raw statistics only, sorry SSL/TLS survey of 541489 websites from Alexa's top 1 million Stats only from connections that did provide valid certificates (or anonymous DH from servers that do also have valid certificate installed) Supported Ciphers Count Percent -------------------------+---------+------- 3DES 477135 88.1154 3DES Only 523 0.0966 3DES Preferred 1744 0.3221 3DES forced in TLS1.1+ 945 0.1745 AES 535585 98.9097 AES Only 34994 6.4626 AES-CBC 534935 98.7896 AES-CBC Only 9110 1.6824 AES-GCM 422759 78.0734 AES-GCM Only 589 0.1088 CAMELLIA 228296 42.1608 CAMELLIA Only 2 0.0004 CHACHA20 72561 13.4003 CHACHA20 Only 1 0.0002 Insecure 56630 10.4582 RC4 178913 33.0409 RC4 Only 577 0.1066 RC4 Preferred 18219 3.3646 RC4 forced in TLS1.1+ 9446 1.7444 x:FF 29 3DES Only 574 0.106 x:FF 29 3DES Preferred 2103 0.3884 x:FF 29 RC4 Only 771 0.1424 x:FF 29 RC4 Preferred 20172 3.7253 x:FF 29 incompatible 395 0.0729 x:FF 35 3DES Only 582 0.1075 x:FF 35 3DES Preferred 2009 0.371 x:FF 35 RC4 Only 937 0.173 x:FF 35 RC4 Preferred 20230 3.736 x:FF 35 incompatible 398 0.0735 y:DHE-RSA-SEED-SHA 66504 12.2817 y:IDEA-CBC-SHA 63061 11.6459 y:SEED-SHA 78410 14.4804 z:ADH-AES128-GCM-SHA256 397 0.0733 z:ADH-AES128-SHA 714 0.1319 z:ADH-AES128-SHA256 269 0.0497 z:ADH-AES256-GCM-SHA384 413 0.0763 z:ADH-AES256-SHA 723 0.1335 z:ADH-AES256-SHA256 271 0.05 z:ADH-CAMELLIA128-SHA 358 0.0661 z:ADH-CAMELLIA256-SHA 366 0.0676 z:ADH-DES-CBC-SHA 298 0.055 z:ADH-DES-CBC3-SHA 722 0.1333 z:ADH-RC4-MD5 560 0.1034 z:ADH-SEED-SHA 286 0.0528 z:AECDH-AES128-SHA 9282 1.7142 z:AECDH-AES256-SHA 9332 1.7234 z:AECDH-DES-CBC3-SHA 9248 1.7079 z:AECDH-NULL-SHA 61 0.0113 z:AECDH-RC4-SHA 8710 1.6085 z:DES-CBC-MD5 10050 1.856 z:DES-CBC-SHA 35379 6.5337 z:DES-CBC3-MD5 21189 3.9131 z:ECDHE-RSA-NULL-SHA 67 0.0124 z:EDH-RSA-DES-CBC-SHA 30295 5.5948 z:EXP-ADH-DES-CBC-SHA 192 0.0355 z:EXP-ADH-RC4-MD5 189 0.0349 z:EXP-DES-CBC-SHA 13046 2.4093 z:EXP-EDH-RSA-DES-CBC-SHA 10364 1.914 z:EXP-RC2-CBC-MD5 15781 2.9144 z:EXP-RC4-MD5 16506 3.0483 z:EXP1024-DES-CBC-SHA 4104 0.7579 z:EXP1024-RC4-SHA 4194 0.7745 z:IDEA-CBC-MD5 2095 0.3869 z:NULL-MD5 211 0.039 z:NULL-SHA 210 0.0388 z:NULL-SHA256 30 0.0055 z:RC2-CBC-MD5 10224 1.8881 z:RC4-64-MD5 892 0.1647 Cipher ordering Count Percent -------------------------+---------+------- Client side 133145 24.5887 Server side 408344 75.4113 Supported Handshakes Count Percent -------------------------+---------+------- ADH 874 0.1614 AECDH 9353 1.7273 DHE 292291 53.9791 ECDH 2 0.0004 ECDHE 448914 82.9036 ECDHE and DHE 235557 43.5017 RSA 475602 87.8323 Supported PFS Count Percent PFS Percent -------------------------+---------+--------+----------- DH,1024bits 152465 28.1566 52.1621 DH,1338bits 1 0.0002 0.0003 DH,1536bits 1 0.0002 0.0003 DH,2048bits 131006 24.1937 44.8204 DH,2236bits 13 0.0024 0.0044 DH,2432bits 2 0.0004 0.0007 DH,2560bits 1 0.0002 0.0003 DH,3072bits 93 0.0172 0.0318 DH,3092bits 1 0.0002 0.0003 DH,4096bits 8605 1.5891 2.944 DH,4098bits 1 0.0002 0.0003 DH,512bits 50 0.0092 0.0171 DH,768bits 395 0.0729 0.1351 DH,8192bits 2 0.0004 0.0007 ECDH,B-571,570bits 1771 0.3271 0.3945 ECDH,K-163,163bits 1 0.0002 0.0002 ECDH,P-192,192bits 15 0.0028 0.0033 ECDH,P-224,224bits 84 0.0155 0.0187 ECDH,P-256,256bits 433613 80.0779 96.5916 ECDH,P-384,384bits 4499 0.8309 1.0022 ECDH,P-521,521bits 10705 1.977 2.3846 Prefer DH,1024bits 53883 9.9509 18.4347 Prefer DH,1536bits 1 0.0002 0.0003 Prefer DH,2048bits 6107 1.1278 2.0894 Prefer DH,3072bits 9 0.0017 0.0031 Prefer DH,4096bits 375 0.0693 0.1283 Prefer DH,768bits 52 0.0096 0.0178 Prefer ECDH,B-571,570bits 1556 0.2874 0.3466 Prefer ECDH,K-163,163bits 1 0.0002 0.0002 Prefer ECDH,P-224,224bits 81 0.015 0.018 Prefer ECDH,P-256,256bits 396887 73.2955 88.4105 Prefer ECDH,P-384,384bits 3290 0.6076 0.7329 Prefer ECDH,P-521,521bits 9642 1.7806 2.1479 Prefer PFS 471884 87.1456 0 Support PFS 505648 93.381 0 Supported ECC curves Count Percent -------------------------+---------+-------- brainpoolP256r1 2578 0.4761 brainpoolP384r1 2579 0.4763 brainpoolP512r1 2580 0.4765 prime192v1 1446 0.267 prime256v1 445477 82.2689 prime256v1 Only 388604 71.7658 secp160k1 1397 0.258 secp160r1 1402 0.2589 secp160r2 1396 0.2578 secp192k1 1410 0.2604 secp224k1 1487 0.2746 secp224r1 4270 0.7886 secp224r1 Only 1 0.0002 secp256k1 4033 0.7448 secp384r1 57392 10.5989 secp384r1 Only 554 0.1023 secp521r1 26343 4.8649 secp521r1 Only 142 0.0262 sect163k1 1402 0.2589 sect163k1 Only 2 0.0004 sect163r1 1400 0.2585 sect163r2 1400 0.2585 sect193r1 1399 0.2584 sect193r2 1399 0.2584 sect233k1 1480 0.2733 sect233r1 1480 0.2733 sect239k1 1480 0.2733 sect283k1 3926 0.725 sect283k1 Only 1 0.0002 sect283r1 3925 0.7249 sect409k1 3924 0.7247 sect409r1 3923 0.7245 sect571k1 3928 0.7254 sect571r1 3929 0.7256 Unsupported curve fallback Count Percent ------------------------------+---------+-------- False 55946 10.3319 True 332237 61.3562 order-specific 60 0.0111 unknown 153246 28.3009 ECC curve ordering Count Percent -------------------------+---------+-------- client 6546 1.2089 inconclusive-noecc 10 0.0018 server 439646 81.192 unknown 95287 17.5972 TLSv1.2 PFS supported sigalgs Count Percent ------------------------------+---------+-------- ECDSA-SHA1 43763 8.082 ECDSA-SHA1 Only 3 0.0006 ECDSA-SHA224 43755 8.0805 ECDSA-SHA256 58463 10.7967 ECDSA-SHA384 58458 10.7958 ECDSA-SHA512 58458 10.7958 RSA-MD5 93307 17.2316 RSA-SHA1 386583 71.3926 RSA-SHA1 Only 41287 7.6247 RSA-SHA224 320766 59.2378 RSA-SHA256 353383 65.2613 RSA-SHA256 Only 6919 1.2778 RSA-SHA384 322845 59.6217 RSA-SHA384 Only 1 0.0002 RSA-SHA512 322938 59.6389 RSA-SHA512 Only 199 0.0368 TLSv1.2 PFS ordering Count Percent ------------------------------+---------+-------- client 245811 45.3954 indeterminate 42 0.0078 intolerant 5114 0.9444 order-fallback 9 0.0017 server 187931 34.7063 unsupported 19787 3.6542 TLSv1.2 PFS sigalg fallback Count Percent ------------------------------+---------+-------- ECDSA SHA1 43750 8.0796 ECDSA intolerant 30 0.0055 ECDSA pfs-rsa-SHA512 14685 2.712 ECDSA soft-nopfs 1 0.0002 RSA False 92525 17.0871 RSA SHA1 265644 49.0581 RSA intolerant 37307 6.8897 RSA pfs-ecdsa-SHA512 1 0.0002 RSA soft-nopfs 863 0.1594 Renegotiation Count Percent -------------------------+---------+-------- False 6052 1.1177 insecure 17380 3.2097 secure 518057 95.6727 Compression Count Percent -------------------------+---------+-------- 1 (zlib compression) 8694 1.6056 False 6052 1.1177 NONE 526743 97.2768 TLS session ticket hint Count Percent -------------------------+---------+-------- 1 5 0.0009 1 only 5 0.0009 2 1 0.0002 2 only 1 0.0002 5 1 0.0002 5 only 1 0.0002 10 11 0.002 10 only 11 0.002 15 9 0.0017 15 only 9 0.0017 30 14 0.0026 30 only 12 0.0022 60 158 0.0292 60 only 152 0.0281 65 1 0.0002 65 only 1 0.0002 70 7 0.0013 75 1 0.0002 75 only 1 0.0002 100 13 0.0024 100 only 13 0.0024 120 25 0.0046 120 only 25 0.0046 128 3 0.0006 128 only 3 0.0006 150 2 0.0004 180 59 0.0109 180 only 56 0.0103 240 6 0.0011 240 only 6 0.0011 244 1 0.0002 244 only 1 0.0002 300 257671 47.5856 300 only 253451 46.8063 302 3 0.0006 302 only 3 0.0006 360 2 0.0004 360 only 1 0.0002 400 6 0.0011 400 only 6 0.0011 420 114 0.0211 420 only 91 0.0168 450 1 0.0002 450 only 1 0.0002 480 13 0.0024 480 only 13 0.0024 500 4 0.0007 500 only 4 0.0007 540 1 0.0002 540 only 1 0.0002 600 27406 5.0612 600 only 27252 5.0328 720 2 0.0004 720 only 2 0.0004 840 2 0.0004 840 only 2 0.0004 900 989 0.1826 900 only 972 0.1795 960 3 0.0006 960 only 3 0.0006 1200 2741 0.5062 1200 only 2735 0.5051 1500 6 0.0011 1500 only 5 0.0009 1800 555 0.1025 1800 only 545 0.1006 1980 2 0.0004 1980 only 2 0.0004 2100 2 0.0004 2100 only 1 0.0002 2400 9 0.0017 2400 only 9 0.0017 2700 11 0.002 2700 only 11 0.002 3000 29 0.0054 3000 only 29 0.0054 3300 1 0.0002 3300 only 1 0.0002 3600 688 0.1271 3600 only 679 0.1254 3900 1 0.0002 3900 only 1 0.0002 5160 1 0.0002 5160 only 1 0.0002 5400 13 0.0024 5400 only 7 0.0013 6000 235 0.0434 6000 only 235 0.0434 7200 15880 2.9327 7200 only 15854 2.9279 10800 3309 0.6111 10800 only 3300 0.6094 14400 100 0.0185 14400 only 100 0.0185 18000 8 0.0015 18000 only 8 0.0015 21600 4676 0.8635 21600 only 4676 0.8635 25200 1 0.0002 25200 only 1 0.0002 28800 2453 0.453 28800 only 2450 0.4525 36000 1094 0.202 36000 only 1083 0.2 43200 41 0.0076 43200 only 41 0.0076 60000 2 0.0004 60000 only 2 0.0004 64800 4295 0.7932 64800 only 4295 0.7932 72000 28 0.0052 72000 only 28 0.0052 79200 1 0.0002 79200 only 1 0.0002 86000 48 0.0089 86000 only 48 0.0089 86400 3671 0.6779 86400 only 3666 0.677 100800 10910 2.0148 100800 only 10897 2.0124 115200 1 0.0002 115200 only 1 0.0002 129600 8 0.0015 129600 only 8 0.0015 172800 10 0.0018 172800 only 10 0.0018 216000 2 0.0004 216000 only 2 0.0004 259200 2 0.0004 259200 only 2 0.0004 432000 1 0.0002 432000 only 1 0.0002 604800 1 0.0002 864000 3 0.0006 864000 only 3 0.0006 None 208648 38.5323 None only 204120 37.6961 Certificate sig alg Count Percent -------------------------+---------+-------- None 9968 1.8408 ecdsa-with-SHA256 58398 10.7847 sha1WithRSAEncryption 51637 9.5361 sha256WithRSAEncryption 446192 82.4009 sha384WithRSAEncryption 5 0.0009 sha512WithRSAEncryption 43 0.0079 Certificate key size Count Percent -------------------------+---------+-------- ECDSA 256 58449 10.7941 ECDSA 384 17 0.0031 ECDSA 521 1 0.0002 RSA 1024 20 0.0037 RSA 2047 1 0.0002 RSA 2048 473537 87.4509 RSA 2049 2 0.0004 RSA 2056 1 0.0002 RSA 2058 2 0.0004 RSA 2064 2 0.0004 RSA 2084 5 0.0009 RSA 2096 2 0.0004 RSA 2408 1 0.0002 RSA 2432 1 0.0002 RSA 2480 1 0.0002 RSA 3071 1 0.0002 RSA 3072 119 0.022 RSA 3073 1 0.0002 RSA 3096 2 0.0004 RSA 3248 2 0.0004 RSA 4048 1 0.0002 RSA 4056 18 0.0033 RSA 4092 6 0.0011 RSA 4094 1 0.0002 RSA 4095 1 0.0002 RSA 4096 24063 4.4439 RSA 4098 1 0.0002 RSA 8192 3 0.0006 RSA/ECDSA Dual Stack 14756 2.7251 OCSP stapling Count Percent -------------------------+---------+-------- Supported 125414 23.161 Unsupported 416075 76.839 Supported Protocols Count Percent -------------------------+---------+------- SSL2 21373 3.9471 SSL2 Only 15 0.0028 SSL3 111129 20.5229 SSL3 Only 1140 0.2105 SSL3 or TLS1 Only 59881 11.0586 SSL3 or lower Only 1155 0.2133 TLS1 534137 98.6423 TLS1 Only 37819 6.9843 TLS1 or lower Only 79028 14.5946 TLS1.1 449426 82.9982 TLS1.1 Only 331 0.0611 TLS1.1 or up Only 5997 1.1075 TLS1.2 458682 84.7075 TLS1.2 Only 2265 0.4183 TLS1.2, 1.0 but not 1.1 9518 1.7577 Statistics from 575515 chains provided by 712157 hosts Server provided chains Count Percent -------------------------+---------+------- complete 510961 71.7484 incomplete 28667 4.0254 untrusted 172529 24.2263 Trusted chain statistics ======================== Chain length Count Percent -------------------------+---------+------- 2 26 0.0045 3 573525 99.6542 4 1952 0.3392 5 12 0.0021 CA key size in chains Count -------------------------+--------- ECDSA 256 58397 ECDSA 384 58400 RSA 1024 25 RSA 2045 2 RSA 2048 878262 RSA 4096 157894 Chains with CA key Count Percent -------------------------+---------+------- ECDSA 256 58397 10.1469 ECDSA 384 58400 10.1474 RSA 1024 23 0.004 RSA 2045 2 0.0003 RSA 2048 516745 89.7883 RSA 4096 157333 27.3378 Signature algorithm (ex. root) Count ------------------------------+--------- ecdsa-with-SHA384 58394 sha1WithRSAEncryption 58209 sha256WithRSAEncryption 319412 sha384WithRSAEncryption 141372 sha512WithRSAEncryption 78 Eff. host cert chain LoS Count Percent -------------------------+---------+------- 80 58271 10.125 112 458828 79.7248 128.0 58416 10.1502 Most Popular Root CAs Count Percent ---------------------------------------------+---------+------- (d6325660) COMODO RSA Certification Authority 126106 21.9119 (2c543cd1) GeoTrust Global CA 102943 17.8871 (eed8c118) COMODO ECC Certification Authority 58387 10.1452 (5ad8a5d6) GlobalSign Root CA 50714 8.8119 (cbf06781) Go Daddy Root Certificate Authorit 50524 8.7789 (b204d74a) VeriSign Class 3 Public Primary Ce 32049 5.5688 (244b5494) DigiCert High Assurance EV Root CA 21377 3.7144 (2e4eed3c) thawte Primary Root CA 20668 3.5912 (fc5a8f99) USERTrust RSA Certification Author 15152 2.6328 (157753a5) AddTrust External CA Root 14593 2.5356 (653b494a) Baltimore CyberTrust Root 11373 1.9761 (ae8153b9) StartCom Certification Authority 9025 1.5682 (3513523f) DigiCert Global Root CA 8982 1.5607 (4bfab552) Starfield Root Certificate Authori 8553 1.4861 Scan performed between 18th of January and 3rd of February 2016 -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
Attachment:
signature.asc
Description: This is a digitally signed message part.
-- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://lists.fedoraproject.org/admin/lists/security@xxxxxxxxxxxxxxxxxxxxxxx
