Month: June 2014

Is RC4-less browsing possible?

As some of you know, YouTube now supports one other cipher besides the venerable RC4. Unfortunately, this other cipher suite is not supported by the currently released Firefox (but is supported by the underlying cryptographic library – NSS).

So I went and implemented a patch that allows the user to enable this other cipher suite (among others).

Side note: while compiling Firefox requires quite a few dependencies and lots of patience (not to mention a few gigabytes of disk space), the process itself is really easy with all the guides available on the Mozilla developer’s network. Props to all the people responsible for this documentation and scripts!

The patch I wrote was unfortunately shot down by Brian Smith because the current goal is to push server operators to implement support for ECDHE and AES-GCM. While this is a noble goal, I’m a bit more pragmatic (or impatient, if you will) and want the cipher suite selection to represent what servers do, not what we want them to do.

(While I write below about Firefox 29, the same is true of the current development master branch.)

Current state of Firefox 29

I took this month’s scan results and checked them against the ciphers offered by Firefox.

The good news: Firefox 29 cipher selection is incompatible with less than 0.01% of sites (assuming that all Internet servers support at least one cipher suite that OpenSSL supports).

The bad news: its cipher selection makes the number of servers that prefer RC4 over other cipher suites larger by another 2.68% (for a total of 21.3%).

Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 RC4 Only          301       0.0858
x:FF 29 RC4 Preferred     9421      2.6844
x:FF 29 incompatible      31        0.0088

Let’s take a closer look at the ciphers that cause some servers to be elevated to the RC4 Only state (excluding the obviously bad anonymous or export-grade cipher suites):

FF 29 RC4 Only other ciphers  Count    Percent
-----------------------------+---------+------
AES128-GCM-SHA256              49        0.014
AES128-SHA256                  98        0.0279
AES256-GCM-SHA384              26        0.0074
AES256-SHA256                  98        0.0279
DHE-RSA-AES128-GCM-SHA256      7         0.002
DHE-RSA-AES128-SHA256          4         0.0011
DHE-RSA-AES256-GCM-SHA384      9         0.0026
DHE-RSA-AES256-SHA256          7         0.002
DHE-RSA-SEED-SHA               31        0.0088
ECDHE-RSA-AES128-SHA256        82        0.0234
ECDHE-RSA-AES256-GCM-SHA384    2         0.0006
ECDHE-RSA-AES256-SHA384        43        0.0123
IDEA-CBC-SHA                   32        0.0091
SEED-SHA                       32        0.0091

We can see that most of those servers support the non-ephemeral AES128-SHA256 cipher or ECDHE-RSA-AES128-SHA256. In other words, secure ciphers, but slower than the AES128-SHA or ECDHE-RSA-AES128-SHA ciphers (though not necessarily less secure than them).

Now, let’s take a look at the set of ciphers that cause Firefox to prefer RC4 while it’s not actually the first cipher selected by the server (again, excluding the obviously bad cipher suites):

FF 29 RC4 pref other ciphers  Count    Percent
-----------------------------+---------+------
AES128-GCM-SHA256              7935      2.261
AES128-SHA256                  9212      2.6249
AES256-GCM-SHA384              7887      2.2473
AES256-SHA256                  9212      2.6249
DHE-RSA-AES128-GCM-SHA256      110       0.0313
DHE-RSA-AES128-SHA256          110       0.0313
DHE-RSA-AES256-GCM-SHA384      112       0.0319
DHE-RSA-AES256-SHA256          113       0.0322
DHE-RSA-SEED-SHA               68        0.0194
ECDHE-RSA-AES128-SHA256        7050      2.0088
ECDHE-RSA-AES256-GCM-SHA384    6344      1.8077
ECDHE-RSA-AES256-SHA384        6698      1.9085
IDEA-CBC-SHA                   1770      0.5043
SEED-SHA                       1792      0.5106

We again see AES128-SHA256 and ECDHE-RSA-AES128-SHA256 ranking high. Additionally, AES128-GCM-SHA256 and AES256-SHA256 are common and supported by the NSS cryptographic library. AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384 and ECDHE-RSA-AES256-SHA384 are also common, but unsupported by NSS.

Interestingly, the sites that are unsupported by Firefox are unsupported for a good reason:

FF 29 incompatible ciphers    Count    Percent
-----------------------------+---------+------
ADH-AES128-SHA                 8         0.0023
ADH-AES256-SHA                 8         0.0023
ADH-DES-CBC3-SHA               8         0.0023
ADH-RC4-MD5                    8         0.0023
AECDH-AES128-SHA               1         0.0003
AECDH-AES256-SHA               1         0.0003
AECDH-DES-CBC3-SHA             1         0.0003
AECDH-RC4-SHA                  1         0.0003
DES-CBC-SHA                    16        0.0046
DHE-RSA-AES128-GCM-SHA256      1         0.0003
DHE-RSA-AES256-GCM-SHA384      2         0.0006
DHE-RSA-AES256-SHA256          1         0.0003
ECDHE-RSA-AES256-GCM-SHA384    3         0.0009
EDH-RSA-DES-CBC-SHA            15        0.0043
EXP-DES-CBC-SHA                11        0.0031
EXP-EDH-RSA-DES-CBC-SHA        12        0.0034
EXP-RC2-CBC-MD5                11        0.0031
EXP-RC4-MD5                    11        0.0031
NULL-MD5                       4         0.0011
NULL-SHA                       4         0.0011
NULL-SHA256                    3         0.0009

That gives us at most 7 servers (but no fewer than 3 servers) that could be supported if NSS supported SHA384 as the TLSv1.2 PRF, without adding any insecure cipher suites.

Firefox 29 with RC4 disabled

OK, so the current cipher selection provides very good compatibility, but not security, for over 20% of sites on the Internet. How does this picture change if we remove support for RC4 ciphers?

Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 incompatible      3790      1.0799

We become incompatible with just a bit over 1% of servers. Let’s take a look at the ciphers we could then enable to become more compatible (excluding the obvious bad choices):

FF 29 incompatible ciphers    Count    Percent
-----------------------------+---------+------
AES128-GCM-SHA256              49        0.014
AES128-SHA256                  98        0.0279
AES256-GCM-SHA384              26        0.0074
AES256-SHA256                  98        0.0279
DHE-RSA-AES128-GCM-SHA256      8         0.0023
DHE-RSA-AES128-SHA256          4         0.0011
DHE-RSA-AES256-GCM-SHA384      11        0.0031
DHE-RSA-AES256-SHA256          8         0.0023
DHE-RSA-SEED-SHA               31        0.0088
ECDHE-RSA-AES128-SHA256        82        0.0234
ECDHE-RSA-AES256-GCM-SHA384    5         0.0014
ECDHE-RSA-AES256-SHA384        43        0.0123
ECDHE-RSA-RC4-SHA              104       0.0296
IDEA-CBC-SHA                   32        0.0091
RC4-MD5                        2136      0.6086
RC4-SHA                        3518      1.0024
SEED-SHA                       32        0.0091

The obvious solution would be to enable RC4, but as we’ve established, this is not a good idea.

Firefox 29 and one more cipher

If we could enable one more cipher, it would probably be ECDHE-RSA-AES128-SHA256. The result of such a change would look like this:

Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 RC4 Only          219       0.0624
x:FF 29 RC4 Preferred     2705      0.7708
x:FF 29 incompatible      31        0.0088

A 2% change from adding just a single cipher suite!

Firefox 29 with more cipher suites

We know that when we disable RC4 we lose access to about 1% of sites. Let’s see if we can decrease the number of sites that select RC4 but don’t prefer it over all other ciphers.

When we enable ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256 and DHE-RSA-AES256-SHA256 the statistics look like this:

Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 RC4 Only          209       0.0596
x:FF 29 RC4 Preferred     2631      0.7497
x:FF 29 incompatible      29        0.0083

In other words, this decreases the number of sites that prefer RC4 by nearly 2%!

Adding AES128-GCM-SHA256, AES128-SHA256 and AES256-SHA256 to the mix causes the percentage to drop further to less than 0.1%:

Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 RC4 Only          161       0.0459
x:FF 29 RC4 Preferred     251       0.0715
x:FF 29 incompatible      29        0.0083

Firefox 29 with more ciphers but no RC4

Removing RC4 ciphers in Firefox with this extended cipher set causes it to be incompatible with 1.04% of sites, compared to 1.08% in the default configuration:

Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 incompatible      3648      1.0395

The cipher suites that cause this lack of compatibility:

FF 29 incompatible ciphers    Count    Percent
-----------------------------+---------+------
ADH-AES128-GCM-SHA256          1         0.0003
ADH-AES128-SHA                 10        0.0028
ADH-AES128-SHA256              1         0.0003
ADH-AES256-GCM-SHA384          1         0.0003
ADH-AES256-SHA                 10        0.0028
ADH-AES256-SHA256              1         0.0003
ADH-CAMELLIA128-SHA            1         0.0003
ADH-CAMELLIA256-SHA            1         0.0003
ADH-DES-CBC-SHA                2         0.0006
ADH-DES-CBC3-SHA               10        0.0028
ADH-RC4-MD5                    25        0.0071
ADH-SEED-SHA                   1         0.0003
AECDH-AES128-SHA               6         0.0017
AECDH-AES256-SHA               6         0.0017
AECDH-DES-CBC3-SHA             6         0.0017
AECDH-RC4-SHA                  8         0.0023
AES128-SHA256                  3         0.0009
DES-CBC-SHA                    59        0.0168
DHE-RSA-AES256-GCM-SHA384      1         0.0003
DHE-RSA-SEED-SHA               31        0.0088
ECDHE-RSA-AES256-GCM-SHA384    4         0.0011
ECDHE-RSA-RC4-SHA              94        0.0268
EDH-RSA-DES-CBC-SHA            44        0.0125
EXP-ADH-DES-CBC-SHA            1         0.0003
EXP-ADH-RC4-MD5                4         0.0011
EXP-DES-CBC-SHA                38        0.0108
EXP-EDH-RSA-DES-CBC-SHA        30        0.0085
EXP-RC2-CBC-MD5                128       0.0365
EXP-RC4-MD5                    228       0.065
IDEA-CBC-SHA                   32        0.0091
NULL-MD5                       16        0.0046
NULL-SHA                       14        0.004
NULL-SHA256                    3         0.0009
RC4-MD5                        2038      0.5807
RC4-SHA                        3398      0.9682
SEED-SHA                       32        0.0091

Summary

Enabling additional cipher suites already supported by NSS makes connections to more than 2% of sites more secure. While enabling support for them is statistically insignificant for a configuration with RC4 disabled, the sites affected by it are not exactly small.

Most likely, the reason for the 2% discrepancy between sites that prefer RC4 in general and those that negotiate RC4 with Firefox is the servers that run old (2.2.x) versions of Apache, which do not support ECDHE key exchange but do support TLSv1.2. Administrators of those servers who still consider BEAST a threat may want to select different ciphers in TLSv1.1 and later (which makes all ciphers invulnerable to BEAST) than in TLSv1.0. Unfortunately, Apache doesn’t really facilitate that, and so they are left with just putting all ciphers that require TLSv1.2 right before the RC4 ciphers. Combined with the fact that Firefox supports only two cipher suites that require TLSv1.2 (ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-RSA-AES128-GCM-SHA256), this makes the connections end up using RC4.

Thankfully, Apache 2.2 will gain support for ECDHE, so this number should fall in the future.
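The classification behind the “x:FF 29” rows, and the Apache 2.2 ordering described in the summary, can be reproduced with a small simulation. This is an added example, not code from the original post or from cipherscan: the client offer is a constructed list modelled on what the post says about Firefox 29, the server lists are constructed, and it assumes every server enforces its own preference order.

```python
from collections import Counter

# Constructed client offer (OpenSSL names), modelled on what the post says about
# Firefox 29: only two TLSv1.2-only suites, the rest are older AES/3DES/RC4
# suites. An assumption for illustration, not the browser's exact list.
BASE_OFFER = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-RC4-SHA",
    "DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA",
    "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5",
]

# Suites the post proposes enabling (all of them are named in the post).
ONE_MORE = ["ECDHE-RSA-AES128-SHA256"]
EXTENDED = ONE_MORE + [
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA256", "DHE-RSA-AES256-SHA256",
    "AES128-GCM-SHA256", "AES128-SHA256", "AES256-SHA256",
]

# Constructed server preference lists, most preferred suite first.
SERVERS = {
    # TLSv1.2-only suites placed right before RC4, no ECDHE (the Apache 2.2 case).
    "apache22_style": ["AES128-GCM-SHA256", "AES128-SHA256", "AES256-SHA256",
                       "RC4-SHA", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"],
    # Only SHA-256 CBC suites plus RC4 as the fallback.
    "sha256_or_rc4": ["ECDHE-RSA-AES128-SHA256", "AES128-SHA256", "RC4-SHA"],
    "ecdhe_first": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA",
                    "RC4-SHA", "AES128-SHA"],
    "rc4_only": ["RC4-SHA", "RC4-MD5"],
    "export_only": ["EXP-DES-CBC-SHA", "EXP-RC4-MD5", "NULL-SHA"],
}


def is_rc4(suite):
    return "RC4" in suite


def without_rc4(offer):
    return [s for s in offer if not is_rc4(s)]


def classify(server_order, client_offer):
    """Handshake outcome when the server picks by its own order (assumed)."""
    offered = set(client_offer)
    shared = [s for s in server_order if s in offered]
    if not shared:
        return "incompatible"
    if all(is_rc4(s) for s in shared):
        return "RC4 only"
    if is_rc4(shared[0]):
        return "RC4 preferred"
    return "ok"


def elevated(server_order, client_offer):
    """True when this client offer puts the server in an RC4 class that its
    own full cipher list does not put it in (the 'x:' rows in the tables)."""
    server_view = classify(server_order, server_order)
    client_view = classify(server_order, client_offer)
    return client_view in ("RC4 only", "RC4 preferred") and client_view != server_view


def survey(servers, client_offer):
    """Count the outcomes over all servers for one client configuration."""
    return dict(Counter(classify(order, client_offer) for order in servers.values()))


if __name__ == "__main__":
    scenarios = {
        "base offer": BASE_OFFER,
        "base, RC4 disabled": without_rc4(BASE_OFFER),
        "base + one more suite": BASE_OFFER + ONE_MORE,
        "base + extended set": BASE_OFFER + EXTENDED,
        "extended, RC4 disabled": without_rc4(BASE_OFFER + EXTENDED),
    }
    for label, offer in scenarios.items():
        print(f"{label:24} {survey(SERVERS, offer)}")
    for name, order in SERVERS.items():
        if elevated(order, BASE_OFFER):
            print(f"elevated by base offer: {name} -> {classify(order, BASE_OFFER)}")
```

The `apache22_style` entry is the case from the summary: the server ranks three TLSv1.2-only suites first, the client offers none of them, and RC4-SHA becomes the first shared suite.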


RC4 Only servers fall below 1% – June 2014 scan results

Another month, another set of results. This month’s big news is that the percentage of servers that support only RC4 ciphers has fallen below the 1% mark!

Note that this set is compared to the just now published results of the SNI-enabled scan from last month, not the results published a month ago!

The general choice of block ciphers hasn’t changed much. AES-GCM has grown a bit (by 1.2%), and the cipher of choice for the Internet is still AES (at over 93%).

The percentage of servers with misconfigured cipher suites hasn’t changed much; AECDH has grown a little bit (by 0.19%).

The number of servers that support PFS is steadily growing, with DHE gaining nearly 0.5% and ECDHE gaining 1.2%. The number of servers that prefer the weak 1024-bit DH parameters has also fallen by over 0.5%. So not only are we getting new properly configured servers, but older ones are also being updated to support the more secure and faster ECDHE with 256-bit curves!

Unfortunately, it looks like the sudden increase of SHA-256 signed certificates is over and we’re back to the steady, slow increase. This month it has grown by 0.9%.

The kind of keys that are being signed hasn’t changed significantly. 2048-bit RSA is still the key size of choice for over 95% of server admins.

Also, the number of servers that support only SSLv3 has fallen below the 1% mark; it’s at 0.993% now. Unfortunately, the number of servers that support TLSv1.2 has increased only by 1.65%.

SSL/TLS survey of 350949 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      305304    86.9938
3DES Only                 137       0.039
AES                       329405    93.8612
AES Only                  923       0.263
AES-CBC Only              616       0.1755
AES-GCM                   137654    39.2234
AES-GCM Only              3         0.0009
CAMELLIA                  141331    40.2711
CHACHA20                  16443     4.6853
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
z:ADH-AES128-GCM-SHA256   320       0.0912
z:ADH-AES128-SHA          1336      0.3807
z:ADH-AES128-SHA256       299       0.0852
z:ADH-AES256-GCM-SHA384   305       0.0869
z:ADH-AES256-SHA          1338      0.3813
z:ADH-AES256-SHA256       302       0.0861
z:ADH-CAMELLIA128-SHA     706       0.2012 
z:ADH-CAMELLIA256-SHA     713       0.2032
z:ADH-DES-CBC-SHA         740       0.2109 
z:ADH-DES-CBC3-SHA        1405      0.4003
z:ADH-RC4-MD5             1268      0.3613
z:ADH-SEED-SHA            392       0.1117
z:AECDH-AES128-SHA        10114     2.8819
z:AECDH-AES256-SHA        10117     2.8828
z:AECDH-DES-CBC3-SHA      10087     2.8742
z:AECDH-NULL-SHA          16        0.0046
z:AECDH-RC4-SHA           9668      2.7548
z:DES-CBC-SHA             67043     19.1033
z:DHE-RSA-SEED-SHA        58392     16.6383
z:ECDHE-RSA-NULL-SHA      19        0.0054
z:EDH-RSA-DES-CBC-SHA     52382     14.9258
z:EXP-ADH-DES-CBC-SHA     453       0.1291
z:EXP-ADH-RC4-MD5         456       0.1299
z:EXP-DES-CBC-SHA         55024     15.6786
z:EXP-EDH-RSA-DES-CBC-SHA 37222     10.6061
z:EXP-RC2-CBC-MD5         52973     15.0942
z:IDEA-CBC-SHA            62257     17.7396
z:NULL-MD5                333       0.0949
z:NULL-SHA                330       0.094
z:NULL-SHA256             18        0.0051
z:SEED-SHA                72273     20.5936

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1461      0.4163
AECDH                     10145     2.8907
DHE                       170916    48.7011
ECDH                      1         0.0003
ECDHE                     158213    45.0815
ECDHE and DHE             54584     15.5533
RSA                       350676    99.9222

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               158684    45.2157  92.8433
DH,2048bits               10821     3.0834   6.3312
DH,2226bits               2         0.0006   0.0012
DH,3072bits               5         0.0014   0.0029
DH,3246bits               2         0.0006   0.0012
DH,3248bits               2         0.0006   0.0012
DH,4096bits               538       0.1533   0.3148
DH,512bits                37361     10.6457  21.8593
DH,768bits                720       0.2052   0.4213
ECDH,B-163,163bits        18        0.0051   0.0114
ECDH,B-571,570bits        347       0.0989   0.2193
ECDH,P-224,224bits        5         0.0014   0.0032
ECDH,P-256,256bits        157058    44.7524  99.27
ECDH,P-384,384bits        184       0.0524   0.1163
ECDH,P-521,521bits        683       0.1946   0.4317
Prefer DH,1024bits        103305    29.4359  60.442
Prefer DH,2048bits        2429      0.6921   1.4212
Prefer DH,4096bits        36        0.0103   0.0211
Prefer DH,512bits         2         0.0006   0.0012
Prefer DH,768bits         83        0.0237   0.0486
Prefer ECDH,B-163,163bits 18        0.0051   0.0114
Prefer ECDH,B-571,570bits 270       0.0769   0.1707
Prefer ECDH,P-224,224bits 3         0.0009   0.0019
Prefer ECDH,P-256,256bits 114187    32.5366  72.173
Prefer ECDH,P-384,384bits 120       0.0342   0.0758
Prefer ECDH,P-521,521bits 636       0.1812   0.402
Prefer PFS                221089    62.9975  0
Support PFS               274545    78.2293  0

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
5                         1         0.0003   
5 only                    1         0.0003   
10                        2         0.0006   
10 only                   2         0.0006   
30                        1         0.0003   
30 only                   1         0.0003   
42                        1         0.0003   
42 only                   1         0.0003   
60                        12        0.0034   
60 only                   7         0.002    
120                       2         0.0006   
120 only                  2         0.0006   
128                       1         0.0003   
128 only                  1         0.0003   
180                       21        0.006    
180 only                  21        0.006    
300                       125932    35.8833  
300 only                  110959    31.6168  
420                       8         0.0023   
420 only                  7         0.002    
480                       5         0.0014   
480 only                  5         0.0014   
600                       4723      1.3458   
600 only                  4590      1.3079   
900                       151       0.043    
900 only                  125       0.0356   
960                       1         0.0003   
960 only                  1         0.0003   
1200                      52        0.0148   
1200 only                 51        0.0145   
1500                      7         0.002    
1500 only                 7         0.002    
1800                      97        0.0276   
1800 only                 93        0.0265   
2400                      1         0.0003   
2400 only                 1         0.0003   
3000                      3         0.0009   
3000 only                 2         0.0006   
3600                      162       0.0462   
3600 only                 158       0.045    
5400                      1         0.0003   
6000                      1         0.0003   
6000 only                 1         0.0003   
7200                      10307     2.9369   
7200 only                 1565      0.4459   
10800                     5         0.0014   
10800 only                2         0.0006   
14400                     675       0.1923   
14400 only                675       0.1923   
18000                     3         0.0009   
18000 only                1         0.0003   
21600                     23        0.0066   
21600 only                23        0.0066   
28800                     5         0.0014   
28800 only                5         0.0014   
30720                     1         0.0003   
30720 only                1         0.0003   
36000                     521       0.1485   
36000 only                519       0.1479   
43200                     6485      1.8478   
43200 only                6481      1.8467   
64800                     8656      2.4665   
64800 only                8651      2.465    
86000                     30        0.0085   
86000 only                30        0.0085   
86400                     4061      1.1571   
86400 only                4060      1.1569   
100800                    16457     4.6893   
100800 only               13        0.0037   
115200                    1         0.0003   
115200 only               1         0.0003   
129600                    6         0.0017   
129600 only               6         0.0017   
864000                    6         0.0017   
864000 only               6         0.0017   
None                      212871    60.6558  
None only                 172526    49.1598  

Certificate sig alg     Count     Percent 
-------------------------+---------+--------
None                      11549     3.2908   
ecdsa-with-SHA256         1         0.0003   
sha1WithRSAEncryption     308984    88.0424  
sha256WithRSAEncryption   41971     11.9593  

Certificate key size    Count     Percent 
-------------------------+---------+--------
ECDSA 256                 9203      2.6223   
ECDSA 384                 2         0.0006   
RSA 1024                  1881      0.536    
RSA 2028                  1         0.0003   
RSA 2047                  2         0.0006   
RSA 2048                  336774    95.961   
RSA 2056                  3         0.0009   
RSA 2058                  1         0.0003   
RSA 2060                  1         0.0003   
RSA 2064                  1         0.0003   
RSA 2080                  2         0.0006   
RSA 2084                  4         0.0011   
RSA 2408                  1         0.0003   
RSA 2432                  58        0.0165   
RSA 2536                  1         0.0003   
RSA 2612                  1         0.0003   
RSA 3050                  1         0.0003   
RSA 3072                  31        0.0088   
RSA 3073                  1         0.0003   
RSA 3248                  4         0.0011   
RSA 3600                  1         0.0003   
RSA 4042                  1         0.0003   
RSA 4046                  2         0.0006   
RSA 4048                  2         0.0006   
RSA 4086                  1         0.0003   
RSA 4092                  2         0.0006   
RSA 4096                  12167     3.4669   
RSA 4098                  2         0.0006   
RSA 4192                  1         0.0003   
RSA 8192                  1         0.0003   
RSA/ECDSA Dual Stack      9197      2.6206

OCSP stapling             Count     Percent 
-------------------------+---------+--------
Supported                 52153     14.8606  
Unsupported               298796    85.1394  

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      1         0.0003
SSL3                      346615    98.7651
SSL3 Only                 3485      0.993
SSL3 or TLS1 Only         145785    41.5402
TLS1                      346981    98.8694
TLS1 Only                 1030      0.2935
TLS1.1                    190351    54.2389
TLS1.1 Only               5         0.0014
TLS1.1 or up Only         29        0.0083
TLS1.2                    201166    57.3206
TLS1.2 Only               14        0.004
TLS1.2, 1.0 but not 1.1   14702     4.1892

Scan performed between 10th and 24th June 2014.

May 2014 scan results – SNI enabled

I have extended the cipherscan tool I use for scanning to use SNI for communicating with the servers, tweaked the order of cipher suites so that Google servers negotiate ECDSA cipher suites, and also made it collect additional data like OCSP stapling support or TLS session ticket hints.

This makes these results a bit different from the previously published results for May.

SSL/TLS survey of 349511 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      304525    87.1289
3DES Only                 132       0.0378
AES                       327024    93.5662
AES Only                  896       0.2564
AES-CBC Only              610       0.1745
AES-GCM                   132866    38.0148
AES-GCM Only              5         0.0014
CAMELLIA                  139004    39.771
CAMELLIA Only             2         0.0006
CHACHA20                  16551     4.7355
CHACHA20 Only             1         0.0003
RC4                       310624    88.8739
RC4 Only                  4173      1.194
RC4 Preferred             66086     18.9081
RC4 forced in TLS1.1+     42640     12.1999
z:ADH-AES128-GCM-SHA256   312       0.0893
z:ADH-AES128-SHA          1380      0.3948
z:ADH-AES128-SHA256       293       0.0838
z:ADH-AES256-GCM-SHA384   297       0.085
z:ADH-AES256-SHA          1382      0.3954
z:ADH-AES256-SHA256       296       0.0847
z:ADH-CAMELLIA128-SHA     725       0.2074
z:ADH-CAMELLIA256-SHA     731       0.2091
z:ADH-DES-CBC-SHA         766       0.2192
z:ADH-DES-CBC3-SHA        1446      0.4137
z:ADH-RC4-MD5             1303      0.3728
z:ADH-SEED-SHA            622       0.178
z:AECDH-AES128-SHA        9402      2.69
z:AECDH-AES256-SHA        9405      2.6909
z:AECDH-DES-CBC3-SHA      9378      2.6832
z:AECDH-NULL-SHA          19        0.0054
z:AECDH-RC4-SHA           8953      2.5616
z:DES-CBC-SHA             68469     19.5899
z:DHE-RSA-SEED-SHA        57227     16.3734
z:ECDHE-RSA-NULL-SHA      22        0.0063
z:EDH-RSA-DES-CBC-SHA     52676     15.0713
z:EXP-ADH-DES-CBC-SHA     470       0.1345
z:EXP-ADH-RC4-MD5         473       0.1353
z:EXP-DES-CBC-SHA         56608     16.1963
z:EXP-EDH-RSA-DES-CBC-SHA 37766     10.8054
z:EXP-RC2-CBC-MD5         53602     15.3363
z:IDEA-CBC-SHA            60579     17.3325
z:NULL-MD5                350       0.1001
z:NULL-SHA                345       0.0987
z:NULL-SHA256             18        0.0052
z:SEED-SHA                71590     20.4829

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1502      0.4297
AECDH                     9435      2.6995
DHE                       168752    48.2823
ECDHE                     153342    43.8733
ECDHE and DHE             50336     14.4018
RSA                       349257    99.9273

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               157223    44.9837  93.1681
DH,2048bits               10153     2.9049   6.0165
DH,3072bits               5         0.0014   0.003
DH,3248bits               4         0.0011   0.0024
DH,4096bits               513       0.1468   0.304
DH,512bits                37886     10.8397  22.4507
DH,768bits                733       0.2097   0.4344
DH,8192bits               2         0.0006   0.0012
ECDH,B-163,163bits        3         0.0009   0.002
ECDH,B-571,570bits        328       0.0938   0.2139
ECDH,P-224,224bits        4         0.0011   0.0026
ECDH,P-256,256bits        152376    43.5969  99.37
ECDH,P-384,384bits        165       0.0472   0.1076
ECDH,P-521,521bits        532       0.1522   0.3469
Prefer DH,1024bits        105105    30.072   62.2837
Prefer DH,2048bits        2396      0.6855   1.4198
Prefer DH,4096bits        36        0.0103   0.0213
Prefer DH,512bits         1         0.0003   0.0006
Prefer DH,768bits         82        0.0235   0.0486
Prefer ECDH,B-163,163bits 3         0.0009   0.002
Prefer ECDH,B-571,570bits 259       0.0741   0.1689
Prefer ECDH,P-224,224bits 2         0.0006   0.0013
Prefer ECDH,P-256,256bits 109734    31.3964  71.5616
Prefer ECDH,P-384,384bits 105       0.03     0.0685
Prefer ECDH,P-521,521bits 479       0.137    0.3124
Prefer PFS                218202    62.4307  0
Support PFS               271758    77.7538  0

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
5                         1         0.0003   
5 only                    1         0.0003   
10                        2         0.0006   
10 only                   2         0.0006   
30                        1         0.0003   
30 only                   1         0.0003   
42                        1         0.0003   
60                        11        0.0031   
60 only                   6         0.0017   
120                       3         0.0009   
120 only                  3         0.0009   
128                       1         0.0003   
128 only                  1         0.0003   
180                       20        0.0057   
180 only                  20        0.0057   
300                       122495    35.0475  
300 only                  108193    30.9555  
420                       6         0.0017   
420 only                  6         0.0017   
480                       4         0.0011   
480 only                  4         0.0011   
600                       4448      1.2726   
600 only                  4329      1.2386   
900                       120       0.0343   
900 only                  106       0.0303   
960                       1         0.0003   
960 only                  1         0.0003   
1200                      49        0.014    
1200 only                 49        0.014    
1500                      6         0.0017   
1500 only                 6         0.0017   
1800                      82        0.0235   
1800 only                 78        0.0223   
3000                      3         0.0009   
3000 only                 2         0.0006   
3600                      157       0.0449   
3600 only                 154       0.0441   
5400                      1         0.0003   
6000                      1         0.0003   
6000 only                 1         0.0003   
7200                      10327     2.9547   
7200 only                 1603      0.4586   
10800                     5         0.0014   
10800 only                2         0.0006   
14400                     573       0.1639   
14400 only                573       0.1639   
18000                     2         0.0006   
21600                     22        0.0063   
21600 only                22        0.0063   
28800                     5         0.0014   
28800 only                5         0.0014   
36000                     545       0.1559   
36000 only                532       0.1522   
43200                     6516      1.8643   
43200 only                6511      1.8629   
64800                     8477      2.4254   
64800 only                8465      2.422    
86000                     30        0.0086   
86000 only                30        0.0086   
86400                     3573      1.0223   
86400 only                3541      1.0131   
100800                    16555     4.7366   
100800 only               7         0.002    
115200                    1         0.0003   
115200 only               1         0.0003   
129600                    6         0.0017   
129600 only               6         0.0017   
864000                    6         0.0017   
864000 only               6         0.0017   
None                      215218    61.5769  
None only                 175481    50.2076  

Certificate sig alg     Count     Percent 
-------------------------+---------+--------
None                      10888     3.1152   
ecdsa-with-SHA256         1         0.0003   
sha1WithRSAEncryption     310881    88.9474  
sha256WithRSAEncryption   38640     11.0554  

Certificate key size    Count     Percent 
-------------------------+---------+--------
ECDSA 256                 9306      2.6626   
ECDSA 384                 1         0.0003   
RSA 1024                  1928      0.5516   
RSA 2028                  1         0.0003   
RSA 2047                  2         0.0006   
RSA 2048                  335355    95.9498  
RSA 2056                  3         0.0009   
RSA 2060                  1         0.0003   
RSA 2064                  1         0.0003   
RSA 2080                  2         0.0006   
RSA 2084                  4         0.0011   
RSA 2408                  2         0.0006   
RSA 2432                  70        0.02     
RSA 2536                  1         0.0003   
RSA 2612                  1         0.0003   
RSA 3050                  1         0.0003   
RSA 3072                  29        0.0083   
RSA 3073                  1         0.0003   
RSA 3248                  4         0.0011   
RSA 3600                  1         0.0003   
RSA 4042                  1         0.0003   
RSA 4046                  2         0.0006   
RSA 4048                  2         0.0006   
RSA 4069                  1         0.0003   
RSA 4086                  1         0.0003   
RSA 4092                  1         0.0003   
RSA 4096                  12095     3.4605   
RSA 4098                  1         0.0003   
RSA 4192                  1         0.0003   
RSA 8192                  3         0.0009
RSA 16384                 1         0.0003
RSA/ECDSA Dual Stack      9305      2.6623

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 51404     14.7074
Unsupported               298107    85.2926

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      1         0.0003
SSL3                      345529    98.8607
SSL3 Only                 4396      1.2578
SSL3 or TLS1 Only         150360    43.0201
TLS1                      344639    98.6061
TLS1 Only                 1149      0.3287
TLS1.1                    185720    53.1371
TLS1.1 Only               4         0.0011
TLS1.1 or up Only         26        0.0074
TLS1.2                    194572    55.6698
TLS1.2 Only               17        0.0049
TLS1.2, 1.0 but not 1.1   13324     3.8122 

The scan was performed between 16th and 25th of May 2014.

YouTube, now with less RC4

After everybody said not to use RC4 any more, Google finally enabled one additional cipher on Google video servers: TLS_RSA_WITH_AES_128_GCM_SHA256. Unfortunately, this cipher is supported neither by Firefox 30 nor by Internet Explorer on Windows 8.1 or earlier.

Users of Firefox will have to wait for bug 1029179 to be fixed.

This cipher is, however, supported by Google Chrome and Chromium, so if you're a user of those browsers, you can finally disable RC4 for everyday browsing. You can do it either by creating a wrapper script or by modifying the shortcut you use to run those browsers so that it passes one additional option:

chrome --cipher-suite-blacklist=0x0003,0x0004,0x0005,0x0017,0x0018,0x0020,0x0024,0x0028,0x002B,0x0066,0x008A,0x008E,0x0092,0xC002,0xC007,0xC00C,0xC011,0xC016,0xC033

This will disable the following cipher suites:

  • 0x0003 – TLS_RSA_EXPORT_WITH_RC4_40_MD5
  • 0x0004 – TLS_RSA_WITH_RC4_128_MD5
  • 0x0005 – TLS_RSA_WITH_RC4_128_SHA
  • 0x0017 – TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
  • 0x0018 – TLS_DH_anon_WITH_RC4_128_MD5
  • 0x0020 – TLS_KRB5_WITH_RC4_128_SHA
  • 0x0024 – TLS_KRB5_WITH_RC4_128_MD5
  • 0x0028 – TLS_KRB5_EXPORT_WITH_RC4_40_SHA
  • 0x002B – TLS_KRB5_EXPORT_WITH_RC4_40_MD5
  • 0x0066 – SSL_DHE_DSS_WITH_RC4_128_SHA
  • 0x008A – TLS_PSK_WITH_RC4_128_SHA
  • 0x008E – TLS_DHE_PSK_WITH_RC4_128_SHA
  • 0x0092 – TLS_RSA_PSK_WITH_RC4_128_SHA
  • 0xC002 – TLS_ECDH_ECDSA_WITH_RC4_128_SHA
  • 0xC007 – TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  • 0xC00C – TLS_ECDH_RSA_WITH_RC4_128_SHA
  • 0xC011 – TLS_ECDHE_RSA_WITH_RC4_128_SHA
  • 0xC016 – TLS_ECDH_anon_WITH_RC4_128_SHA
  • 0xC033 – TLS_ECDHE_PSK_WITH_RC4_128_SHA

While setting all of them is not necessary, as some of them are not supported by the currently used NSS, that may change in the future, so… better safe than sorry.

After starting the browser with these new settings, head over to a test site run by Leibniz University Hannover, or the other one run by Qualys, and double-check that no RC4 ciphers are offered by your browser.
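The same check can be done offline against a captured ClientHello record. The following is an added example, not code from the original post: it parses the cipher suite list out of a raw TLS record and reports any ID that appears in the blacklist above. The function names and the sample ClientHello bytes are constructed for illustration.

```python
import struct

# The exact value given to --cipher-suite-blacklist on this page.
BLACKLIST = ("0x0003,0x0004,0x0005,0x0017,0x0018,0x0020,0x0024,0x0028,0x002B,0x0066,"
             "0x008A,0x008E,0x0092,0xC002,0xC007,0xC00C,0xC011,0xC016,0xC033")
RC4_IDS = {int(x, 16) for x in BLACKLIST.split(",")}


def client_hello_suites(record: bytes) -> list:
    """Return the cipher suite IDs offered in one TLS record holding a ClientHello."""
    try:
        rtype, _version, rlen = struct.unpack("!BHH", record[:5])
        body = record[5:5 + rlen]
        if rtype != 0x16 or len(body) != rlen or body[0] != 0x01:
            raise ValueError("not a complete ClientHello handshake record")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                   # skip client_version and random
        pos += 1 + hello[pos]          # skip the variable-length session_id
        (slen,) = struct.unpack_from("!H", hello, pos)
        raw = hello[pos + 2:pos + 2 + slen]
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    if slen == 0 or slen % 2 or len(raw) != slen:
        raise ValueError("malformed cipher_suites vector")
    return [suite for (suite,) in struct.iter_unpack("!H", raw)]


def offered_rc4(record: bytes) -> list:
    """Hex IDs of offered suites that the blacklist should have removed."""
    return [f"0x{s:04X}" for s in client_hello_suites(record) if s in RC4_IDS]


def build_hello(suites) -> bytes:
    """Constructed test input: minimal ClientHello, zero random, no extensions."""
    vec = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + struct.pack("!H", len(vec)) + vec + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed offers: 0xC02F/0x009C are AES-GCM suites, 0x000A is 3DES.
    print(offered_rc4(build_hello([0xC02F, 0xC011, 0x009C, 0x0005, 0x000A])))
    print(offered_rc4(build_hello([0xC02F, 0x009C, 0x000A])))
```

An empty result means none of the blacklisted RC4 suites were offered in that ClientHello.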

Mozilla recommends disabling RC4

Mozilla currently recommends using 3DES ciphers instead of RC4 for backwards compatibility with very old systems like Android 2 or Internet Explorer on Windows XP.

The current recommendation comes after similar recommendations from the researchers who discovered the most recent flaws in RC4, from Cisco, from Microsoft and their proposal to the IETF, as well as from Qualys and Bruce Schneier.

The message is clear: don’t use RC4.

If you have for some reason followed the Mozilla guide, you don't have to use this insecure, nearly 30-year-old cipher any more. While you're changing the cipher suite defaults, consider also updating to a Perfect Forward Secrecy capable configuration.