no analysis this time, I've been too busy, sorry

SSL/TLS survey of 536563 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)

Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      459320    85.6041
AES                       530014    98.7795
AES Only                  45794     8.5347
AES-CBC                   529364    98.6583
AES-CBC Only              10074     1.8775
AES-GCM                   412370    76.854
AES-GCM Only              538       0.1003
CAMELLIA                  222494    41.4665
CAMELLIA Only             3         0.0006
CHACHA20                  69686     12.9875
CHACHA20 Only             6         0.0011
Insecure                  57699     10.7534
RC4                       183979    34.2884
RC4 Only                  864       0.161
RC4 Preferred             19979     3.7235
RC4 forced in TLS1.1+     10502     1.9573
x:FF 29 RC4 Only          1093      0.2037
x:FF 29 RC4 Preferred     22208     4.1389
x:FF 29 incompatible      391       0.0729
x:FF 35 RC4 Only          1327      0.2473
x:FF 35 RC4 Preferred     22286     4.1535
x:FF 35 incompatible      395       0.0736
y:DHE-RSA-SEED-SHA        66508     12.3952
y:IDEA-CBC-SHA            61454     11.4533
y:SEED-SHA                77575     14.4578
z:ADH-AES128-GCM-SHA256   397       0.074
z:ADH-AES128-SHA          727       0.1355
z:ADH-AES128-SHA256       282       0.0526
z:ADH-AES256-GCM-SHA384   407       0.0759
z:ADH-AES256-SHA          745       0.1388
z:ADH-AES256-SHA256       282       0.0526
z:ADH-CAMELLIA128-SHA     367       0.0684
z:ADH-CAMELLIA256-SHA     379       0.0706
z:ADH-DES-CBC-SHA         309       0.0576
z:ADH-DES-CBC3-SHA        744       0.1387
z:ADH-RC4-MD5             597       0.1113
z:ADH-SEED-SHA            296       0.0552
z:AECDH-AES128-SHA        9967      1.8576
z:AECDH-AES256-SHA        10016     1.8667
z:AECDH-DES-CBC3-SHA      9935      1.8516
z:AECDH-NULL-SHA          60        0.0112
z:AECDH-RC4-SHA           9381      1.7484
z:DES-CBC-MD5             10532     1.9629
z:DES-CBC-SHA             35384     6.5946
z:DES-CBC3-MD5            21789     4.0608
z:ECDHE-RSA-NULL-SHA      64        0.0119
z:EDH-RSA-DES-CBC-SHA     30143     5.6178
z:EXP-ADH-DES-CBC-SHA     206       0.0384
z:EXP-ADH-RC4-MD5         201       0.0375
z:EXP-DES-CBC-SHA         13685     2.5505
z:EXP-EDH-RSA-DES-CBC-SHA 10941     2.0391
z:EXP-RC2-CBC-MD5         16617     3.0969
z:EXP-RC4-MD5             17371     3.2375
z:EXP1024-DES-CBC-SHA     4273      0.7964
z:EXP1024-RC4-SHA         4354      0.8115
z:IDEA-CBC-MD5            2139      0.3986
z:NULL-MD5                227       0.0423
z:NULL-SHA                227       0.0423
z:NULL-SHA256             28        0.0052
z:RC2-CBC-MD5             10751     2.0037
z:RC4-64-MD5              880       0.164

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               132599    24.7127
Server side               403964    75.2873

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       892       0.1662
AECDH                     10038     1.8708
DHE                       290879    54.2115
ECDH                      3         0.0006
ECDHE                     438449    81.7144
ECDHE and DHE             230817    43.0177
RSA                       462690    86.2322

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               156486    29.1645  53.7976
DH,1338bits               1         0.0002   0.0003
DH,1536bits               1         0.0002   0.0003
DH,2048bits               125695    23.426   43.2121
DH,2236bits               13        0.0024   0.0045
DH,2432bits               2         0.0004   0.0007
DH,2560bits               1         0.0002   0.0003
DH,3072bits               96        0.0179   0.033
DH,3092bits               1         0.0002   0.0003
DH,4094bits               1         0.0002   0.0003
DH,4096bits               8225      1.5329   2.8276
DH,4098bits               1         0.0002   0.0003
DH,512bits                39        0.0073   0.0134
DH,6144bits               2         0.0004   0.0007
DH,768bits                413       0.077    0.142
DH,8192bits               2         0.0004   0.0007
ECDH,B-571,570bits        1680      0.3131   0.3832
ECDH,K-163,163bits        1         0.0002   0.0002
ECDH,P-192,192bits        13        0.0024   0.003
ECDH,P-224,224bits        85        0.0158   0.0194
ECDH,P-256,256bits        424488    79.1124  96.8158
ECDH,P-384,384bits        3868      0.7209   0.8822
ECDH,P-521,521bits        9879      1.8412   2.2532
Prefer DH,1024bits        55460     10.3362  19.0663
Prefer DH,1536bits        1         0.0002   0.0003
Prefer DH,2048bits        7764      1.447    2.6692
Prefer DH,3072bits        10        0.0019   0.0034
Prefer DH,4096bits        364       0.0678   0.1251
Prefer DH,768bits         48        0.0089   0.0165
Prefer ECDH,B-571,570bits 1483      0.2764   0.3382
Prefer ECDH,K-163,163bits 1         0.0002   0.0002
Prefer ECDH,P-224,224bits 82        0.0153   0.0187
Prefer ECDH,P-256,256bits 386031    71.9451  88.0447
Prefer ECDH,P-384,384bits 2985      0.5563   0.6808
Prefer ECDH,P-521,521bits 8928      1.6639   2.0363
Prefer PFS                463157    86.3192  0
Support PFS               498511    92.9082  0

Supported ECC curves      Count     Percent
-------------------------+---------+--------
brainpoolP256r1           2250      0.4193
brainpoolP384r1           2253      0.4199
brainpoolP512r1           2257      0.4206
prime192v1                1426      0.2658
prime256v1                435505    81.1657
prime256v1 Only           381299    71.0632
secp160k1                 1377      0.2566
secp160r1                 1382      0.2576
secp160r2                 1376      0.2564
secp192k1                 1394      0.2598
secp224k1                 1465      0.273
secp224r1                 4037      0.7524
secp224r1 Only            1         0.0002
secp256k1                 3628      0.6762
secp384r1                 54625     10.1805
secp384r1 Only            479       0.0893
secp521r1                 24462     4.559
secp521r1 Only            129       0.024
sect163k1                 1388      0.2587
sect163k1 Only            1         0.0002
sect163r1                 1387      0.2585
sect163r2                 1387      0.2585
sect193r1                 1385      0.2581
sect193r2                 1384      0.2579
sect233k1                 1466      0.2732
sect233r1                 1464      0.2728
sect239k1                 1461      0.2723
sect283k1                 3583      0.6678
sect283r1                 3581      0.6674
sect409k1                 3584      0.668
sect409r1                 3584      0.668
sect571k1                 3594      0.6698
sect571r1                 3596      0.6702

Unsupported curve fallback     Count     Percent
------------------------------+---------+--------
False                          67862     12.6475
True                           312481    58.2375
order-specific                 96        0.0179
unknown                        156124    29.097

ECC curve ordering        Count     Percent
-------------------------+---------+--------
client                    5459      1.0174
inconclusive-noecc        12        0.0022
server                    430685    80.2674
unknown                   100407    18.713

TLSv1.2 PFS supported sigalgs  Count     Percent
------------------------------+---------+--------
ECDSA-SHA1                     41280     7.6934
ECDSA-SHA1 Only                2         0.0004
ECDSA-SHA224                   41274     7.6923
ECDSA-SHA256                   55318     10.3097
ECDSA-SHA384                   55314     10.3089
ECDSA-SHA512                   55315     10.3091
ECDSA-SHA512 Only              1         0.0002
RSA-MD5                        156847    29.2318
RSA-SHA1                       379786    70.7813
RSA-SHA1 Only                  42067     7.8401
RSA-SHA224                     314857    58.6803
RSA-SHA256                     345177    64.3311
RSA-SHA256 Only                6253      1.1654
RSA-SHA384                     316545    58.9949
RSA-SHA384 Only                1         0.0002
RSA-SHA512                     316760    59.035
RSA-SHA512 Only                293       0.0546

TLSv1.2 PFS ordering           Count     Percent
------------------------------+---------+--------
client                         241325    44.9761
indeterminate                  115       0.0214
intolerant                     4940      0.9207
order-fallback                 4         0.0007
server                         182715    34.0529
unsupported                    21177     3.9468

TLSv1.2 PFS sigalg fallback    Count     Percent
------------------------------+---------+--------
ECDSA SHA1                     41260     7.6897
ECDSA intolerant               48        0.0089
ECDSA pfs-rsa-SHA512           14029     2.6146
ECDSA soft-nopfs               2         0.0004
RSA False                      155749    29.0272
RSA SHA1                       196182    36.5627
RSA intolerant                 36096     6.7273
RSA pfs-ecdsa-SHA512           8         0.0015
RSA soft-nopfs                 1168      0.2177

Renegotiation             Count     Percent
-------------------------+---------+--------
False                     6429      1.1982
insecure                  17943     3.3441
secure                    512191    95.4578

Compression               Count     Percent
-------------------------+---------+--------
1 (zlib compression)      9264      1.7265
False                     6429      1.1982
NONE                      520870    97.0753

TLS session ticket hint   Count     Percent
-------------------------+---------+--------
1                         5         0.0009
1 only                    5         0.0009
2                         2         0.0004
2 only                    2         0.0004
5                         1         0.0002
5 only                    1         0.0002
10                        12        0.0022
10 only                   12        0.0022
15                        8         0.0015
15 only                   8         0.0015
30                        17        0.0032
30 only                   15        0.0028
60                        98        0.0183
60 only                   93        0.0173
65                        2         0.0004
65 only                   2         0.0004
70                        6         0.0011
100                       16        0.003
100 only                  16        0.003
120                       29        0.0054
120 only                  29        0.0054
128                       3         0.0006
128 only                  3         0.0006
150                       2         0.0004
180                       48        0.0089
180 only                  45        0.0084
240                       8         0.0015
240 only                  8         0.0015
300                       254800    47.4874
300 only                  250537    46.6929
302                       3         0.0006
302 only                  3         0.0006
360                       2         0.0004
360 only                  1         0.0002
400                       6         0.0011
400 only                  6         0.0011
420                       133       0.0248
420 only                  105       0.0196
480                       15        0.0028
480 only                  15        0.0028
500                       4         0.0007
500 only                  4         0.0007
540                       1         0.0002
540 only                  1         0.0002
600                       27913     5.2022
600 only                  27746     5.1711
700                       1         0.0002
700 only                  1         0.0002
840                       1         0.0002
840 only                  1         0.0002
900                       923       0.172
900 only                  896       0.167
960                       1         0.0002
960 only                  1         0.0002
1200                      2345      0.437
1200 only                 2339      0.4359
1320                      1         0.0002
1320 only                 1         0.0002
1500                      11        0.0021
1500 only                 10        0.0019
1800                      536       0.0999
1800 only                 528       0.0984
1980                      1         0.0002
1980 only                 1         0.0002
2100                      1         0.0002
2100 only                 1         0.0002
2400                      8         0.0015
2400 only                 8         0.0015
2700                      10        0.0019
2700 only                 10        0.0019
3000                      26        0.0048
3000 only                 26        0.0048
3300                      1         0.0002
3300 only                 1         0.0002
3600                      614       0.1144
3600 only                 602       0.1122
3900                      1         0.0002
3900 only                 1         0.0002
4100                      1         0.0002
4100 only                 1         0.0002
5160                      1         0.0002
5160 only                 1         0.0002
5400                      14        0.0026
5400 only                 7         0.0013
6000                      200       0.0373
6000 only                 200       0.0373
7200                      15561     2.9001
7200 only                 15539     2.896
10800                     3493      0.651
10800 only                3481      0.6488
14400                     98        0.0183
14400 only                98        0.0183
18000                     8         0.0015
18000 only                8         0.0015
21600                     4783      0.8914
21600 only                4783      0.8914
25200                     1         0.0002
25200 only                1         0.0002
28800                     2385      0.4445
28800 only                2380      0.4436
36000                     1170      0.2181
36000 only                1163      0.2167
43200                     39        0.0073
43200 only                39        0.0073
60000                     1         0.0002
60000 only                1         0.0002
64800                     4661      0.8687
64800 only                4660      0.8685
72000                     31        0.0058
72000 only                31        0.0058
79200                     1         0.0002
79200 only                1         0.0002
86000                     46        0.0086
86000 only                46        0.0086
86400                     3553      0.6622
86400 only                3545      0.6607
100800                    10783     2.0096
100800 only               10771     2.0074
115200                    1         0.0002
115200 only               1         0.0002
129600                    8         0.0015
129600 only               8         0.0015
172800                    9         0.0017
172800 only               9         0.0017
216000                    1         0.0002
216000 only               1         0.0002
432000                    2         0.0004
432000 only               2         0.0004
604800                    2         0.0004
604800 only               1         0.0002
None                      206697    38.5224
None only                 202099    37.6655

Certificate sig alg       Count     Percent
-------------------------+---------+--------
None                      10673     1.9891
ecdsa-with-SHA256         55263     10.2994
sha1WithRSAEncryption     66180     12.3341
sha256WithRSAEncryption   429902    80.1214
sha384WithRSAEncryption   5         0.0009
sha512WithRSAEncryption   37        0.0069

Certificate key size      Count     Percent
-------------------------+---------+--------
ECDSA 256                 55328     10.3116
ECDSA 384                 15        0.0028
RSA 1024                  33        0.0062
RSA 2048                  474602    88.4522
RSA 2049                  2         0.0004
RSA 2058                  3         0.0006
RSA 2064                  1         0.0002
RSA 2084                  4         0.0007
RSA 2096                  2         0.0004
RSA 2408                  1         0.0002
RSA 2480                  1         0.0002
RSA 3071                  1         0.0002
RSA 3072                  127       0.0237
RSA 3096                  2         0.0004
RSA 3248                  3         0.0006
RSA 4042                  1         0.0002
RSA 4048                  1         0.0002
RSA 4056                  24        0.0045
RSA 4069                  1         0.0002
RSA 4092                  6         0.0011
RSA 4094                  2         0.0004
RSA 4095                  1         0.0002
RSA 4096                  20517     3.8238
RSA 4098                  1         0.0002
RSA 4196                  2         0.0004
RSA 8192                  6         0.0011
RSA/ECDSA Dual Stack      14112     2.6301

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 122156    22.7664
Unsupported               414407    77.2336

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      22019     4.1037
SSL2 Only                 16        0.003
SSL3                      114551    21.349
SSL3 Only                 451       0.0841
SSL3 or TLS1 Only         62546     11.6568
SSL3 or lower Only        465       0.0867
TLS1                      530535    98.8766
TLS1 Only                 38783     7.228
TLS1 or lower Only        83051     15.4783
TLS1.1                    440269    82.0536
TLS1.1 Only               341       0.0636
TLS1.1 or up Only         5269      0.982
TLS1.2                    450259    83.9154
TLS1.2 Only               2150      0.4007
TLS1.2, 1.0 but not 1.1   10510     1.9588

Statistics from 571668 chains provided by 706831 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  509502    72.0826
incomplete                25925     3.6678
untrusted                 171404    24.2496

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         33        0.0058
3                         569492    99.6194
4                         2129      0.3724
5                         14        0.0024

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 55261
ECDSA 384                 55264
RSA 1024                  33
RSA 2045                  3
RSA 2048                  886633
RSA 4096                  148266

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 55261     9.6666
ECDSA 384                 55264     9.6671
RSA 1024                  31        0.0054
RSA 2045                  3         0.0005
RSA 2048                  516046    90.2702
RSA 4096                  147728    25.8416

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              55257
sha1WithRSAEncryption          74114
sha256WithRSAEncryption        311465
sha384WithRSAEncryption        132882
sha512WithRSAEncryption        74

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        74154     12.9715
112                       442237    77.3591
128                       55277     9.6694

Most common root CAs                          Count     Percent
---------------------------------------------+---------+-------
(157753a5) AddTrust External CA Root          21173     3.7037
(244b5494) DigiCert High Assurance EV Root CA 22796     3.9876
(2c543cd1) GeoTrust Global CA                 103983    18.1894
(2e4eed3c) thawte Primary Root CA             22155     3.8755
(3513523f) DigiCert Global Root CA            8921      1.5605
(4bfab552) Starfield Root Certificate Authori 7786      1.362
(5ad8a5d6) GlobalSign Root CA                 49934     8.7348
(653b494a) Baltimore CyberTrust Root          11652     2.0382
(ae8153b9) StartCom Certification Authority   9075      1.5875
(b204d74a) VeriSign Class 3 Public Primary Ce 33097     5.7895
(cbf06781) Go Daddy Root Certificate Authorit 50135     8.77
(d6325660) COMODO RSA Certification Authority 118944    20.8065
(eed8c118) COMODO ECC Certification Authority 55250     9.6647
(fc5a8f99) USERTrust RSA Certification Author 13826     2.4185

Scan performed between 15th of December and 26 of December 2015.

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic