TLS 1.2 adoption half way mark reached! May 2014 cipher scan results

Update: the previous version of the results counted “broken” cipher suites (export, ADH, AECDH) even if the server didn’t have a trusted certificate.

I’ve scanned the Alexa Top 1 million sites again, and this month’s results are both depressing and encouraging.

The bad

The number of sites that force RC4 in TLS 1.1 and TLS 1.2 connections has grown (by nearly 1.5%). The percentage of sites that accept export-grade cryptography or plainly broken cryptography hasn’t changed significantly.

The good

The fraction of servers that support only RC4 ciphers has fallen by 0.4% to 1.38%. More and more certificates are using SHA-256 based signatures (now over 10%, an increase of nearly 5%).

Interestingly, the first sites that use only ECDSA certificates have appeared (2 at the moment).

Also, we’ve finally reached the half way mark for TLS 1.2 adoption on the servers. Over 54% of servers support TLS1.2 and over 51% support TLS1.1.

Results

SSL/TLS survey of 318366 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)

Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      276742    86.9257
3DES Only                 137       0.043
AES                       296225    93.0454
AES Only                  930       0.2921
AES-CBC Only              588       0.1847
AES-GCM                   121699    38.2261
AES-GCM Only              4         0.0013
CAMELLIA                  127345    39.9996
CAMELLIA Only             1         0.0003
CHACHA20                  19834     6.2299
RC4                       283641    89.0927
RC4 Only                  4388      1.3783
RC4 Preferred             59422     18.6647
RC4 forced in TLS1.1+     37507     11.7811
z:ADH-AES128-GCM-SHA256   290       0.0911
z:ADH-AES128-SHA          1431      0.4495
z:ADH-AES128-SHA256       279       0.0876
z:ADH-AES256-GCM-SHA384   285       0.0895
z:ADH-AES256-SHA          1430      0.4492
z:ADH-AES256-SHA256       283       0.0889
z:ADH-CAMELLIA128-SHA     794       0.2494
z:ADH-CAMELLIA256-SHA     799       0.251
z:ADH-DES-CBC-SHA         845       0.2654
z:ADH-DES-CBC3-SHA        1482      0.4655
z:ADH-RC4-MD5             1345      0.4225
z:ADH-SEED-SHA            689       0.2164
z:AECDH-AES128-SHA        8482      2.6642
z:AECDH-AES256-SHA        8485      2.6652
z:AECDH-DES-CBC3-SHA      8457      2.6564
z:AECDH-NULL-SHA          4         0.0013
z:AECDH-RC4-SHA           8091      2.5414
z:DES-CBC-MD5             254       0.0798
z:DES-CBC-SHA             60478     18.9964
z:DHE-RSA-SEED-SHA        51890     16.2989
z:ECDHE-RSA-NULL-SHA      7         0.0022
z:EDH-RSA-DES-CBC-SHA     49291     15.4825
z:EXP-ADH-DES-CBC-SHA     461       0.1448
z:EXP-ADH-RC4-MD5         467       0.1467
z:EXP-DES-CBC-SHA         49466     15.5375
z:EXP-EDH-RSA-DES-CBC-SHA 35342     11.1011
z:EXP-RC2-CBC-MD5         46932     14.7415
z:IDEA-CBC-MD5            27        0.0085
z:IDEA-CBC-SHA            51847     16.2853
z:NULL-MD5                319       0.1002
z:NULL-SHA                313       0.0983
z:NULL-SHA256             10        0.0031
z:RC2-CBC-MD5             281       0.0883
z:SEED-SHA                65444     20.5562

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1525      0.479
AECDH                     8502      2.6705
DHE                       154179    48.4282
ECDHE                     134412    42.2193
RSA                       318109    99.9193

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               145407    45.6729  94.3105
DH,2048bits               7568      2.3771   4.9086
DH,3072bits               2         0.0006   0.0013
DH,3248bits               2         0.0006   0.0013
DH,4096bits               428       0.1344   0.2776
DH,4097bits               2         0.0006   0.0013
DH,512bits                35433     11.1296  22.9817
DH,768bits                683       0.2145   0.443
ECDH,B-163,163bits        1         0.0003   0.0007
ECDH,B-571,570bits        294       0.0923   0.2187
ECDH,P-224,224bits        3         0.0009   0.0022
ECDH,P-256,256bits        133565    41.9533  99.3698
ECDH,P-384,384bits        165       0.0518   0.1228
ECDH,P-521,521bits        450       0.1413   0.3348
Prefer DH,1024bits        98865     31.0539  64.1235
Prefer DH,2048bits        2143      0.6731   1.3899
Prefer DH,4096bits        34        0.0107   0.0221
Prefer DH,512bits         1         0.0003   0.0006
Prefer DH,768bits         74        0.0232   0.048
Prefer ECDH,B-163,163bits 1         0.0003   0.0007
Prefer ECDH,B-571,570bits 236       0.0741   0.1756
Prefer ECDH,P-256,256bits 94747     29.7604  70.49
Prefer ECDH,P-384,384bits 115       0.0361   0.0856
Prefer ECDH,P-521,521bits 409       0.1285   0.3043
Prefer PFS                196625    61.7607  0
Support PFS               245584    77.1389  0

Certificate sig alg       Count     Percent
-------------------------+---------+--------
None                      9994      3.1392
ecdsa-with-SHA256         2         0.0006
sha1WithRSAEncryption     286277    89.9207
sha256WithRSAEncryption   32146     10.0972

Certificate key size      Count     Percent
-------------------------+---------+--------
ECDSA 384                 2         0.0006
RSA 1024                  1935      0.6078
RSA 2028                  1         0.0003
RSA 2047                  2         0.0006
RSA 2048                  304898    95.7696
RSA 2049                  2         0.0006
RSA 2056                  3         0.0009
RSA 2058                  1         0.0003
RSA 2060                  1         0.0003
RSA 2064                  1         0.0003
RSA 2080                  3         0.0009
RSA 2084                  4         0.0013
RSA 2345                  1         0.0003
RSA 2408                  1         0.0003
RSA 2432                  60        0.0188
RSA 2536                  1         0.0003
RSA 2612                  1         0.0003
RSA 3000                  1         0.0003
RSA 3050                  1         0.0003
RSA 3072                  19        0.006
RSA 3248                  3         0.0009
RSA 3600                  1         0.0003
RSA 4042                  1         0.0003
RSA 4046                  1         0.0003
RSA 4048                  1         0.0003
RSA 4069                  1         0.0003
RSA 4086                  1         0.0003
RSA 4092                  2         0.0006
RSA 4096                  11427     3.5893
RSA 4098                  1         0.0003
RSA 4192                  2         0.0006
RSA 8192                  3         0.0009
RSA/ECDSA Dual Stack      0         0.0

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      621       0.1951
SSL2 Only                 73        0.0229
SSL3                      314763    98.8683
SSL3 Only                 3524      1.1069
SSL3 or TLS1 Only         140708    44.1969
TLS1                      314191    98.6886
TLS1 Only                 1117      0.3509
TLS1.1                    164225    51.5837
TLS1.1 Only               8         0.0025
TLS1.1 or up Only         68        0.0214
TLS1.2                    173049    54.3554
TLS1.2 Only               48        0.0151
TLS1.2, 1.0 but not 1.1   12720     3.9954

Scan performed between 7th and 15th of May 2014.