.0017
60                              97    0.0183
60 only                         90     0.017
65                               2    0.0004
65 only                          2    0.0004
70                               6    0.0011
100                             15    0.0028
100 only                        15    0.0028
120                             27    0.0051
120 only                        27    0.0051
128                              2    0.0004
128 only                         2    0.0004
150                              2    0.0004
180                             41    0.0077
180 only                        38    0.0072
240                              5    0.0009
240 only                         5    0.0009
300                         244735   46.0971
300 only                    240267   45.2555
302                              3    0.0006
302 only                         3    0.0006
360                              2    0.0004
360 only                         1    0.0002
400                              8    0.0015
400 only                         8    0.0015
420                            124    0.0234
420 only                        97    0.0183
450                              1    0.0002
450 only                         1    0.0002
480                             13    0.0024
480 only                        13    0.0024
500                              3    0.0006
500 only                         3    0.0006
540                              1    0.0002
540 only                         1    0.0002
600                          26475    4.9867
600 only                     26305    4.9547
700                              1    0.0002
700 only                         1    0.0002
720                              1    0.0002
720 only                         1    0.0002
840                              1    0.0002
840 only                         1    0.0002
900                            878    0.1654
900 only                       861    0.1622
960                              2    0.0004
960 only                         2    0.0004
1200                          2334    0.4396
1200 only                     2330    0.4389
1320                             1    0.0002
1320 only                        1    0.0002
1500                             9    0.0017
1500 only                        8    0.0015
1800                           499     0.094
1800 only                      490    0.0923
1980                             1    0.0002
1980 only                        1    0.0002
2100                             1    0.0002
2100 only                        1    0.0002
2400                             8    0.0015
2400 only                        8    0.0015
2700                            10    0.0019
2700 only                       10    0.0019
3000                            26    0.0049
3000 only                       26    0.0049
3600                           573    0.1079
3600 only                      560    0.1055
3900                             3    0.0006
3900 only                        3    0.0006
4200                             1    0.0002
5160                             1    0.0002
5160 only                        1    0.0002
5400                            13    0.0024
5400 only                        6    0.0011
6000                           179    0.0337
6000 only                      179    0.0337
7200                         15645    2.9468
7200 only                    15623    2.9427
10800                         3114    0.5865
10800 only                    3110    0.5858
14400                           99    0.0186
14400 only                      99    0.0186
18000                            8    0.0015
18000 only                       8    0.0015
21600                         4849    0.9133
21600 only                    4637    0.8734
25200                            1    0.0002
25200 only                       1    0.0002
28800                         3555    0.6696
28800 only                    3543    0.6673
36000                         1157    0.2179
36000 only                    1150    0.2166
43200                           40    0.0075
43200 only                      40    0.0075
60000                            1    0.0002
60000 only                       1    0.0002
64800                        51789    9.7547
64800 only                   51762    9.7496
72000                           29    0.0055
72000 only                      29    0.0055
84600                            1    0.0002
84600 only                       1    0.0002
86000                           39    0.0073
86000 only                      39    0.0073
86400                         3482    0.6559
86400 only                    3471    0.6538
100800                       10699    2.0152
100800 only                  10688    2.0131
129600                          10    0.0019
129600 only                     10    0.0019
172800                           9    0.0017
172800 only                      9    0.0017
216000                           2    0.0004
216000 only                      2    0.0004
432000                           2    0.0004
432000 only                      2    0.0004
604800                           5    0.0009
604800 only                      3    0.0006
864000                           3    0.0006
864000 only                      3    0.0006
None                        165273     31.13
None only                   160236   30.1813

Certificate sig alg          Count   Percent
-------------------------+---------+---------
None                         11419    2.1508
ecdsa-with-SHA256            53709   10.1164
sha1WithRSAEncryption        79229   14.9232
sha256WithRSAEncryption     413158   77.8204
sha384WithRSAEncryption          6    0.0011
sha512WithRSAEncryption         33    0.0062

Certificate key size         Count   Percent
-------------------------+---------+---------
ECDSA 256                    53748   10.1237
ECDSA 384                       12    0.0023
ECDSA 521                        1    0.0002
RSA 1024                        38    0.0072
RSA 10240                        8    0.0015
RSA 2048                    470388      88.6
RSA 2049                         4    0.0008
RSA 2056                         1    0.0002
RSA 2058                         2    0.0004
RSA 2064                         1    0.0002
RSA 2084                         3    0.0006
RSA 2096                         1    0.0002
RSA 2408                         2    0.0004
RSA 2432                         2    0.0004
RSA 2480                         1    0.0002
RSA 3071                         1    0.0002
RSA 3072                       144    0.0271
RSA 3096                         2    0.0004
RSA 3120                         2    0.0004
RSA 3248                         2    0.0004
RSA 4042                         1    0.0002
RSA 4048                         1    0.0002
RSA 4056                        22    0.0041
RSA 4069                         1    0.0002
RSA 4086                         1    0.0002
RSA 4092                         6    0.0011
RSA 4094                         1    0.0002
RSA 4096                     20509     3.863
RSA 4098                         1    0.0002
RSA 4196                         1    0.0002
RSA 8192                         3    0.0006
RSA/ECDSA Dual Stack         13986    2.6343

OCSP stapling                Count   Percent
-------------------------+---------+---------
Supported                   115313   21.7198
Unsupported                 415599   78.2802

Supported Protocols          Count   Percent
-------------------------+---------+---------
SSL2                         23492    4.4248
SSL2 Only                       19    0.0036
SSL3                        121502   22.8855
SSL3 Only                      470    0.0885
SSL3 or TLS1 Only            68017   12.8114
SSL3 or lower Only             487    0.0917
TLS1                        525297   98.9424
TLS1 Only                    40462    7.6212
TLS1 or lower Only           89960   16.9444
TLS1.1                      427273   80.4791
TLS1.1 Only                    312    0.0588
TLS1.1 or up Only             4757     0.896
TLS1.2                      437543   82.4135
TLS1.2 Only                   2067    0.3893
TLS1.2, 1.0 but not 1.1      11005    2.0728

Statistics from 566530 chains provided by 702674 hosts

Server provided chains       Count   Percent
-------------------------+---------+---------
complete                    500948   71.2917
incomplete                   27324    3.8886
untrusted                   174402   24.8198

Trusted chain statistics
========================

Chain length                 Count   Percent
-------------------------+---------+---------
2                               40    0.0071
3                           564250   99.5975
4                             2220    0.3919
5                               20    0.0035

CA key size in chains        Count
-------------------------+---------
ECDSA 256                    53700
ECDSA 384                    53703
RSA 1024                        38
RSA 2045                         3
RSA 2048                    886848
RSA 4096                    140988

Chains with CA key           Count   Percent
-------------------------+---------+---------
ECDSA 256                    53700    9.4788
ECDSA 384                    53703    9.4793
RSA 1024                        36    0.0064
RSA 2045                         3    0.0005
RSA 2048                    512489   90.4611
RSA 4096                    140488    24.798

Signature algorithm (ex. root)  Count
------------------------------+---------
ecdsa-with-SHA384                 53695
sha1WithRSAEncryption             87476
sha256WithRSAEncryption          301918
sha384WithRSAEncryption          125587
sha512WithRSAEncryption              74

Eff. host cert chain LoS     Count   Percent
-------------------------+---------+---------
80                           87515   15.4475
112                         425304   75.0718
128                          53711    9.4807

Root CAs                                          Count   Percent
---------------------------------------------+---------+---------
(d6325660) COMODO RSA Certification Authority    116038   20.4822
(2c543cd1) GeoTrust Global CA                    109648   19.3543
(eed8c118) COMODO ECC Certification Authority     53687    9.4765
(cbf06781) Go Daddy Root Certificate Authorit     48182    8.5048
(5ad8a5d6) GlobalSign Root CA                     44132    7.7899
(b204d74a) VeriSign Class 3 Public Primary Ce     32386    5.7166
(244b5494) DigiCert High Assurance EV Root CA     26649    4.7039
(2e4eed3c) thawte Primary Root CA                 22839    4.0314
(157753a5) AddTrust External CA Root              21671    3.8252
(653b494a) Baltimore CyberTrust Root              12055    2.1279
(fc5a8f99) USERTrust RSA Certification Author      9450     1.668
(ae8153b9) StartCom Certification Authority        9327    1.6463
(4bfab552) Starfield Root Certificate Authori      9162    1.6172
(3513523f) DigiCert Global Root CA                 8636    1.5244

Scan performed between 22nd November and 3rd of December 2015

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
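The "Eff. host cert chain LoS" table above reports a chain's effective level of security as 80, 112 or 128 bits, and the surrounding tables (CA key sizes, signature algorithms excluding the root) show where those numbers come from: the weakest key or signature hash anywhere in the chain. The following is an added example, not code from the original message or from Hubert Kario's scanner, and it assumes the survey's LoS is the NIST SP 800-57 Part 1 comparable-strength value, taken as the minimum over every key in the chain and every signature except the root's self-signature. The `Cert` class, the function names and the three sample chains are constructed for illustration.

```python
"""Effective level of security (LoS) of an X.509 chain, NIST SP 800-57 style.

Added example; it reconstructs the weakest-link rule behind the survey's
"Eff. host cert chain LoS" figures. Assumptions: NIST SP 800-57 Part 1
strength tables, and the root's self-signature is not counted.
"""
import re
from dataclasses import dataclass
from typing import List

# NIST SP 800-57 Part 1, Table 2: (minimum key size, security strength in bits),
# scanned from the strongest row down. A key below the smallest row scores 0.
_RSA_DSA_DH_STRENGTH = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]
_ECC_STRENGTH = [(512, 256), (384, 192), (256, 128), (224, 112), (160, 80)]

# NIST SP 800-57 Part 1, Table 3: hash functions used in digital signatures.
_HASH_STRENGTH = {"sha1": 80, "sha224": 112, "sha256": 128, "sha384": 192, "sha512": 256}
_SHA_RE = re.compile(r"sha(\d+)")


def key_strength(key_type: str, bits: int) -> int:
    """Strength of an RSA/DSA/DH modulus or an ECC curve of `bits` bits."""
    table = _ECC_STRENGTH if key_type.upper() in ("EC", "ECDSA", "ECDH") else _RSA_DSA_DH_STRENGTH
    for minimum_bits, strength in table:
        if bits >= minimum_bits:
            return strength
    return 0  # e.g. RSA 512: not on any NIST row, treated as no security


def sig_strength(sig_alg: str) -> int:
    """Strength of the hash inside an OpenSSL signature-algorithm name such as
    'sha256WithRSAEncryption' or 'ecdsa-with-SHA384'. MD5 is absent from the
    NIST table and scores 0; anything else unrecognised raises."""
    name = sig_alg.lower()
    if "md5" in name:
        return 0
    match = _SHA_RE.search(name)
    if match is None or "sha" + match.group(1) not in _HASH_STRENGTH:
        raise ValueError(f"unrecognised signature algorithm: {sig_alg}")
    return _HASH_STRENGTH["sha" + match.group(1)]


@dataclass
class Cert:
    key_type: str   # "RSA" or "ECDSA"
    key_bits: int   # modulus size or curve size in bits
    sig_alg: str    # algorithm the *issuer* used to sign this certificate
    is_root: bool = False


def chain_los(chain: List[Cert]) -> int:
    """Effective LoS: the weakest key or non-root signature in the chain."""
    if not chain:
        raise ValueError("empty chain")
    levels = [key_strength(c.key_type, c.key_bits) for c in chain]
    levels += [sig_strength(c.sig_alg) for c in chain if not c.is_root]
    return min(levels)


# Constructed sample chains (leaf first, root last); not taken from the survey.
RSA_SHA256_CHAIN = [
    Cert("RSA", 2048, "sha256WithRSAEncryption"),
    Cert("RSA", 2048, "sha384WithRSAEncryption"),
    Cert("RSA", 2048, "sha1WithRSAEncryption", is_root=True),  # root self-sig: ignored
]
SHA1_LEAF_CHAIN = [
    Cert("RSA", 2048, "sha1WithRSAEncryption"),  # one SHA-1 signature drags the chain to 80
    Cert("RSA", 2048, "sha256WithRSAEncryption"),
    Cert("RSA", 4096, "sha256WithRSAEncryption", is_root=True),
]
ECDSA_CHAIN = [
    Cert("ECDSA", 256, "ecdsa-with-SHA256"),
    Cert("ECDSA", 384, "ecdsa-with-SHA384"),
    Cert("ECDSA", 384, "ecdsa-with-SHA384", is_root=True),
]

if __name__ == "__main__":
    for label, chain in [("RSA/SHA-256", RSA_SHA256_CHAIN),
                         ("SHA-1 leaf", SHA1_LEAF_CHAIN),
                         ("ECDSA P-256/P-384", ECDSA_CHAIN)]:
        print(f"{label:<20} LoS = {chain_los(chain)} bits")
```

Under this rule an RSA 2048 chain can never score above 112 no matter which hash it uses, which is why three quarters of the hosts in the table sit at exactly 112; the 128 bucket is essentially the ECDSA population, and reaching it with RSA would need 3072-bit keys in every certificate including the root. A single SHA-1 signature below the root, or an RSA 1024 key anywhere in the chain, pulls the whole chain down to 80.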