SSL/TLS survey of 554044 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)

Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      488020    88.0833
3DES Only                 590       0.1065
3DES Preferred            1772      0.3198
3DES forced in TLS1.1+    936       0.1689
AES                       549187    99.1234
AES Only                  42441     7.6602
AES-CBC                   548762    99.0466
AES-CBC Only              8334      1.5042
AES-GCM                   448629    80.9735
AES-GCM Only              378       0.0682
CAMELLIA                  241430    43.576
CAMELLIA Only             1         0.0002
CHACHA20                  75592     13.6437
Insecure                  54139     9.7716
RC4                       160923    29.0452
RC4 Only                  183       0.033
RC4 Preferred             15628     2.8207
RC4 forced in TLS1.1+     8360      1.5089
x:FF 29 3DES Only         639       0.1153
x:FF 29 3DES Preferred    2130      0.3844
x:FF 29 RC4 Only          254       0.0458
x:FF 29 RC4 Preferred     17323     3.1266
x:FF 29 incompatible      272       0.0491
x:FF 35 3DES Only         645       0.1164
x:FF 35 3DES Preferred    2044      0.3689
x:FF 35 RC4 Only          301       0.0543
x:FF 35 RC4 Preferred     17346     3.1308
x:FF 35 incompatible      276       0.0498
x:FF 44 3DES Only         4576      0.8259
x:FF 44 3DES Preferred    8336      1.5046
x:FF 44 incompatible      577       0.1041
y:DHE-RSA-SEED-SHA        71951     12.9865
y:IDEA-CBC-SHA            67468     12.1774
y:SEED-SHA                82250     14.8454
z:ADH-AES128-GCM-SHA256   401       0.0724
z:ADH-AES128-SHA          730       0.1318
z:ADH-AES128-SHA256       275       0.0496
z:ADH-AES256-GCM-SHA384   411       0.0742
z:ADH-AES256-SHA          748       0.135
z:ADH-AES256-SHA256       274       0.0495
z:ADH-CAMELLIA128-SHA     390       0.0704
z:ADH-CAMELLIA256-SHA     400       0.0722
z:ADH-DES-CBC-SHA         321       0.0579
z:ADH-DES-CBC3-SHA        738       0.1332
z:ADH-RC4-MD5             539       0.0973
z:ADH-SEED-SHA            312       0.0563
z:AECDH-AES128-SHA        9716      1.7537
z:AECDH-AES256-SHA        9763      1.7621
z:AECDH-DES-CBC3-SHA      9685      1.7481
z:AECDH-NULL-SHA          85        0.0153
z:AECDH-RC4-SHA           9132      1.6482
z:DES-CBC-MD5             7224      1.3039
z:DES-CBC-SHA             33578     6.0605
z:DES-CBC3-MD5            17444     3.1485
z:ECDHE-RSA-NULL-SHA      95        0.0171
z:EDH-RSA-DES-CBC-SHA     28962     5.2274
z:EXP-ADH-DES-CBC-SHA     173       0.0312
z:EXP-ADH-RC4-MD5         171       0.0309
z:EXP-DES-CBC-SHA         11121     2.0072
z:EXP-EDH-RSA-DES-CBC-SHA 8776      1.584
z:EXP-RC2-CBC-MD5         13375     2.4141
z:EXP-RC4-MD5             14006     2.528
z:EXP1024-DES-CBC-SHA     3639      0.6568
z:EXP1024-RC4-SHA         3688      0.6657
z:IDEA-CBC-MD5            1523      0.2749
z:NULL-MD5                214       0.0386
z:NULL-SHA                218       0.0393
z:NULL-SHA256             32        0.0058
z:RC2-CBC-MD5             7396      1.3349
z:RC4-64-MD5              767       0.1384

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               134999    24.3661
Server side               419045    75.6339

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       885       0.1597
AECDH                     9773      1.7639
DHE                       298929    53.954
ECDH                      2         0.0004
ECDHE                     476485    86.0013
ECDHE and DHE             253657    45.7828
RSA                       475653    85.8511

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               116515    21.0299  38.9775
DH,1536bits               1         0.0002   0.0003
DH,2048bits               170990    30.8622  57.2009
DH,2236bits               69        0.0125   0.0231
DH,2432bits               3         0.0005   0.001
DH,2560bits               1         0.0002   0.0003
DH,3072bits               111       0.02     0.0371
DH,3092bits               1         0.0002   0.0003
DH,4094bits               1         0.0002   0.0003
DH,4096bits               10885     1.9646   3.6413
DH,4098bits               1         0.0002   0.0003
DH,512bits                64        0.0116   0.0214
DH,6144bits               1         0.0002   0.0003
DH,768bits                377       0.068    0.1261
DH,8192bits               9         0.0016   0.003
ECDH,B-571,570bits        2314      0.4177   0.4856
ECDH,K-163,163bits        1         0.0002   0.0002
ECDH,P-192,192bits        23        0.0042   0.0048
ECDH,P-224,224bits        84        0.0152   0.0176
ECDH,P-256,256bits        456709    82.4319  95.8496
ECDH,P-384,384bits        5908      1.0663   1.2399
ECDH,P-521,521bits        13327     2.4054   2.7969
Prefer DH,1024bits        43925     7.9281   14.6941
Prefer DH,1536bits        1         0.0002   0.0003
Prefer DH,2048bits        5768      1.0411   1.9296
Prefer DH,3072bits        6         0.0011   0.002
Prefer DH,4096bits        423       0.0763   0.1415
Prefer DH,768bits         54        0.0097   0.0181
Prefer ECDH,B-571,570bits 2090      0.3772   0.4386
Prefer ECDH,K-163,163bits 1         0.0002   0.0002
Prefer ECDH,P-224,224bits 81        0.0146   0.017
Prefer ECDH,P-256,256bits 419866    75.7821  88.1174
Prefer ECDH,P-384,384bits 4218      0.7613   0.8852
Prefer ECDH,P-521,521bits 12182     2.1987   2.5566
Prefer PFS                488615    88.1906  0
Support PFS               521757    94.1725  0

Supported ECC curves      Count     Percent
-------------------------+---------+--------
brainpoolP256r1           7632      1.3775
brainpoolP384r1           7634      1.3779
brainpoolP512r1           7637      1.3784
prime192v1                1557      0.281
prime256v1                473202    85.4087
prime256v1 Only           404241    72.9619
secp160k1                 1490      0.2689
secp160r1                 1497      0.2702
secp160r2                 1488      0.2686
secp192k1                 1502      0.2711
secp224k1                 1576      0.2845
secp224r1                 4971      0.8972
secp256k1                 10618     1.9165
secp384r1                 70010     12.6362
secp384r1 Only            1082      0.1953
secp521r1                 36615     6.6087
secp521r1 Only            140       0.0253
sect163k1                 1492      0.2693
sect163k1 Only            1         0.0002
sect163r1                 1490      0.2689
sect163r2                 1490      0.2689
sect193r1                 1490      0.2689
sect193r2                 1489      0.2688
sect233k1                 1566      0.2826
sect233r1                 1566      0.2826
sect239k1                 1565      0.2825
sect283k1                 9047      1.6329
sect283k1 Only            1         0.0002
sect283r1                 9044      1.6324
sect409k1                 9041      1.6318
sect409r1                 9038      1.6313
sect571k1                 9044      1.6324
sect571r1                 9045      1.6325

Unsupported curve fallback     Count     Percent
------------------------------+---------+--------
False                          46285     8.354
True                           365389    65.9495
order-specific                 61        0.011
unknown                        142309    25.6855

ECC curve ordering        Count     Percent
-------------------------+---------+--------
client                    9132      1.6482
inconclusive-noecc        4         0.0007
server                    465324    83.9868
unknown                   79584     14.3642

TLSv1.2 PFS supported sigalgs  Count     Percent
------------------------------+---------+--------
ECDSA-SHA1                     50518     9.118
ECDSA-SHA1 Only                3         0.0005
ECDSA-SHA224                   50534     9.1209
ECDSA-SHA256                   66231     11.9541
ECDSA-SHA384                   66277     11.9624
ECDSA-SHA512                   66334     11.9727
ECDSA-SHA512 Only              61        0.011
RSA-MD5                        41528     7.4954
RSA-SHA1                       408670    73.7613
RSA-SHA1 Only                  36069     6.5101
RSA-SHA224                     340011    61.369
RSA-SHA256                     380914    68.7516
RSA-SHA256 Only                7319      1.321
RSA-SHA384                     345799    62.4136
RSA-SHA384 Only                4         0.0007
RSA-SHA512                     345776    62.4095
RSA-SHA512 Only                118       0.0213

TLSv1.2 PFS ordering           Count     Percent
------------------------------+---------+--------
client                         255972    46.2007
indeterminate                  42        0.0076
intolerant                     5716      1.0317
order-fallback                 9         0.0016
server                         203222    36.6798
unsupported                    17516     3.1615

TLSv1.2 PFS sigalg fallback    Count     Percent
------------------------------+---------+--------
ECDSA SHA1                     50464     9.1083
ECDSA intolerant               381       0.0688
ECDSA pfs-rsa-SHA512           15610     2.8175
ECDSA soft-nopfs               2         0.0004
RSA False                      41178     7.4323
RSA SHA1                       336118    60.6663
RSA intolerant                 40148     7.2464
RSA pfs-ecdsa-SHA512           45        0.0081
RSA soft-nopfs                 512       0.0924

Renegotiation             Count     Percent
-------------------------+---------+--------
False                     5199      0.9384
insecure                  15950     2.8788
secure                    532895    96.1828

Compression               Count     Percent
-------------------------+---------+--------
1 (zlib compression)      7539      1.3607
False                     5199      0.9384
NONE                      541306    97.7009

TLS session ticket hint   Count     Percent
-------------------------+---------+--------
1                         4         0.0007
1 only                    4         0.0007
2                         2         0.0004
2 only                    2         0.0004
5                         8         0.0014
5 only                    8         0.0014
10                        8         0.0014
10 only                   8         0.0014
15                        6         0.0011
15 only                   6         0.0011
30                        19        0.0034
30 only                   18        0.0032
60                        167       0.0301
60 only                   164       0.0296
65                        2         0.0004
65 only                   2         0.0004
70                        6         0.0011
70 only                   4         0.0007
75                        1         0.0002
75 only                   1         0.0002
100                       16        0.0029
100 only                  16        0.0029
120                       28        0.0051
120 only                  28        0.0051
128                       3         0.0005
128 only                  3         0.0005
150                       2         0.0004
180                       66        0.0119
180 only                  64        0.0116
240                       11        0.002
240 only                  11        0.002
244                       2         0.0004
244 only                  2         0.0004
300                       272999    49.2739
300 only                  269600    48.6604
302                       3         0.0005
302 only                  3         0.0005
360                       3         0.0005
360 only                  2         0.0004
400                       5         0.0009
400 only                  5         0.0009
420                       122       0.022
420 only                  105       0.019
480                       10        0.0018
480 only                  10        0.0018
500                       4         0.0007
500 only                  4         0.0007
540                       3         0.0005
540 only                  3         0.0005
600                       28373     5.1211
600 only                  28233     5.0958
660                       1         0.0002
660 only                  1         0.0002
700                       3         0.0005
700 only                  3         0.0005
840                       2         0.0004
840 only                  2         0.0004
900                       1388      0.2505
900 only                  1366      0.2466
960                       2         0.0004
960 only                  2         0.0004
1000                      1         0.0002
1000 only                 1         0.0002
1200                      2912      0.5256
1200 only                 2907      0.5247
1210                      2         0.0004
1210 only                 2         0.0004
1320                      1         0.0002
1320 only                 1         0.0002
1380                      1         0.0002
1380 only                 1         0.0002
1440                      1         0.0002
1440 only                 1         0.0002
1500                      6         0.0011
1500 only                 5         0.0009
1800                      579       0.1045
1800 only                 568       0.1025
1980                      2         0.0004
1980 only                 2         0.0004
2100                      2         0.0004
2100 only                 1         0.0002
2160                      1         0.0002
2160 only                 1         0.0002
2400                      8         0.0014
2400 only                 8         0.0014
2700                      9         0.0016
2700 only                 9         0.0016
3000                      25        0.0045
3000 only                 25        0.0045
3300                      1         0.0002
3300 only                 1         0.0002
3600                      865       0.1561
3600 only                 850       0.1534
3900                      1         0.0002
3900 only                 1         0.0002
4200                      1         0.0002
5160                      1         0.0002
5160 only                 1         0.0002
5400                      15        0.0027
5400 only                 9         0.0016
5940                      1         0.0002
5940 only                 1         0.0002
6000                      297       0.0536
6000 only                 297       0.0536
7200                      15195     2.7426
7200 only                 15175     2.739
7500                      1         0.0002
7500 only                 1         0.0002
10800                     4136      0.7465
10800 only                4122      0.744
14400                     95        0.0171
14400 only                95        0.0171
18000                     10        0.0018
18000 only                10        0.0018
21600                     4179      0.7543
21600 only                4179      0.7543
25200                     1         0.0002
25200 only                1         0.0002
28800                     3321      0.5994
28800 only                3321      0.5994
30000                     1         0.0002
30000 only                1         0.0002
36000                     1080      0.1949
36000 only                1071      0.1933
38854                     1         0.0002
38866                     1         0.0002
38879                     1         0.0002
38893                     1         0.0002
38908                     1         0.0002
38925                     1         0.0002
38940                     1         0.0002
38953                     1         0.0002
43200                     55        0.0099
43200 only                55        0.0099
60000                     2         0.0004
60000 only                2         0.0004
64800                     65043     11.7397
64800 only                65041     11.7393
72000                     9         0.0016
72000 only                9         0.0016
79200                     1         0.0002
79200 only                1         0.0002
86400                     2805      0.5063
86400 only                2801      0.5056
100800                    9140      1.6497
100800 only               9137      1.6491
108000                    1         0.0002
108000 only               1         0.0002
115200                    1         0.0002
115200 only               1         0.0002
129600                    6         0.0011
129600 only               6         0.0011
172800                    49        0.0088
172800 only               49        0.0088
216000                    4         0.0007
216000 only               4         0.0007
432000                    1         0.0002
432000 only               1         0.0002
604800                    2         0.0004
864000                    2         0.0004
864000 only               2         0.0004
7776000                   2         0.0004
7776000 only              2         0.0004
None                      144581    26.0956
None only                 140902    25.4316

Certificate sig alg       Count     Percent
-------------------------+---------+--------
None                      10359     1.8697
ecdsa-with-SHA256         63100     11.389
sha1WithRSAEncryption     29544     5.3324
sha256WithRSAEncryption   477256    86.1405
sha384WithRSAEncryption   5         0.0009
sha512WithRSAEncryption   60        0.0108

Certificate key size      Count     Percent
-------------------------+---------+--------
ECDSA 256                 66442     11.9922
ECDSA 384                 21        0.0038
ECDSA 521                 1         0.0002
RSA 1024                  21        0.0038
RSA 2048                  479886    86.6151
RSA 2049                  2         0.0004
RSA 2056                  3         0.0005
RSA 2058                  3         0.0005
RSA 2084                  3         0.0005
RSA 2086                  1         0.0002
RSA 2096                  2         0.0004
RSA 2432                  2         0.0004
RSA 3072                  150       0.0271
RSA 3073                  1         0.0002
RSA 3076                  3         0.0005
RSA 3096                  2         0.0004
RSA 3248                  3         0.0005
RSA 4048                  3         0.0005
RSA 4056                  15        0.0027
RSA 4069                  1         0.0002
RSA 4086                  4         0.0007
RSA 4092                  2         0.0004
RSA 4094                  1         0.0002
RSA 4095                  1         0.0002
RSA 4096                  26364     4.7585
RSA 4196                  1         0.0002
RSA 8192                  9         0.0016
RSA 8392                  1         0.0002
RSA/ECDSA Dual Stack      18891     3.4097

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 128586    23.2086
Unsupported               425458    76.7914

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      17623     3.1808
SSL2 Only                 17        0.0031
SSL3                      98238     17.7311
SSL3 Only                 1159      0.2092
SSL3 or TLS1 Only         52628     9.4989
SSL3 or lower Only        1168      0.2108
TLS1                      543101    98.0249
TLS1 Only                 32939     5.9452
TLS1 or lower Only        68307     12.3288
TLS1.1                    473247    85.4169
TLS1.1 Only               208       0.0375
TLS1.1 or up Only         9606      1.7338
TLS1.2                    482460    87.0797
TLS1.2 Only               2594      0.4682
TLS1.2, 1.0 but not 1.1   8635      1.5585

Statistics from 589898 chains provided by 709652 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  529449    74.6068
incomplete                22333     3.147
untrusted                 157870    22.2461

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         8         0.0014
3                         587212    99.5447
4                         2665      0.4518
5                         13        0.0022

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 63091
ECDSA 384                 63090
RSA 1024                  21
RSA 2045                  2
RSA 2048                  881842
RSA 4096                  174433

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 63091     10.6952
ECDSA 384                 63090     10.6951
RSA 1024                  19        0.0032
RSA 2045                  2         0.0003
RSA 2048                  526385    89.2332
RSA 4096                  173801    29.4629

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              63084
sha1WithRSAEncryption          33756
sha256WithRSAEncryption        339826
sha384WithRSAEncryption        155860
sha512WithRSAEncryption        55

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        33778     5.7261
112                       493007    83.575
128                       63113     10.699

Root CAs                                      Count     Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 138204    23.4285
(2c543cd1) GeoTrust Global CA                 95310     16.157
(eed8c118) COMODO ECC Certification Authority 63077     10.6929
(5ad8a5d6) GlobalSign Root CA                 56226     9.5315
(cbf06781) Go Daddy Root Certificate Authorit 49413     8.3765
(b204d74a) VeriSign Class 3 Public Primary Ce 30520     5.1738
(244b5494) DigiCert High Assurance EV Root CA 19387     3.2865
(2e4eed3c) thawte Primary Root CA             18858     3.1968
(653b494a) Baltimore CyberTrust Root          12557     2.1287
(2e5ac55d) DST Root CA X3                     12525     2.1232
(fc5a8f99) USERTrust RSA Certification Author 17514     2.969
(ae8153b9) StartCom Certification Authority   9654      1.6366
(3513523f) DigiCert Global Root CA            9633      1.633
(4bfab552) Starfield Root Certificate Authori 8780      1.4884

Scan performed between 18th of April and 1st of May 2016

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic