August 2014 scan results

This month the changes are not significant.

The most important change is related to signatures in certificates, 2% more servers use SHA-256.

The amount of servers that require RC4 haven’t dropped as significantly as in previous months, it’s still just below 1% in general and effectively at above 1.5% for Firefox.

About 2% more servers use server side cipher ordering. Unfortunately, amount of servers that use anonymous ECDH key exchange is still growing, this month by 0.3%. Significant amount of servers still use the less than optimal 1024 bit DH – now at 29%.

While used hash algorithms for certificates have changed, the key sizes did not, the most popular key size, at 96% is 2048 bit RSA.

Supported protocol versions have seen small changes – SSLv2 support has fallen by around 2%, SSLv3 and TLSv1 haven’t changed by much, but started to drop, TLSv1.2 has grown by 1%.

SSL/TLS survey of 397695 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      345059    86.7647
3DES Only                 209       0.0526
AES                       369030    92.7922
AES Only                  1951      0.4906
AES-CBC Only              1030      0.259
AES-GCM                   162425    40.8416
AES-GCM Only              41        0.0103
CAMELLIA                  164197    41.2872
CAMELLIA Only             4         0.001
CHACHA20                  14719     3.7011
CHACHA20 Only             6         0.0015
RC4                       350479    88.1276
RC4 Only                  3807      0.9573
RC4 Preferred             74692     18.7812
RC4 forced in TLS1.1+     51533     12.9579
x:FF 29 RC4 Only          6327      1.5909
x:FF 29 RC4 Preferred     16784     4.2203
x:FF 29 incompatible      301       0.0757
z:ADH-AES128-GCM-SHA256   348       0.0875
z:ADH-AES128-SHA          1444      0.3631
z:ADH-AES128-SHA256       324       0.0815
z:ADH-AES256-GCM-SHA384   335       0.0842
z:ADH-AES256-SHA          1447      0.3638
z:ADH-AES256-SHA256       328       0.0825
z:ADH-CAMELLIA128-SHA     692       0.174
z:ADH-CAMELLIA256-SHA     699       0.1758
z:ADH-DES-CBC-SHA         699       0.1758
z:ADH-DES-CBC3-SHA        1490      0.3747
z:ADH-RC4-MD5             1297      0.3261
z:ADH-SEED-SHA            514       0.1292
z:AECDH-AES128-SHA        14496     3.645
z:AECDH-AES256-SHA        14533     3.6543
z:AECDH-DES-CBC3-SHA      14471     3.6387
z:AECDH-NULL-SHA          22        0.0055
z:AECDH-RC4-SHA           13603     3.4205
z:DES-CBC-MD5             26778     6.7333
z:DES-CBC-SHA             69202     17.4008
z:DHE-RSA-SEED-SHA        70054     17.615
z:ECDHE-RSA-NULL-SHA      25        0.0063
z:EDH-RSA-DES-CBC-SHA     60963     15.3291
z:EXP-ADH-DES-CBC-SHA     489       0.123
z:EXP-ADH-RC4-MD5         493       0.124
z:EXP-DES-CBC-SHA         54942     13.8151
z:EXP-EDH-RSA-DES-CBC-SHA 43030     10.8198
z:EXP-RC2-CBC-MD5         59737     15.0208
z:IDEA-CBC-MD5            4021      1.0111
z:IDEA-CBC-SHA            64231     16.1508
z:NULL-MD5                353       0.0888
z:NULL-SHA                351       0.0883
z:NULL-SHA256             7         0.0018
z:RC2-CBC-MD5             30955     7.7836
z:SEED-SHA                83118     20.8999

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               177721    44.6878
Server side               219974    55.3122

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1555      0.391
AECDH                     14564     3.6621
DHE                       202555    50.9322
ECDHE                     184261    46.3322
ECDHE and DHE             73679     18.5265
RSA                       396177    99.6183

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               186744    46.9566  92.1942
DH,2048bits               14169     3.5628   6.9951
DH,2226bits               2         0.0005   0.001
DH,3072bits               4         0.001    0.002
DH,3242bits               1         0.0003   0.0005
DH,3248bits               2         0.0005   0.001
DH,4096bits               703       0.1768   0.3471
DH,512bits                43198     10.8621  21.3266
DH,768bits                759       0.1908   0.3747
DH,8192bits               2         0.0005   0.001
ECDH,B-163,163bits        13        0.0033   0.0071
ECDH,B-571,570bits        398       0.1001   0.216
ECDH,P-224,224bits        4         0.001    0.0022
ECDH,P-256,256bits        182896    45.989   99.2592
ECDH,P-384,384bits        232       0.0583   0.1259
ECDH,P-521,521bits        821       0.2064   0.4456
Prefer DH,1024bits        115759    29.1075  57.1494
Prefer DH,2048bits        1154      0.2902   0.5697
Prefer DH,4096bits        50        0.0126   0.0247
Prefer DH,512bits         2         0.0005   0.001
Prefer DH,768bits         87        0.0219   0.043
Prefer ECDH,B-163,163bits 13        0.0033   0.0071
Prefer ECDH,B-571,570bits 318       0.08     0.1726
Prefer ECDH,P-224,224bits 1         0.0003   0.0005
Prefer ECDH,P-256,256bits 134334    33.7781  72.9042
Prefer ECDH,P-384,384bits 157       0.0395   0.0852
Prefer ECDH,P-521,521bits 749       0.1883   0.4065
Prefer PFS                252624    63.522   0
Support PFS               313137    78.738   0

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
5                         1         0.0003   
5 only                    1         0.0003   
10                        3         0.0008   
10 only                   1         0.0003   
30                        2         0.0005   
30 only                   2         0.0005   
42                        1         0.0003   
60                        46        0.0116   
60 only                   41        0.0103   
100                       4         0.001    
100 only                  4         0.001    
120                       10        0.0025   
120 only                  10        0.0025   
128                       4         0.001    
128 only                  4         0.001    
180                       29        0.0073   
180 only                  29        0.0073   
240                       4         0.001    
240 only                  4         0.001    
300                       155200    39.0249  
300 only                  135627    34.1033  
420                       19        0.0048   
420 only                  10        0.0025   
480                       6         0.0015   
480 only                  6         0.0015   
600                       6888      1.732    
600 only                  6597      1.6588   
900                       216       0.0543   
900 only                  190       0.0478   
960                       2         0.0005   
960 only                  2         0.0005   
1200                      60        0.0151   
1200 only                 57        0.0143   
1500                      9         0.0023   
1500 only                 8         0.002    
1800                      123       0.0309   
1800 only                 120       0.0302   
2100                      1         0.0003   
2100 only                 1         0.0003   
2400                      1         0.0003   
2400 only                 1         0.0003   
2700                      2         0.0005   
2700 only                 2         0.0005   
3000                      5         0.0013   
3000 only                 4         0.001    
3600                      234       0.0588   
3600 only                 227       0.0571   
5400                      2         0.0005   
6000                      1         0.0003   
6000 only                 1         0.0003   
7200                      10748     2.7026   
7200 only                 8222      2.0674   
10800                     11        0.0028   
10800 only                6         0.0015   
14400                     722       0.1815   
14400 only                716       0.18     
18000                     1         0.0003   
21600                     26        0.0065   
21600 only                26        0.0065   
28800                     3         0.0008   
28800 only                3         0.0008   
30720                     1         0.0003   
30720 only                1         0.0003   
36000                     402       0.1011   
36000 only                399       0.1003   
43200                     6311      1.5869   
43200 only                6224      1.565    
64800                     9640      2.424    
64800 only                9602      2.4144   
86000                     32        0.008    
86000 only                29        0.0073   
86400                     92        0.0231   
86400 only                85        0.0214   
100800                    14758     3.7109   
100800 only               57        0.0143   
115200                    1         0.0003   
115200 only               1         0.0003   
129600                    7         0.0018   
129600 only               6         0.0015   
604800                    1         0.0003   
604800 only               1         0.0003   
864000                    6         0.0015   
864000 only               6         0.0015   
None                      229357    57.6716  
None only                 192066    48.2948  

Certificate sig alg     Count     Percent 
-------------------------+---------+--------
None                      15912     4.0011   
ecdsa-with-SHA256         3         0.0008   
sha1WithRSAEncryption     338957    85.2304  
sha256WithRSAEncryption   58772     14.7782  

Certificate key size    Count     Percent 
-------------------------+---------+--------
ECDSA 256                 8235      2.0707   
ECDSA 384                 1         0.0003   
RSA 1024                  1880      0.4727   
RSA 2028                  1         0.0003   
RSA 2047                  2         0.0005   
RSA 2048                  381923    96.0341  
RSA 2056                  5         0.0013   
RSA 2058                  1         0.0003   
RSA 2060                  1         0.0003   
RSA 2064                  1         0.0003
RSA 2080                  2         0.0005
RSA 2084                  5         0.0013
RSA 2408                  3         0.0008
RSA 2432                  28        0.007
RSA 2536                  1         0.0003
RSA 2612                  1         0.0003
RSA 3050                  1         0.0003
RSA 3072                  37        0.0093
RSA 3096                  1         0.0003
RSA 3248                  4         0.001
RSA 3600                  1         0.0003
RSA 4042                  1         0.0003
RSA 4046                  2         0.0005
RSA 4048                  2         0.0005
RSA 4086                  1         0.0003
RSA 4092                  2         0.0005
RSA 4096                  13721     3.4501
RSA 4098                  3         0.0008
RSA 4192                  1         0.0003
RSA 8192                  6         0.0015
RSA 16384                 1         0.0003   
RSA/ECDSA Dual Stack      8153      2.0501

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 41610     10.4628
Unsupported               356085    89.5372

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      48288     12.142
SSL2 Only                 6029      1.516
SSL3                      379667    95.4669
SSL3 Only                 4125      1.0372
SSL3 or TLS1 Only         117512    29.5483
TLS1                      385363    96.8991
TLS1 Only                 3015      0.7581
TLS1.1                    218025    54.8222
TLS1.1 Only               37        0.0093
TLS1.1 or up Only         709       0.1783
TLS1.2                    229097    57.6062
TLS1.2 Only               374       0.094
TLS1.2, 1.0 but not 1.1   15264     3.8381

Scan performed between 8th and 19th of August 2014.

CA certificates

No big changes here either, about 2% of servers more now have effective security level of 112 bit.
We’ve yet to see the effects of the recent changes in Mozilla trust store.

Statistics from 443385 chains provided by 585568 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  365544    62.4255
incomplete                29700     5.072
untrusted                 190324    32.5025

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         2394      0.5399
3                         431592    97.3402
4                         9378      2.1151
5                         21        0.0047

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 3         
ECDSA 384                 3         
RSA 1024                  1733      
RSA 2045                  1         
RSA 2048                  874329    
RSA 4096                  17727     

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 3         0.0007
ECDSA 384                 3         0.0007
RSA 1024                  1723      0.3886
RSA 2045                  1         0.0002
RSA 2048                  441708    99.6218
RSA 4096                  17345     3.912

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              3         
sha1WithRSAEncryption          387560    
sha256WithRSAEncryption        50026     
sha384WithRSAEncryption        12822     

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        388390    87.5966
112                       54992     12.4028
128                       3         0.0007

Root CAs                                      Count     Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA                 115908    26.1416
(157753a5) AddTrust External CA Root          69723     15.7252
(5ad8a5d6) GlobalSign Root CA                 44630     10.0657
(2e4eed3c) thawte Primary Root CA             29574     6.67
(cbf06781) Go Daddy Root Certificate Authorit 28151     6.3491
(f081611a) The Go Daddy Group, Inc.           26956     6.0796
(b204d74a) VeriSign Class 3 Public Primary Ce 26596     5.9984
(244b5494) DigiCert High Assurance EV Root CA 22613     5.1001
(b13cc6df) UTN-USERFirst-Hardware             12983     2.9282
(40547a79) COMODO Certification Authority     11362     2.5626
(653b494a) Baltimore CyberTrust Root          10593     2.3891
(ae8153b9) StartCom Certification Authority   9134      2.0601
(f387163d) Starfield Technologies, Inc.       7934      1.7894
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s