July 2014 scan results

This month’s scan results are a bit later than previous ones, this was caused by me working on code to compile statistics of the certificates used by Certificate Authorities (see further below for results of this part of the scan). The state of TLS and crypto in general in python didn’t help much, but that’s a topic for another post, for now I can direct you to the very good presentation by Hynek Schlawack: The Sorry State Of SSL (the python specific part is towards the end).

Ciphersuites

All in all, the results haven’t changed much. We can see the continuation of the downward trend for RC4 Only servers, the unfortunate upwards trend of servers that prefer RC4 but support other ciphers and the very good trend of SHA256 certificate signatures.

The new addition are the “x:FF 29” lines that account for situations for which Firefox cipher selection (advertised support) causes it to negotiate different cipher suites than OpenSSL would negotiate. In other words, for Firefox, the percent of servers that are RC4 only is around 2.6% and servers which prefer RC4 but support other ciphers is at around 21.8%.

It also looks like many people that update their servers/OpenSSL, don’t update their cipher strings, which makes servers that used “!ADH” in cipher string negotiate AECDH cipher suites (to prevent it from them doing that, you should use “!aNULL” which will disable all anonymous cipher suites, present and future, head over to Mozilla guide for more details). The amount of them has grown from 2.9% to 3.3%.

Amount of servers that support PFS haven’t changed, as well as the PFS mechanisms they support.

We also see continuation of the trend of SHA256 signatures in certificates, it has grown from 11.9% to 12.7%.

Used key sizes haven’t changed much.

Surprisingly the amount of servers that support OCSP stapling has dramatically decreased, from 14.9% to 10.1%. I have no explanation for that.

The percentage of servers that support only SSL3 or TLS1 has dropped from 41.5% to 30%, but this is likely caused by the reintroduction of proper SSLv2 fingerprinting rather than changed configurations as the amount of servers that support TLS1.1 or TLS1.2 haven’t changed to match. Previous months’ low percentage of SSLv2 servers was caused by a bug in scanning script that made it impossible to correctly detect most SSLv2 sites.

SSL/TLS survey of 393337 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      344071    87.4749
3DES Only                 152       0.0386
AES                       364726    92.7261
AES Only                  879       0.2235
AES-CBC Only              510       0.1297
AES-GCM                   156262    39.7273
AES-GCM Only              6         0.0015
CAMELLIA                  161308    41.0101
CHACHA20                  15543     3.9516
RC4                       350784    89.1815
RC4 Only                  3734      0.9493
RC4 Preferred             69540     17.6795
RC4 forced in TLS1.1+     45989     11.692
x:FF 29 RC4 Only          6429      1.6345
x:FF 29 RC4 Preferred     16265     4.1351
x:FF 29 incompatible      103       0.0262
z:ADH-AES128-GCM-SHA256   351       0.0892
z:ADH-AES128-SHA          1439      0.3658
z:ADH-AES128-SHA256       325       0.0826
z:ADH-AES256-GCM-SHA384   337       0.0857
z:ADH-AES256-SHA          1445      0.3674
z:ADH-AES256-SHA256       330       0.0839
z:ADH-CAMELLIA128-SHA     722       0.1836
z:ADH-CAMELLIA256-SHA     733       0.1864
z:ADH-DES-CBC-SHA         723       0.1838
z:ADH-DES-CBC3-SHA        1496      0.3803
z:ADH-RC4-MD5             1326      0.3371
z:ADH-SEED-SHA            587       0.1492
z:AECDH-AES128-SHA        13159     3.3455
z:AECDH-AES256-SHA        13161     3.346
z:AECDH-DES-CBC3-SHA      13122     3.3361
z:AECDH-NULL-SHA          14        0.0036
z:AECDH-RC4-SHA           12264     3.1179
z:DES-CBC-MD5             27892     7.0911
z:DES-CBC-SHA             76809     19.5275
z:DHE-RSA-SEED-SHA        68828     17.4985
z:ECDHE-RSA-NULL-SHA      17        0.0043
z:EDH-RSA-DES-CBC-SHA     61870     15.7295
z:EXP-ADH-DES-CBC-SHA     469       0.1192
z:EXP-ADH-RC4-MD5         473       0.1203
z:EXP-DES-CBC-SHA         62566     15.9065
z:EXP-EDH-RSA-DES-CBC-SHA 44087     11.2085
z:EXP-RC2-CBC-MD5         67561     17.1764
z:IDEA-CBC-MD5            10575     2.6885
z:IDEA-CBC-SHA            70335     17.8816
z:NULL-MD5                339       0.0862
z:NULL-SHA                337       0.0857
z:NULL-SHA256             6         0.0015
z:RC2-CBC-MD5             38543     9.799
z:SEED-SHA                83026     21.1081

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               183896    46.7528
Server side               209441    53.2472

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1562      0.3971
AECDH                     13188     3.3529
DHE                       198612    50.4941
ECDH                      1         0.0003
ECDHE                     175607    44.6454
ECDHE and DHE             67049     17.0462
RSA                       393014    99.9179

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               183927    46.7607  92.6062
DH,2048bits               13134     3.3391   6.6129
DH,2226bits               2         0.0005   0.001
DH,3072bits               4         0.001    0.002
DH,3248bits               4         0.001    0.002
DH,4096bits               620       0.1576   0.3122
DH,512bits                44238     11.2468  22.2736
DH,768bits                771       0.196    0.3882
DH,8192bits               1         0.0003   0.0005
ECDH,B-163,163bits        16        0.0041   0.0091
ECDH,B-571,570bits        392       0.0997   0.2232
ECDH,P-224,224bits        4         0.001    0.0023
ECDH,P-256,256bits        174312    44.3162  99.2626
ECDH,P-384,384bits        207       0.0526   0.1179
ECDH,P-521,521bits        764       0.1942   0.4351
Prefer DH,1024bits        117558    29.8873  59.1898
Prefer DH,2048bits        1721      0.4375   0.8665
Prefer DH,4096bits        54        0.0137   0.0272
Prefer DH,512bits         2         0.0005   0.001
Prefer DH,768bits         87        0.0221   0.0438
Prefer ECDH,B-163,163bits 16        0.0041   0.0091
Prefer ECDH,B-571,570bits 304       0.0773   0.1731
Prefer ECDH,P-224,224bits 1         0.0003   0.0006
Prefer ECDH,P-256,256bits 126826    32.2436  72.2215
Prefer ECDH,P-384,384bits 135       0.0343   0.0769
Prefer ECDH,P-521,521bits 699       0.1777   0.398
Prefer PFS                247403    62.8985  0
Support PFS               307170    78.0933  0

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
5                         2         0.0005   
5 only                    2         0.0005   
10                        2         0.0005   
30                        1         0.0003   
30 only                   1         0.0003   
60                        15        0.0038   
60 only                   10        0.0025   
120                       7         0.0018   
120 only                  6         0.0015   
128                       5         0.0013   
128 only                  5         0.0013   
180                       24        0.0061   
180 only                  24        0.0061   
240                       7         0.0018   
240 only                  7         0.0018   
300                       145958    37.1076  
300 only                  127245    32.3501  
420                       12        0.0031   
420 only                  10        0.0025   
480                       6         0.0015   
480 only                  6         0.0015   
600                       6491      1.6502   
600 only                  6280      1.5966   
900                       188       0.0478   
900 only                  158       0.0402   
960                       2         0.0005   
960 only                  2         0.0005   
1200                      54        0.0137   
1200 only                 52        0.0132   
1500                      12        0.0031   
1500 only                 11        0.0028   
1800                      121       0.0308   
1800 only                 116       0.0295   
2400                      1         0.0003   
2400 only                 1         0.0003   
2700                      1         0.0003   
2700 only                 1         0.0003   
3000                      5         0.0013   
3000 only                 4         0.001    
3600                      239       0.0608   
3600 only                 235       0.0597   
5400                      2         0.0005   
6000                      1         0.0003   
6000 only                 1         0.0003   
7200                      10678     2.7147   
7200 only                 1678      0.4266   
10800                     7         0.0018   
10800 only                3         0.0008   
14400                     650       0.1653   
14400 only                650       0.1653   
18000                     1         0.0003   
18000 only                1         0.0003   
21600                     27        0.0069   
21600 only                27        0.0069   
28800                     5         0.0013   
28800 only                5         0.0013   
30720                     1         0.0003   
30720 only                1         0.0003   
36000                     477       0.1213   
36000 only                477       0.1213   
43200                     6420      1.6322   
43200 only                6420      1.6322   
64800                     9211      2.3418   
64800 only                9208      2.341    
86000                     28        0.0071   
86000 only                26        0.0066   
86400                     4228      1.0749   
86400 only                4223      1.0736   
100800                    15552     3.9539   
100800 only               11        0.0028   
115200                    1         0.0003   
115200 only               1         0.0003   
129600                    7         0.0018   
129600 only               7         0.0018   
864000                    6         0.0015   
864000 only               6         0.0015   
None                      236414    60.1047  
None only                 192884    49.0378  

Certificate sig alg     Count     Percent 
-------------------------+---------+--------
None                      14656     3.7261   
sha1WithRSAEncryption     343217    87.2577  
sha256WithRSAEncryption   50153     12.7506  

Certificate key size    Count     Percent 
-------------------------+---------+--------
ECDSA 256                 8717      2.2162   
RSA 1024                  1894      0.4815   
RSA 2028                  1         0.0003   
RSA 2047                  1         0.0003   
RSA 2048                  377818    96.0545  
RSA 2049                  1         0.0003   
RSA 2056                  5         0.0013   
RSA 2058                  1         0.0003   
RSA 2060                  1         0.0003   
RSA 2064                  1         0.0003
RSA 2080                  2         0.0005
RSA 2084                  5         0.0013
RSA 2408                  3         0.0008
RSA 2432                  48        0.0122
RSA 2536                  1         0.0003
RSA 2612                  1         0.0003
RSA 3050                  1         0.0003
RSA 3072                  40        0.0102
RSA 3120                  1         0.0003
RSA 3248                  3         0.0008
RSA 3600                  1         0.0003
RSA 4042                  1         0.0003
RSA 4046                  2         0.0005
RSA 4048                  2         0.0005
RSA 4086                  1         0.0003
RSA 4092                  2         0.0005
RSA 4096                  13502     3.4327
RSA 4098                  3         0.0008
RSA 4192                  1         0.0003
RSA 8192                  5         0.0013
RSA 16384                 1         0.0003   
RSA/ECDSA Dual Stack      8714      2.2154

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 39893     10.1422
Unsupported               353444    89.8578

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      56197     14.2872
SSL2 Only                 6140      1.561
SSL3                      377423    95.9541
SSL3 Only                 3710      0.9432
SSL3 or TLS1 Only         118014    30.0033
TLS1                      382682    97.2911
TLS1 Only                 2707      0.6882
TLS1.1                    212833    54.1096
TLS1.1 Only               7         0.0018
TLS1.1 or up Only         74        0.0188
TLS1.2                    223413    56.7994
TLS1.2 Only               34        0.0086
TLS1.2, 1.0 but not 1.1   14809     3.765

Survey was conducted between 11th and 19th of July 2014.

Certificate Authorities

The new addition to the data collected, were the certificates provided by the servers.

It looks like around 5% of Internet facing www servers have misconfigured certificate chains: they don’t provide the intermediate CA certificates that signed their certificate. Fortunately, because we now have collected them from other servers, we can try to validate them again using those additional certificates.

The bad news is that many CA certificates still use 1024 bit RSA keys (I’ve seen them in 1776 chains presented by servers, or 0.4% of all valid chains), including few root CAs in active use. The worse news is that the vast majority of chains still depend on SHA1 signatures, including the chains that use 4096 bit CA keys.

In effect, about 90% of trust chains still provide at most 80 bit level of security (SHA-1 or 1024 bit RSA key being the weakest link) and just 10% of servers present chains with 112 bit level of security (2048 bit RSA key being the weakest link). There were only 2 chains (out of 450 000) that reached the current best practice level of 128 bit level of security (SHA 256, ECDSA 256 bit or RSA 3072+ bits).

Also, the market share of CAs is quite diverse, the most dominant root CA was used in 26% of all chains collected.

Statistics from 445095 chains provided by 582719 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  359484    61.6908
incomplete                29543     5.0699
untrusted                 193692    33.2393

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         2414      0.5423
3                         434366    97.5895
4                         8292      1.863
5                         23        0.0052

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 2
ECDSA 384                 2
RSA 1024                  1788
RSA 2045                  1
RSA 2048                  877819
RSA 4096                  16502

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 2         0.0004
ECDSA 384                 2         0.0004
RSA 1024                  1776      0.399
RSA 2045                  1         0.0002
RSA 2048                  443399    99.619
RSA 4096                  16134     3.6248

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              2
sha1WithRSAEncryption          397615
sha256WithRSAEncryption        42654
sha384WithRSAEncryption        10748

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        398413    89.5119
112                       46680     10.4876
128                       2         0.0004

Most common root CAs                          Count     Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA                 119586    26.8675
(157753a5) AddTrust External CA Root          68556     15.4026
(5ad8a5d6) GlobalSign Root CA                 44275     9.9473
(2e4eed3c) thawte Primary Root CA             29162     6.5519
(f081611a) The Go Daddy Group, Inc.           28250     6.347
(cbf06781) Go Daddy Root Certificate Authorit 26503     5.9545
(b204d74a) VeriSign Class 3 Public Primary Ce 26474     5.9479
(244b5494) DigiCert High Assurance EV Root CA 18086     4.0634
(653b494a) Baltimore CyberTrust Root          16986     3.8163
(b13cc6df) UTN-USERFirst-Hardware             13183     2.9618
(40547a79) COMODO Certification Authority     10947     2.4595
(ae8153b9) StartCom Certification Authority   9048      2.0328
(f387163d) Starfield Technologies, Inc.       7516      1.6886
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s