SSL/TLS survey of 593851 websites from Alexa's top 1 million Stats only from connections that did provide valid certificates (or anonymous DH from servers that do also have valid certificate installed) Supported Ciphers Count Percent -------------------------+---------+------- 3DES 525961 88.5678 3DES Only 605 0.1019 3DES Preferred 1797 0.3026 3DES forced in TLS1.1+ 978 0.1647 AES 589255 99.2261 AES Only 43606 7.3429 AES-CBC 588687 99.1304 AES-CBC Only 5565 0.9371 AES-GCM 490658 82.6231 AES-GCM Only 520 0.0876 CAMELLIA 261701 44.0685 CAMELLIA Only 2 0.0003 CHACHA20 81256 13.6829 Insecure 56141 9.4537 RC4 166167 27.9813 RC4 Only 158 0.0266 RC4 Preferred 13843 2.3311 RC4 forced in TLS1.1+ 7176 1.2084 x:FF 29 3DES Only 654 0.1101 x:FF 29 3DES Preferred 2164 0.3644 x:FF 29 RC4 Only 233 0.0392 x:FF 29 RC4 Preferred 16139 2.7177 x:FF 29 incompatible 518 0.0872 x:FF 35 3DES Only 662 0.1115 x:FF 35 3DES Preferred 2094 0.3526 x:FF 35 RC4 Only 273 0.046 x:FF 35 RC4 Preferred 16162 2.7216 x:FF 35 incompatible 522 0.0879 x:FF 44 3DES Only 4368 0.7355 x:FF 44 3DES Preferred 8162 1.3744 x:FF 44 incompatible 795 0.1339 y:DHE-RSA-SEED-SHA 79533 13.3928 y:IDEA-CBC-SHA 76113 12.8169 y:SEED-SHA 90128 15.1769 z:ADH-AES128-GCM-SHA256 430 0.0724 z:ADH-AES128-SHA 771 0.1298 z:ADH-AES128-SHA256 268 0.0451 z:ADH-AES256-GCM-SHA384 444 0.0748 z:ADH-AES256-SHA 809 0.1362 z:ADH-AES256-SHA256 269 0.0453 z:ADH-CAMELLIA128-SHA 401 0.0675 z:ADH-CAMELLIA128-SHA256 1 0.0002 z:ADH-CAMELLIA256-SHA 424 0.0714 z:ADH-CAMELLIA256-SHA256 1 0.0002 z:ADH-DES-CBC-SHA 326 0.0549 z:ADH-DES-CBC3-SHA 781 0.1315 z:ADH-RC4-MD5 571 0.0962 z:ADH-SEED-SHA 322 0.0542 z:AECDH-AES128-SHA 10202 1.7179 z:AECDH-AES256-SHA 10261 1.7279 z:AECDH-DES-CBC3-SHA 10168 1.7122 z:AECDH-NULL-SHA 94 0.0158 z:AECDH-RC4-SHA 9605 1.6174 z:DES-CBC-MD5 6658 1.1212 z:DES-CBC-SHA 35044 5.9011 z:DES-CBC3-MD5 17074 2.8751 z:ECDHE-RSA-NULL-SHA 100 0.0168 z:EDH-RSA-DES-CBC-SHA 29995 5.0509 z:EXP-ADH-DES-CBC-SHA 181 0.0305 z:EXP-ADH-RC4-MD5 180 0.0303 z:EXP-DES-CBC-SHA 10901 1.8356 z:EXP-EDH-RSA-DES-CBC-SHA 8667 1.4595 z:EXP-RC2-CBC-MD5 13108 2.2073 z:EXP-RC4-MD5 13716 2.3097 z:EXP1024-DES-CBC-SHA 3463 0.5831 z:EXP1024-RC4-SHA 3524 0.5934 z:IDEA-CBC-MD5 1453 0.2447 z:NULL-MD5 233 0.0392 z:NULL-SHA 238 0.0401 z:NULL-SHA256 36 0.0061 z:RC2-CBC-MD5 6966 1.173 z:RC4-64-MD5 757 0.1275 Cipher ordering Count Percent -------------------------+---------+------- Client side 152565 25.6908 Server side 441286 74.3092 Supported Handshakes Count Percent -------------------------+---------+------- ADH 979 0.1649 AECDH 10271 1.7296 DHE 320930 54.0422 ECDH 2 0.0003 ECDHE 517887 87.2082 ECDHE and DHE 274945 46.2987 RSA 509769 85.8412 Supported PFS Count Percent PFS Percent -------------------------+---------+--------+----------- DH,1024bits 119481 20.1197 37.2296 DH,1028bits 1 0.0002 0.0003 DH,2048bits 188192 31.6901 58.6396 DH,2236bits 78 0.0131 0.0243 DH,2430bits 1 0.0002 0.0003 DH,2432bits 3 0.0005 0.0009 DH,2560bits 1 0.0002 0.0003 DH,3072bits 132 0.0222 0.0411 DH,3092bits 2 0.0003 0.0006 DH,3196bits 1 0.0002 0.0003 DH,4046bits 1 0.0002 0.0003 DH,4094bits 1 0.0002 0.0003 DH,4096bits 12637 2.128 3.9376 DH,512bits 108 0.0182 0.0337 DH,6144bits 1 0.0002 0.0003 DH,768bits 385 0.0648 0.12 DH,8192bits 8 0.0013 0.0025 ECDH,B-571,570bits 3072 0.5173 0.5932 ECDH,K-163,163bits 1 0.0002 0.0002 ECDH,P-192,192bits 60 0.0101 0.0116 ECDH,P-224,224bits 94 0.0158 0.0182 ECDH,P-256,256bits 490672 82.6254 94.745 ECDH,P-384,384bits 9474 1.5953 1.8294 ECDH,P-521,521bits 16461 2.7719 3.1785 ECDH,brainpoolP512r1,512bits 1 0.0002 0.0002 ECDH,secp256k1,256bits 1 0.0002 0.0002 Prefer DH,1024bits 45380 7.6416 14.1402 Prefer DH,2048bits 5635 0.9489 1.7558 Prefer DH,3072bits 8 0.0013 0.0025 Prefer DH,3092bits 2 0.0003 0.0006 Prefer DH,4096bits 398 0.067 0.124 Prefer DH,768bits 44 0.0074 0.0137 Prefer ECDH,B-571,570bits 2840 0.4782 0.5484 Prefer ECDH,K-163,163bits 1 0.0002 0.0002 Prefer ECDH,P-192,192bits 1 0.0002 0.0002 Prefer ECDH,P-224,224bits 92 0.0155 0.0178 Prefer ECDH,P-256,256bits 453139 76.3052 87.4977 Prefer ECDH,P-384,384bits 7350 1.2377 1.4192 Prefer ECDH,P-521,521bits 15215 2.5621 2.9379 Prefer ECDH,brainpoolP512r1,512bits 1 0.0002 0.0002 Prefer ECDH,secp256k1,256bits 1 0.0002 0.0002 Prefer PFS 530107 89.266 0 Support PFS 563872 94.9518 0 Supported ECC curves Count Percent -------------------------+---------+-------- brainpoolP256r1 17814 2.9997 brainpoolP384r1 17827 3.0019 brainpoolP512r1 17836 3.0034 prime192v1 1799 0.3029 prime256v1 513258 86.4288 prime256v1 Only 427959 72.065 secp160k1 1678 0.2826 secp160r1 1688 0.2842 secp160r2 1678 0.2826 secp192k1 1693 0.2851 secp224k1 1780 0.2997 secp224r1 5748 0.9679 secp256k1 20085 3.3822 secp384r1 88954 14.9792 secp384r1 Only 3672 0.6183 secp521r1 50953 8.5801 secp521r1 Only 140 0.0236 sect163k1 1684 0.2836 sect163k1 Only 2 0.0003 sect163r1 1682 0.2832 sect163r2 1681 0.2831 sect193r1 1681 0.2831 sect193r2 1681 0.2831 sect233k1 1770 0.2981 sect233r1 1768 0.2977 sect239k1 1768 0.2977 sect283k1 19394 3.2658 sect283r1 19392 3.2655 sect409k1 19395 3.266 sect409r1 19391 3.2653 sect571k1 19395 3.266 sect571r1 19395 3.266 Unsupported curve fallback Count Percent ------------------------------+---------+-------- False 56371 9.4924 True 391090 65.8566 order-specific 45 0.0076 unknown 146345 24.6434 ECC curve ordering Count Percent -------------------------+---------+-------- client 13249 2.231 inconclusive-noecc 8 0.0013 server 503853 84.845 unknown 76741 12.9226 TLSv1.2 PFS supported sigalgs Count Percent ------------------------------+---------+-------- ECDSA-SHA1 53286 8.973 ECDSA-SHA1 Only 8 0.0013 ECDSA-SHA224 53248 8.9666 ECDSA-SHA256 71063 11.9665 ECDSA-SHA384 71064 11.9666 ECDSA-SHA512 71074 11.9683 ECDSA-SHA512 Only 16 0.0027 RSA-MD5 27142 4.5705 RSA-SHA1 447072 75.2835 RSA-SHA1 Only 34046 5.7331 RSA-SHA224 371135 62.4963 RSA-SHA256 422358 71.1219 RSA-SHA256 Only 8044 1.3545 RSA-SHA384 383992 64.6613 RSA-SHA384 Only 4 0.0007 RSA-SHA512 384022 64.6664 RSA-SHA512 Only 209 0.0352 TLSv1.2 PFS ordering Count Percent ------------------------------+---------+-------- client 280809 47.2861 indeterminate 54 0.0091 intolerant 6465 1.0887 order-fallback 8 0.0013 server 220388 37.1117 unsupported 15018 2.5289 TLSv1.2 PFS sigalg fallback Count Percent ------------------------------+---------+-------- ECDSA SHA1 53230 8.9635 ECDSA intolerant 189 0.0318 ECDSA pfs-rsa-SHA512 17719 2.9837 ECDSA soft-nopfs 7 0.0012 RSA False 26845 4.5205 RSA SHA1 386610 65.1022 RSA intolerant 43313 7.2936 RSA pfs-ecdsa-SHA512 27 0.0045 RSA soft-nopfs 474 0.0798 Renegotiation Count Percent -------------------------+---------+-------- False 4962 0.8356 insecure 16550 2.7869 secure 572339 96.3775 Compression Count Percent -------------------------+---------+-------- 1 (zlib compression) 7077 1.1917 False 4962 0.8356 NONE 581812 97.9727 TLS session ticket hint Count Percent -------------------------+---------+-------- 1 2 0.0003 1 only 2 0.0003 2 1 0.0002 2 only 1 0.0002 5 5 0.0008 5 only 5 0.0008 10 8 0.0013 10 only 8 0.0013 15 8 0.0013 15 only 8 0.0013 30 25 0.0042 30 only 25 0.0042 60 166 0.028 60 only 161 0.0271 65 2 0.0003 65 only 2 0.0003 70 8 0.0013 70 only 8 0.0013 75 1 0.0002 75 only 1 0.0002 90 1 0.0002 90 only 1 0.0002 100 16 0.0027 100 only 16 0.0027 120 27 0.0045 120 only 27 0.0045 128 6 0.001 128 only 6 0.001 150 2 0.0003 180 78 0.0131 180 only 74 0.0125 240 14 0.0024 240 only 14 0.0024 244 2 0.0003 244 only 2 0.0003 300 298609 50.2835 300 only 295255 49.7187 302 2 0.0003 302 only 2 0.0003 360 3 0.0005 360 only 2 0.0003 400 6 0.001 400 only 6 0.001 420 129 0.0217 420 only 111 0.0187 450 1 0.0002 450 only 1 0.0002 480 11 0.0019 480 only 11 0.0019 500 3 0.0005 500 only 3 0.0005 540 4 0.0007 540 only 4 0.0007 600 28678 4.8292 600 only 28547 4.8071 660 1 0.0002 660 only 1 0.0002 700 1 0.0002 700 only 1 0.0002 720 3 0.0005 720 only 3 0.0005 840 2 0.0003 840 only 2 0.0003 900 1532 0.258 900 only 1515 0.2551 960 3 0.0005 960 only 3 0.0005 1000 1 0.0002 1000 only 1 0.0002 1200 3512 0.5914 1200 only 3508 0.5907 1210 2 0.0003 1210 only 2 0.0003 1320 1 0.0002 1320 only 1 0.0002 1380 1 0.0002 1380 only 1 0.0002 1440 1 0.0002 1440 only 1 0.0002 1500 6 0.001 1500 only 5 0.0008 1800 751 0.1265 1800 only 734 0.1236 1980 2 0.0003 1980 only 2 0.0003 2100 2 0.0003 2100 only 1 0.0002 2400 10 0.0017 2400 only 10 0.0017 2700 11 0.0019 2700 only 11 0.0019 3000 42 0.0071 3000 only 42 0.0071 3300 1 0.0002 3300 only 1 0.0002 3600 1079 0.1817 3600 only 1070 0.1802 3900 1 0.0002 3900 only 1 0.0002 4200 1 0.0002 4500 1 0.0002 4500 only 1 0.0002 5160 1 0.0002 5160 only 1 0.0002 5400 19 0.0032 5400 only 6 0.001 6000 352 0.0593 6000 only 352 0.0593 7200 15154 2.5518 7200 only 15130 2.5478 9000 2 0.0003 9000 only 2 0.0003 10800 5334 0.8982 10800 only 5324 0.8965 14400 116 0.0195 14400 only 116 0.0195 18000 9 0.0015 18000 only 9 0.0015 21600 4287 0.7219 21600 only 4286 0.7217 25200 1 0.0002 25200 only 1 0.0002 28800 2555 0.4302 28800 only 2555 0.4302 30000 3 0.0005 30000 only 1 0.0002 36000 1220 0.2054 36000 only 1209 0.2036 43200 65 0.0109 43200 only 65 0.0109 54000 1 0.0002 54000 only 1 0.0002 54647 1 0.0002 54660 1 0.0002 54674 1 0.0002 54690 1 0.0002 54703 1 0.0002 54722 1 0.0002 54737 1 0.0002 54751 1 0.0002 60000 2 0.0003 60000 only 2 0.0003 64800 70759 11.9153 64800 only 70736 11.9114 72000 12 0.002 72000 only 12 0.002 79200 1 0.0002 79200 only 1 0.0002 86400 2990 0.5035 86400 only 2984 0.5025 100800 9026 1.5199 100800 only 9015 1.5181 108000 1 0.0002 108000 only 1 0.0002 115200 1 0.0002 115200 only 1 0.0002 129600 6 0.001 129600 only 6 0.001 172800 47 0.0079 172800 only 47 0.0079 216000 4 0.0007 216000 only 3 0.0005 259200 2 0.0003 259200 only 2 0.0003 432000 1 0.0002 432000 only 1 0.0002 604800 1 0.0002 604800 only 1 0.0002 864000 2 0.0003 864000 only 2 0.0003 7776000 1 0.0002 7776000 only 1 0.0002 None 150742 25.3838 None only 147105 24.7714 Certificate sig alg Count Percent -------------------------+---------+-------- None 10920 1.8388 ecdsa-with-SHA256 68463 11.5286 sha1WithRSAEncryption 21372 3.5989 sha256WithRSAEncryption 521742 87.8574 sha384WithRSAEncryption 8 0.0013 sha512WithRSAEncryption 69 0.0116 Certificate key size Count Percent -------------------------+---------+-------- ECDSA 256 71108 11.974 ECDSA 384 38 0.0064 ECDSA 521 1 0.0002 RSA 1024 15 0.0025 RSA 2048 511834 86.189 RSA 2049 3 0.0005 RSA 2056 1 0.0002 RSA 2058 3 0.0005 RSA 2059 1 0.0002 RSA 2080 6 0.001 RSA 2084 2 0.0003 RSA 2086 1 0.0002 RSA 2096 3 0.0005 RSA 2408 1 0.0002 RSA 2432 3 0.0005 RSA 2560 1 0.0002 RSA 2948 1 0.0002 RSA 3072 163 0.0274 RSA 3073 1 0.0002 RSA 3096 2 0.0003 RSA 3248 3 0.0005 RSA 4048 4 0.0007 RSA 4056 18 0.003 RSA 4069 1 0.0002 RSA 4086 4 0.0007 RSA 4092 2 0.0003 RSA 4094 1 0.0002 RSA 4095 1 0.0002 RSA 4096 30991 5.2186 RSA 4196 1 0.0002 RSA 8192 10 0.0017 RSA 8392 1 0.0002 RSA/ECDSA Dual Stack 20358 3.4281 OCSP stapling Count Percent -------------------------+---------+-------- Supported 126688 21.3333 Unsupported 467163 78.6667 Supported Protocols Count Percent -------------------------+---------+------- SSL2 17236 2.9024 SSL2 Only 12 0.002 SSL3 99629 16.7768 SSL3 Only 497 0.0837 SSL3 or TLS1 Only 52946 8.9157 SSL3 or lower Only 505 0.085 TLS1 582034 98.0101 TLS1 Only 32797 5.5228 TLS1 or lower Only 68913 11.6044 TLS1.1 515189 86.7539 TLS1.1 Only 42 0.0071 TLS1.1 or up Only 11134 1.8749 TLS1.2 522729 88.0236 TLS1.2 Only 3290 0.554 TLS1.2, 1.0 but not 1.1 5865 0.9876 Statistics from 628845 chains provided by 728648 hosts Server provided chains Count Percent -------------------------+---------+------- complete 570337 78.2733 incomplete 21286 2.9213 untrusted 137025 18.8054 Trusted chain statistics ======================== Chain length Count Percent -------------------------+---------+------- 2 1 0.0002 3 625155 99.4132 4 3676 0.5846 5 13 0.0021 CA key size in chains Count -------------------------+--------- ECDSA 256 68458 ECDSA 384 68457 RSA 1024 8 RSA 2045 2 RSA 2048 927971 RSA 4096 196495 Chains with CA key Count Percent -------------------------+---------+------- ECDSA 256 68458 10.8863 ECDSA 384 68456 10.886 RSA 1024 6 0.001 RSA 2045 2 0.0003 RSA 2048 559959 89.0456 RSA 4096 195838 31.1425 Signature algorithm (ex. root) Count ------------------------------+--------- ecdsa-with-SHA384 68447 sha1WithRSAEncryption 24541 sha256WithRSAEncryption 363378 sha384WithRSAEncryption 176120 sha512WithRSAEncryption 60 Eff. host cert chain LoS Count Percent -------------------------+---------+------- 80 24524 3.8998 112 535845 85.211 128 68476 10.8892 Most popular root CAs Count Percent ---------------------------------------------+---------+------- (d6325660) COMODO RSA Certification Authority 158376 25.1852 (2c543cd1) GeoTrust Global CA 95542 15.1933 (eed8c118) COMODO ECC Certification Authority 68438 10.8831 (cbf06781) Go Daddy Root Certificate Authorit 49514 7.8738 (5ad8a5d6) GlobalSign Root CA 48382 7.6938 (b204d74a) VeriSign Class 3 Public Primary Ce 32086 5.1024 (2e5ac55d) DST Root CA X3 26043 4.1414 (244b5494) DigiCert High Assurance EV Root CA 20408 3.2453 (2e4eed3c) thawte Primary Root CA 19033 3.0267 (fc5a8f99) USERTrust RSA Certification Author 17598 2.7985 (653b494a) Baltimore CyberTrust Root 11671 1.8559 (3513523f) DigiCert Global Root CA 10585 1.6832 (ae8153b9) StartCom Certification Authority 9453 1.5032 (4bfab552) Starfield Root Certificate Authori 8502 1.352 Scan performed between 19th of June and 6th of July 2016 -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
Attachment:
signature.asc
Description: This is a digitally signed message part.
-- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://lists.fedoraproject.org/admin/lists/security@xxxxxxxxxxxxxxxxxxxxxxx
