SSL/TLS survey of 588324 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)

Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      521557    88.6513
3DES Only                 618       0.105
3DES Preferred            1789      0.3041
3DES forced in TLS1.1+    964       0.1639
AES                       583623    99.201
AES Only                  42928     7.2967
AES-CBC                   583065    99.1061
AES-CBC Only              6504      1.1055
AES-GCM                   482505    82.0135
AES-GCM Only              514       0.0874
CAMELLIA                  258710    43.9741
CAMELLIA Only             3         0.0005
CHACHA20                  80738     13.7234
CHACHA20 Only             4         0.0007
Insecure                  56788     9.6525
RC4                       168525    28.6449
RC4 Only                  166       0.0282
RC4 Preferred             14971     2.5447
RC4 forced in TLS1.1+     8083      1.3739
x:FF 29 3DES Only         661       0.1124
x:FF 29 3DES Preferred    2145      0.3646
x:FF 29 RC4 Only          245       0.0416
x:FF 29 RC4 Preferred     16797     2.8551
x:FF 29 incompatible      506       0.086
x:FF 35 3DES Only         669       0.1137
x:FF 35 3DES Preferred    2073      0.3524
x:FF 35 RC4 Only          285       0.0484
x:FF 35 RC4 Preferred     16818     2.8586
x:FF 35 incompatible      510       0.0867
x:FF 44 3DES Only         4449      0.7562
x:FF 44 3DES Preferred    8286      1.4084
x:FF 44 incompatible      795       0.1351
y:DHE-RSA-SEED-SHA        79291     13.4774
y:IDEA-CBC-SHA            75311     12.8009
y:SEED-SHA                89316     15.1814
z:ADH-AES128-GCM-SHA256   414       0.0704
z:ADH-AES128-SHA          763       0.1297
z:ADH-AES128-SHA256       275       0.0467
z:ADH-AES256-GCM-SHA384   425       0.0722
z:ADH-AES256-SHA          792       0.1346
z:ADH-AES256-SHA256       275       0.0467
z:ADH-CAMELLIA128-SHA     406       0.069
z:ADH-CAMELLIA128-SHA256  1         0.0002
z:ADH-CAMELLIA256-SHA     423       0.0719
z:ADH-CAMELLIA256-SHA256  1         0.0002
z:ADH-DES-CBC-SHA         338       0.0575
z:ADH-DES-CBC3-SHA        773       0.1314
z:ADH-RC4-MD5             578       0.0982
z:ADH-SEED-SHA            332       0.0564
z:AECDH-AES128-SHA        10505     1.7856
z:AECDH-AES256-SHA        10564     1.7956
z:AECDH-DES-CBC3-SHA      10475     1.7805
z:AECDH-NULL-SHA          91        0.0155
z:AECDH-RC4-SHA           9925      1.687
z:DES-CBC-MD5             6864      1.1667
z:DES-CBC-SHA             35454     6.0263
z:DES-CBC3-MD5            17200     2.9236
z:ECDHE-RSA-NULL-SHA      98        0.0167
z:EDH-RSA-DES-CBC-SHA     30414     5.1696
z:EXP-ADH-DES-CBC-SHA     188       0.032
z:EXP-ADH-RC4-MD5         186       0.0316
z:EXP-DES-CBC-SHA         11293     1.9195
z:EXP-EDH-RSA-DES-CBC-SHA 8983      1.5269
z:EXP-RC2-CBC-MD5         13517     2.2975
z:EXP-RC4-MD5             14150     2.4051
z:EXP1024-DES-CBC-SHA     3580      0.6085
z:EXP1024-RC4-SHA         3641      0.6189
z:IDEA-CBC-MD5            1486      0.2526
z:NULL-MD5                239       0.0406
z:NULL-SHA                242       0.0411
z:NULL-SHA256             33        0.0056
z:RC2-CBC-MD5             7118      1.2099
z:RC4-64-MD5              762       0.1295

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               151229    25.7051
Server side               437095    74.2949

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       941       0.1599
AECDH                     10576     1.7976
DHE                       319231    54.2611
ECDH                      2         0.0003
ECDHE                     509684    86.6332
ECDHE and DHE             272378    46.2973
RSA                       505946    85.9979

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               122627    20.8434  38.4132
DH,2048bits               183782    31.2382  57.5702
DH,2236bits               92        0.0156   0.0288
DH,2430bits               1         0.0002   0.0003
DH,2432bits               3         0.0005   0.0009
DH,2560bits               1         0.0002   0.0003
DH,3072bits               122       0.0207   0.0382
DH,3092bits               2         0.0003   0.0006
DH,3196bits               1         0.0002   0.0003
DH,4094bits               1         0.0002   0.0003
DH,4096bits               12216     2.0764   3.8267
DH,512bits                91        0.0155   0.0285
DH,6144bits               1         0.0002   0.0003
DH,768bits                384       0.0653   0.1203
DH,8192bits               9         0.0015   0.0028
ECDH,B-571,570bits        2788      0.4739   0.547
ECDH,K-163,163bits        1         0.0002   0.0002
ECDH,P-192,192bits        39        0.0066   0.0077
ECDH,P-224,224bits        92        0.0156   0.0181
ECDH,P-256,256bits        484945    82.4282  95.1462
ECDH,P-384,384bits        8059      1.3698   1.5812
ECDH,P-521,521bits        15676     2.6645   3.0756
ECDH,brainpoolP512r1,512bits  1     0.0002   0.0002
Prefer DH,1024bits        46364     7.8807   14.5237
Prefer DH,2048bits        5558      0.9447   1.7411
Prefer DH,3072bits        11        0.0019   0.0034
Prefer DH,4096bits        389       0.0661   0.1219
Prefer DH,768bits         45        0.0076   0.0141
Prefer ECDH,B-571,570bits 2562      0.4355   0.5027
Prefer ECDH,K-163,163bits 1         0.0002   0.0002
Prefer ECDH,P-192,192bits 1         0.0002   0.0002
Prefer ECDH,P-224,224bits 89        0.0151   0.0175
Prefer ECDH,P-256,256bits 446551    75.9022  87.6133
Prefer ECDH,P-384,384bits 6159      1.0469   1.2084
Prefer ECDH,P-521,521bits 14444     2.4551   2.8339
Prefer ECDH,brainpoolP512r1,512bits  1  0.0002  0.0002
Prefer PFS                522175    88.7564  0
Support PFS               556537    94.597   0

Supported ECC curves      Count     Percent
-------------------------+---------+--------
brainpoolP256r1           15666     2.6628
brainpoolP384r1           15673     2.664
brainpoolP512r1           15677     2.6647
prime192v1                1721      0.2925
prime256v1                505771    85.9681
prime256v1 Only           424806    72.2061
secp160k1                 1634      0.2777
secp160r1                 1641      0.2789
secp160r2                 1633      0.2776
secp192k1                 1647      0.2799
secp224k1                 1732      0.2944
secp224r1                 5585      0.9493
secp256k1                 17871     3.0376
secp384r1                 83624     14.2139
secp384r1 Only            2663      0.4526
secp521r1                 47374     8.0524
secp521r1 Only            142       0.0241
sect163k1                 1637      0.2782
sect163r1                 1636      0.2781
sect163r2                 1637      0.2782
sect193r1                 1636      0.2781
sect193r2                 1636      0.2781
sect233k1                 1728      0.2937
sect233r1                 1725      0.2932
sect239k1                 1721      0.2925
sect283k1                 17205     2.9244
sect283r1                 17203     2.9241
sect409k1                 17203     2.9241
sect409r1                 17200     2.9236
sect571k1                 17204     2.9242
sect571r1                 17205     2.9244

Unsupported curve fallback     Count     Percent
------------------------------+---------+--------
False                          56188     9.5505
True                           384116    65.2899
order-specific                 30        0.0051
unknown                        147990    25.1545

ECC curve ordering        Count     Percent
-------------------------+---------+--------
client                    12072     2.0519
inconclusive-noecc        8         0.0014
server                    496534    84.3981
unknown                   79710     13.5487

TLSv1.2 PFS supported sigalgs  Count     Percent
------------------------------+---------+--------
ECDSA-SHA1                     53235     9.0486
ECDSA-SHA1 Only                7         0.0012
ECDSA-SHA224                   53208     9.044
ECDSA-SHA256                   70734     12.023
ECDSA-SHA384                   70725     12.0214
ECDSA-SHA512                   70735     12.0231
ECDSA-SHA512 Only              16        0.0027
RSA-MD5                        32419     5.5104
RSA-SHA1                       439804    74.7554
RSA-SHA1 Only                  34182     5.8101
RSA-SHA224                     364514    61.958
RSA-SHA256                     414576    70.4673
RSA-SHA256 Only                7888      1.3408
RSA-SHA384                     377143    64.1046
RSA-SHA384 Only                4         0.0007
RSA-SHA512                     377071    64.0924
RSA-SHA512 Only                85        0.0144

TLSv1.2 PFS ordering           Count     Percent
------------------------------+---------+--------
client                         276407    46.9821
indeterminate                  52        0.0088
intolerant                     6076      1.0328
order-fallback                 9         0.0015
server                         217108    36.9028
unsupported                    15976     2.7155

TLSv1.2 PFS sigalg fallback    Count     Percent
------------------------------+---------+--------
ECDSA SHA1                     53190     9.0409
ECDSA intolerant               134       0.0228
ECDSA pfs-rsa-SHA512           17450     2.9661
ECDSA soft-nopfs               9         0.0015
RSA False                      32115     5.4587
RSA SHA1                       374923    63.7273
RSA intolerant                 41684     7.0852
RSA pfs-ecdsa-SHA512           26        0.0044
RSA soft-nopfs                 481       0.0818

Renegotiation             Count     Percent
-------------------------+---------+--------
False                     5021      0.8534
insecure                  16740     2.8454
secure                    566563    96.3012

Compression               Count     Percent
-------------------------+---------+--------
1 (zlib compression)      7345      1.2485
False                     5021      0.8534
NONE                      575958    97.8981

TLS session ticket hint   Count     Percent
-------------------------+---------+--------
1                         2         0.0003
1 only                    2         0.0003
2                         1         0.0002
2 only                    1         0.0002
5                         9         0.0015
5 only                    9         0.0015
10                        8         0.0014
10 only                   8         0.0014
15                        7         0.0012
15 only                   7         0.0012
30                        24        0.0041
30 only                   24        0.0041
60                        159       0.027
60 only                   151       0.0257
65                        2         0.0003
65 only                   2         0.0003
70                        8         0.0014
70 only                   7         0.0012
75                        1         0.0002
75 only                   1         0.0002
90                        1         0.0002
90 only                   1         0.0002
100                       15        0.0025
100 only                  15        0.0025
120                       24        0.0041
120 only                  24        0.0041
128                       6         0.001
128 only                  5         0.0008
150                       2         0.0003
180                       72        0.0122
180 only                  70        0.0119
240                       13        0.0022
240 only                  13        0.0022
244                       2         0.0003
244 only                  2         0.0003
300                       294538    50.0639
300 only                  291166    49.4908
302                       2         0.0003
302 only                  2         0.0003
360                       3         0.0005
360 only                  2         0.0003
400                       4         0.0007
400 only                  4         0.0007
420                       133       0.0226
420 only                  113       0.0192
480                       11        0.0019
480 only                  10        0.0017
500                       3         0.0005
500 only                  3         0.0005
540                       4         0.0007
540 only                  4         0.0007
600                       28048     4.7674
600 only                  27923     4.7462
700                       3         0.0005
700 only                  3         0.0005
840                       2         0.0003
840 only                  2         0.0003
900                       1508      0.2563
900 only                  1487      0.2528
960                       4         0.0007
960 only                  4         0.0007
1000                      1         0.0002
1000 only                 1         0.0002
1200                      3403      0.5784
1200 only                 3400      0.5779
1210                      2         0.0003
1210 only                 2         0.0003
1320                      1         0.0002
1320 only                 1         0.0002
1380                      1         0.0002
1380 only                 1         0.0002
1440                      1         0.0002
1440 only                 1         0.0002
1500                      7         0.0012
1500 only                 6         0.001
1800                      698       0.1186
1800 only                 680       0.1156
1980                      2         0.0003
1980 only                 2         0.0003
2100                      2         0.0003
2100 only                 1         0.0002
2160                      1         0.0002
2160 only                 1         0.0002
2400                      9         0.0015
2400 only                 9         0.0015
2700                      10        0.0017
2700 only                 10        0.0017
3000                      38        0.0065
3000 only                 38        0.0065
3300                      1         0.0002
3300 only                 1         0.0002
3600                      1035      0.1759
3600 only                 1024      0.1741
3900                      2         0.0003
3900 only                 2         0.0003
4200                      1         0.0002
4500                      1         0.0002
4500 only                 1         0.0002
5160                      1         0.0002
5160 only                 1         0.0002
5400                      22        0.0037
5400 only                 6         0.001
6000                      345       0.0586
6000 only                 345       0.0586
7200                      15012     2.5517
7200 only                 14995     2.5488
8100                      1         0.0002
8100 only                 1         0.0002
9000                      2         0.0003
9000 only                 2         0.0003
10800                     5061      0.8602
10800 only                5045      0.8575
14400                     106       0.018
14400 only                106       0.018
18000                     11        0.0019
18000 only                11        0.0019
21600                     4326      0.7353
21600 only                4324      0.735
25200                     1         0.0002
25200 only                1         0.0002
28800                     2688      0.4569
28800 only                2688      0.4569
30000                     3         0.0005
30000 only                1         0.0002
36000                     1246      0.2118
36000 only                1240      0.2108
43200                     61        0.0104
43200 only                61        0.0104
54000                     1         0.0002
54000 only                1         0.0002
60000                     2         0.0003
60000 only                2         0.0003
64800                     70216     11.9349
64800 only                70188     11.9302
72000                     12        0.002
72000 only                12        0.002
79200                     1         0.0002
79200 only                1         0.0002
86400                     2835      0.4819
86400 only                2826      0.4803
100800                    9392      1.5964
100800 only               9375      1.5935
108000                    1         0.0002
108000 only               1         0.0002
115200                    1         0.0002
115200 only               1         0.0002
129600                    7         0.0012
129600 only               7         0.0012
172800                    55        0.0093
172800 only               55        0.0093
216000                    4         0.0007
216000 only               4         0.0007
259200                    3         0.0005
259200 only               3         0.0005
432000                    1         0.0002
432000 only               1         0.0002
604800                    1         0.0002
864000                    3         0.0005
864000 only               3         0.0005
7776000                   1         0.0002
7776000 only              1         0.0002
None                      150759    25.6252
None only                 147078    24.9995

Certificate sig alg       Count     Percent
-------------------------+---------+--------
None                      11191     1.9022
ecdsa-with-SHA256         67977     11.5543
sha1WithRSAEncryption     23775     4.0411
sha256WithRSAEncryption   514022    87.3706
sha384WithRSAEncryption   8         0.0014
sha512WithRSAEncryption   67        0.0114

Certificate key size      Count     Percent
-------------------------+---------+--------
ECDSA 256                 70749     12.0255
ECDSA 384                 34        0.0058
ECDSA 521                 1         0.0002
RSA 1024                  17        0.0029
RSA 2048                  507589    86.2771
RSA 2049                  2         0.0003
RSA 2056                  1         0.0002
RSA 2058                  3         0.0005
RSA 2059                  1         0.0002
RSA 2084                  1         0.0002
RSA 2086                  1         0.0002
RSA 2096                  3         0.0005
RSA 2408                  1         0.0002
RSA 2432                  2         0.0003
RSA 2560                  1         0.0002
RSA 2948                  1         0.0002
RSA 3072                  156       0.0265
RSA 3073                  1         0.0002
RSA 3096                  2         0.0003
RSA 3248                  2         0.0003
RSA 4048                  4         0.0007
RSA 4056                  16        0.0027
RSA 4069                  1         0.0002
RSA 4086                  3         0.0005
RSA 4092                  2         0.0003
RSA 4094                  1         0.0002
RSA 4095                  1         0.0002
RSA 4096                  29945     5.0899
RSA 4196                  1         0.0002
RSA 8192                  11        0.0019
RSA 8392                  1         0.0002
RSA/ECDSA Dual Stack      20215     3.436

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 127611    21.6906
Unsupported               460713    78.3094

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      17372     2.9528
SSL2 Only                 13        0.0022
SSL3                      102349    17.3967
SSL3 Only                 1020      0.1734
SSL3 or TLS1 Only         54445     9.2543
SSL3 or lower Only        1028      0.1747
TLS1                      576797    98.0407
TLS1 Only                 33030     5.6143
TLS1 or lower Only        70001     11.8984
TLS1.1                    507108    86.1954
TLS1.1 Only               42        0.0071
TLS1.1 or up Only         10330     1.7558
TLS1.2                    515617    87.6417
TLS1.2 Only               3098      0.5266
TLS1.2, 1.0 but not 1.1   7000      1.1898

Statistics from 622291 chains provided by 724741 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  563959    77.8152
incomplete                21088     2.9097
untrusted                 139694    19.275

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         2         0.0003
3                         618971    99.4665
4                         3305      0.5311
5                         13        0.0021

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 67969
ECDSA 384                 67967
RSA 1024                  10
RSA 2045                  2
RSA 2048                  918447
RSA 4096                  193516

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 67969     10.9224
ECDSA 384                 67967     10.9221
RSA 1024                  8         0.0013
RSA 2045                  2         0.0003
RSA 2048                  553908    89.0111
RSA 4096                  192863    30.9924

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              67958
sha1WithRSAEncryption          27126
sha256WithRSAEncryption        356410
sha384WithRSAEncryption        174062
sha512WithRSAEncryption        64

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        27123     4.3586
112                       527185    84.7168
128                       67983     10.9246

Most common root CAs                          Count     Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 156327    25.1212
(2c543cd1) GeoTrust Global CA                 97389     15.6501
(eed8c118) COMODO ECC Certification Authority 67950     10.9193
(5ad8a5d6) GlobalSign Root CA                 54936     8.828
(cbf06781) Go Daddy Root Certificate Authorit 48751     7.8341
(b204d74a) VeriSign Class 3 Public Primary Ce 32016     5.1449
(244b5494) DigiCert High Assurance EV Root CA 19865     3.1922
(2e4eed3c) thawte Primary Root CA             18906     3.0381
(fc5a8f99) USERTrust RSA Certification Author 17597     2.8278
(2e5ac55d) DST Root CA X3                     17594     2.8273
(653b494a) Baltimore CyberTrust Root          11729     1.8848
(3513523f) DigiCert Global Root CA            10305     1.656
(ae8153b9) StartCom Certification Authority   9737      1.5647
(4bfab552) Starfield Root Certificate Authori 8211      1.3195

Scan performed between 30th of May and 18th of June 2016

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic