SSL/TLS survey of 551637 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)

Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      484308    87.7947
3DES Only                 592       0.1073
3DES Preferred            1803      0.3268
3DES forced in TLS1.1+    945       0.1713
AES                       546565    99.0806
AES Only                  43629     7.909
AES-CBC                   546039    98.9852
AES-CBC Only              8757      1.5875
AES-GCM                   442034    80.1313
AES-GCM Only              490       0.0888
CAMELLIA                  235037    42.6072
CAMELLIA Only             3         0.0005
CHACHA20                  74906     13.5789
CHACHA20 Only             1         0.0002
Insecure                  53675     9.7301
RC4                       165105    29.93
RC4 Only                  189       0.0343
RC4 Preferred             16635     3.0156
RC4 forced in TLS1.1+     8955      1.6234
x:FF 29 3DES Only         637       0.1155
x:FF 29 3DES Preferred    2172      0.3937
x:FF 29 RC4 Only          263       0.0477
x:FF 29 RC4 Preferred     18392     3.3341
x:FF 29 incompatible      389       0.0705
x:FF 35 3DES Only         644       0.1167
x:FF 35 3DES Preferred    2079      0.3769
x:FF 35 RC4 Only          313       0.0567
x:FF 35 RC4 Preferred     18423     3.3397
x:FF 35 incompatible      393       0.0712
x:FF 44 3DES Only         4780      0.8665
x:FF 44 3DES Preferred    8693      1.5759
x:FF 44 incompatible      706       0.128
y:DHE-RSA-SEED-SHA        69733     12.6411
y:IDEA-CBC-SHA            66812     12.1116
y:SEED-SHA                80215     14.5413
z:ADH-AES128-GCM-SHA256   415       0.0752
z:ADH-AES128-SHA          692       0.1254
z:ADH-AES128-SHA256       283       0.0513
z:ADH-AES256-GCM-SHA384   428       0.0776
z:ADH-AES256-SHA          704       0.1276
z:ADH-AES256-SHA256       283       0.0513
z:ADH-CAMELLIA128-SHA     365       0.0662
z:ADH-CAMELLIA256-SHA     368       0.0667
z:ADH-DES-CBC-SHA         279       0.0506
z:ADH-DES-CBC3-SHA        707       0.1282
z:ADH-RC4-MD5             522       0.0946
z:ADH-SEED-SHA            294       0.0533
z:AECDH-AES128-SHA        8357      1.5149
z:AECDH-AES256-SHA        8387      1.5204
z:AECDH-DES-CBC3-SHA      8323      1.5088
z:AECDH-NULL-SHA          56        0.0102
z:AECDH-RC4-SHA           7767      1.408
z:DES-CBC-MD5             7631      1.3833
z:DES-CBC-SHA             34001     6.1637
z:DES-CBC3-MD5            18130     3.2866
z:ECDHE-RSA-NULL-SHA      63        0.0114
z:EDH-RSA-DES-CBC-SHA     28894     5.2379
z:EXP-ADH-DES-CBC-SHA     182       0.033
z:EXP-ADH-RC4-MD5         181       0.0328
z:EXP-DES-CBC-SHA         11397     2.066
z:EXP-EDH-RSA-DES-CBC-SHA 8988      1.6293
z:EXP-RC2-CBC-MD5         13770     2.4962
z:EXP-RC4-MD5             14407     2.6117
z:EXP1024-DES-CBC-SHA     3787      0.6865
z:EXP1024-RC4-SHA         3834      0.695
z:IDEA-CBC-MD5            1577      0.2859
z:NULL-MD5                182       0.033
z:NULL-SHA                189       0.0343
z:NULL-SHA256             43        0.0078
z:RC2-CBC-MD5             7791      1.4123
z:RC4-64-MD5              776       0.1407

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               133547    24.2092
Server side               418090    75.7908

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       857       0.1554
AECDH                     8405      1.5236
DHE                       295868    53.6345
ECDH                      2         0.0004
ECDHE                     469045    85.0278
ECDHE and DHE             247197    44.8115
RSA                       474406    85.9997

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               118316    21.4482  39.9895
DH,1536bits               1         0.0002   0.0003
DH,2048bits               166870    30.25    56.4002
DH,2236bits               65        0.0118   0.022
DH,2432bits               3         0.0005   0.001
DH,3072bits               115       0.0208   0.0389
DH,3092bits               1         0.0002   0.0003
DH,4046bits               1         0.0002   0.0003
DH,4094bits               1         0.0002   0.0003
DH,4096bits               10250     1.8581   3.4644
DH,512bits                57        0.0103   0.0193
DH,768bits                352       0.0638   0.119
DH,8192bits               10        0.0018   0.0034
ECDH,B-571,570bits        2139      0.3878   0.456
ECDH,K-163,163bits        1         0.0002   0.0002
ECDH,P-192,192bits        20        0.0036   0.0043
ECDH,P-224,224bits        90        0.0163   0.0192
ECDH,P-256,256bits        450911    81.7405  96.1338
ECDH,P-384,384bits        5288      0.9586   1.1274
ECDH,P-521,521bits        12472     2.2609   2.659
Prefer DH,1024bits        46513     8.4318   15.7209
Prefer DH,1536bits        1         0.0002   0.0003
Prefer DH,2048bits        5993      1.0864   2.0256
Prefer DH,3072bits        10        0.0018   0.0034
Prefer DH,4096bits        386       0.07     0.1305
Prefer DH,768bits         37        0.0067   0.0125
Prefer ECDH,B-571,570bits 1925      0.349    0.4104
Prefer ECDH,K-163,163bits 1         0.0002   0.0002
Prefer ECDH,P-224,224bits 87        0.0158   0.0185
Prefer ECDH,P-256,256bits 414883    75.2094  88.4527
Prefer ECDH,P-384,384bits 3903      0.7075   0.8321
Prefer ECDH,P-521,521bits 11412     2.0688   2.433
Prefer PFS                485151    87.9475  0
Support PFS               517716    93.8508  0

Supported ECC curves      Count     Percent
-------------------------+---------+--------
brainpoolP256r1           7010      1.2708
brainpoolP384r1           7016      1.2719
brainpoolP512r1           7016      1.2719
prime192v1                1542      0.2795
prime192v1 Only           1         0.0002
prime256v1                465478    84.3812
prime256v1 Only           399795    72.4743
secp160k1                 1479      0.2681
secp160r1                 1485      0.2692
secp160r2                 1478      0.2679
secp192k1                 1492      0.2705
secp224k1                 1571      0.2848
secp224r1                 4963      0.8997
secp256k1                 8958      1.6239
secp384r1                 66416     12.0398
secp384r1 Only            776       0.1407
secp521r1                 33828     6.1323
secp521r1 Only            143       0.0259
sect163k1                 1480      0.2683
sect163k1 Only            2         0.0004
sect163r1                 1478      0.2679
sect163r2                 1478      0.2679
sect193r1                 1478      0.2679
sect193r2                 1478      0.2679
sect233k1                 1563      0.2833
sect233r1                 1563      0.2833
sect239k1                 1563      0.2833
sect283k1                 8428      1.5278
sect283r1                 8425      1.5273
sect409k1                 8431      1.5284
sect409r1                 8429      1.528
sect571k1                 8434      1.5289
sect571r1                 8434      1.5289

Unsupported curve fallback     Count     Percent
------------------------------+---------+--------
False                          48103     8.72
True                           357854    64.8713
order-specific                 74        0.0134
unknown                        145606    26.3953

ECC curve ordering        Count     Percent
-------------------------+---------+--------
client                    8089      1.4664
inconclusive-noecc        7         0.0013
server                    458334    83.0862
unknown                   85207     15.4462

TLSv1.2 PFS supported sigalgs  Count     Percent
------------------------------+---------+--------
ECDSA-SHA1                     48616     8.813
ECDSA-SHA1 Only                5         0.0009
ECDSA-SHA224                   48602     8.8105
ECDSA-SHA256                   64365     11.668
ECDSA-SHA384                   64360     11.6671
ECDSA-SHA512                   64365     11.668
ECDSA-SHA512 Only              6         0.0011
RSA-MD5                        46119     8.3604
RSA-SHA1                       404339    73.298
RSA-SHA1 Only                  37023     6.7115
RSA-SHA224                     339349    61.5167
RSA-SHA256                     375560    68.081
RSA-SHA256 Only                7280      1.3197
RSA-SHA384                     341601    61.925
RSA-SHA384 Only                3         0.0005
RSA-SHA512                     341567    61.9188
RSA-SHA512 Only                84        0.0152

TLSv1.2 PFS ordering           Count     Percent
------------------------------+---------+--------
client                         252624    45.7953
indeterminate                  57        0.0103
intolerant                     5553      1.0066
order-fallback                 7         0.0013
server                         199982    36.2525
unsupported                    18801     3.4082

TLSv1.2 PFS sigalg fallback    Count     Percent
------------------------------+---------+--------
ECDSA SHA1                     48595     8.8092
ECDSA intolerant               74        0.0134
ECDSA pfs-rsa-SHA512           15721     2.8499
RSA False                      45736     8.291
RSA SHA1                       328060    59.4703
RSA intolerant                 39590     7.1768
RSA pfs-ecdsa-SHA512           1         0.0002
RSA soft-nopfs                 500       0.0906

Renegotiation             Count     Percent
-------------------------+---------+--------
False                     5768      1.0456
insecure                  16732     3.0332
secure                    529137    95.9212

Compression               Count     Percent
-------------------------+---------+--------
1 (zlib compression)      7977      1.4461
False                     5768      1.0456
NONE                      537892    97.5083

TLS session ticket hint   Count     Percent
-------------------------+---------+--------
1                         4         0.0007
1 only                    4         0.0007
2                         2         0.0004
2 only                    2         0.0004
5                         3         0.0005
5 only                    3         0.0005
10                        6         0.0011
10 only                   6         0.0011
15                        5         0.0009
15 only                   5         0.0009
30                        18        0.0033
30 only                   17        0.0031
60                        170       0.0308
60 only                   166       0.0301
65                        1         0.0002
65 only                   1         0.0002
70                        6         0.0011
75                        1         0.0002
75 only                   1         0.0002
100                       13        0.0024
100 only                  13        0.0024
120                       23        0.0042
120 only                  23        0.0042
128                       2         0.0004
128 only                  2         0.0004
150                       2         0.0004
180                       72        0.0131
180 only                  70        0.0127
240                       14        0.0025
240 only                  14        0.0025
244                       1         0.0002
244 only                  1         0.0002
300                       268504    48.674
300 only                  264860    48.0135
302                       3         0.0005
302 only                  3         0.0005
360                       2         0.0004
360 only                  1         0.0002
400                       5         0.0009
400 only                  5         0.0009
420                       124       0.0225
420 only                  105       0.019
450                       1         0.0002
450 only                  1         0.0002
480                       10        0.0018
480 only                  10        0.0018
500                       4         0.0007
500 only                  4         0.0007
540                       3         0.0005
540 only                  3         0.0005
600                       27697     5.0209
600 only                  27547     4.9937
660                       3         0.0005
660 only                  3         0.0005
720                       1         0.0002
720 only                  1         0.0002
840                       1         0.0002
840 only                  1         0.0002
900                       1254      0.2273
900 only                  1233      0.2235
960                       2         0.0004
960 only                  2         0.0004
1000                      1         0.0002
1000 only                 1         0.0002
1200                      3011      0.5458
1200 only                 3007      0.5451
1210                      1         0.0002
1210 only                 1         0.0002
1300                      1         0.0002
1300 only                 1         0.0002
1320                      1         0.0002
1320 only                 1         0.0002
1380                      1         0.0002
1380 only                 1         0.0002
1500                      5         0.0009
1500 only                 4         0.0007
1800                      570       0.1033
1800 only                 559       0.1013
1980                      2         0.0004
1980 only                 2         0.0004
2100                      2         0.0004
2100 only                 1         0.0002
2400                      8         0.0015
2400 only                 8         0.0015
2700                      9         0.0016
2700 only                 9         0.0016
3000                      28        0.0051
3000 only                 28        0.0051
3600                      802       0.1454
3600 only                 792       0.1436
3900                      1         0.0002
3900 only                 1         0.0002
5160                      1         0.0002
5160 only                 1         0.0002
5400                      15        0.0027
5400 only                 8         0.0015
6000                      288       0.0522
6000 only                 287       0.052
7200                      16170     2.9313
7200 only                 16152     2.928
10800                     3928      0.7121
10800 only                3918      0.7102
14400                     85        0.0154
14400 only                84        0.0152
18000                     9         0.0016
18000 only                9         0.0016
21600                     4289      0.7775
21600 only                4289      0.7775
25200                     1         0.0002
25200 only                1         0.0002
28800                     3301      0.5984
28800 only                3301      0.5984
36000                     1118      0.2027
36000 only                1107      0.2007
43200                     46        0.0083
43200 only                46        0.0083
60000                     2         0.0004
60000 only                2         0.0004
64800                     63048     11.4293
64800 only                63047     11.4291
72000                     8         0.0015
72000 only                8         0.0015
79200                     1         0.0002
79200 only                1         0.0002
84000                     1         0.0002
84000 only                1         0.0002
86000                     51        0.0092
86000 only                51        0.0092
86400                     2862      0.5188
86400 only                2858      0.5181
100800                    10169     1.8434
100800 only               10144     1.8389
108000                    1         0.0002
108000 only               1         0.0002
115200                    1         0.0002
115200 only               1         0.0002
129600                    8         0.0015
129600 only               8         0.0015
172800                    9         0.0016
172800 only               9         0.0016
216000                    5         0.0009
216000 only               5         0.0009
259200                    2         0.0004
259200 only               2         0.0004
432000                    1         0.0002
432000 only               1         0.0002
604800                    2         0.0004
604800 only               1         0.0002
864000                    4         0.0007
864000 only               4         0.0007
7776000                   2         0.0004
7776000 only              2         0.0004
None                      147762    26.7861
None only                 143812    26.07

Certificate sig alg       Count     Percent
-------------------------+---------+--------
None                      9012      1.6337
ecdsa-with-SHA256         61035     11.0643
sha1WithRSAEncryption     33972     6.1584
sha256WithRSAEncryption   472384    85.6331
sha384WithRSAEncryption   5         0.0009
sha512WithRSAEncryption   59        0.0107

Certificate key size      Count     Percent
-------------------------+---------+--------
ECDSA 256                 64371     11.6691
ECDSA 384                 20        0.0036
ECDSA 521                 1         0.0002
RSA 1024                  29        0.0053
RSA 2048                  480108    87.0333
RSA 2049                  2         0.0004
RSA 2056                  2         0.0004
RSA 2058                  3         0.0005
RSA 2084                  4         0.0007
RSA 2086                  1         0.0002
RSA 2096                  2         0.0004
RSA 2432                  2         0.0004
RSA 3071                  1         0.0002
RSA 3072                  141       0.0256
RSA 3073                  1         0.0002
RSA 3076                  6         0.0011
RSA 3096                  2         0.0004
RSA 3248                  4         0.0007
RSA 4048                  4         0.0007
RSA 4056                  15        0.0027
RSA 4092                  2         0.0004
RSA 4094                  2         0.0004
RSA 4095                  1         0.0002
RSA 4096                  25981     4.7098
RSA 8192                  8         0.0015
RSA 8392                  1         0.0002
RSA/ECDSA Dual Stack      19066     3.4563

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 128880    23.3632
Unsupported               422757    76.6368

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      18283     3.3143
SSL2 Only                 14        0.0025
SSL3                      101196    18.3447
SSL3 Only                 1158      0.2099
SSL3 or TLS1 Only         54616     9.9007
SSL3 or lower Only        1168      0.2117
TLS1                      542011    98.255
TLS1 Only                 34339     6.2249
TLS1 or lower Only        70962     12.8639
TLS1.1                    467843    84.8099
TLS1.1 Only               333       0.0604
TLS1.1 or up Only         8279      1.5008
TLS1.2                    477009    86.4715
TLS1.2 Only               2566      0.4652
TLS1.2, 1.0 but not 1.1   9002      1.6319

Statistics from 587252 chains provided by 715935 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  525344    73.3787
incomplete                23228     3.2444
untrusted                 167363    23.3768

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         13        0.0022
3                         585030    99.6216
4                         2197      0.3741
5                         12        0.002

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 61011
ECDSA 384                 61009
RSA 1024                  26
RSA 2045                  2
RSA 2048                  885900
RSA 4096                  168764

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 61011     10.3892
ECDSA 384                 61009     10.3889
RSA 1024                  24        0.0041
RSA 2045                  2         0.0003
RSA 2048                  525829    89.5406
RSA 4096                  168152    28.6337

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              61004
sha1WithRSAEncryption          38564
sha256WithRSAEncryption        338536
sha384WithRSAEncryption        151286
sha512WithRSAEncryption        70

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        38602     6.5733
112                       487624    83.0349
128.0                     61026     10.3918

Most popular root CAs                         Count     Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 135263    23.0332
(2c543cd1) GeoTrust Global CA                 101180    17.2294
(eed8c118) COMODO ECC Certification Authority 60996     10.3867
(5ad8a5d6) GlobalSign Root CA                 56051     9.5446
(cbf06781) Go Daddy Root Certificate Authorit 49631     8.4514
(b204d74a) VeriSign Class 3 Public Primary Ce 31013     5.281
(244b5494) DigiCert High Assurance EV Root CA 20318     3.4598
(2e4eed3c) thawte Primary Root CA             18889     3.2165
(fc5a8f99) USERTrust RSA Certification Author 15885     2.705
(653b494a) Baltimore CyberTrust Root          13245     2.2554
(4bfab552) Starfield Root Certificate Authori 10600     1.805
(3513523f) DigiCert Global Root CA            9653      1.6438
(ae8153b9) StartCom Certification Authority   8863      1.5092
(2e5ac55d) DST Root CA X3                     7351      1.2518

Test ran between 17th of March and 5th of April 2016

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic