Month: September 2014

Scan results for September 2014

Ciphers

This time the results are not much different from last month’s. About two percent more servers use SHA-256 signed certificates, and 1% more have a configuration that allows negotiation of PFS suites.

A small change to the reported results: I’ve added an “Insecure” entry, which counts the servers that will use a completely insecure cipher suite such as single DES, RC2 or export-grade ciphers. It doesn’t include the “controversial but not broken” IDEA and SEED ciphers.

SSL/TLS survey of 402742 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      349454    86.7687
3DES Only                 164       0.0407
AES                       374868    93.0789
AES Only                  1017      0.2525
AES-CBC Only              553       0.1373
AES-GCM                   172322    42.7872
AES-GCM Only              7         0.0017
CAMELLIA                  170577    42.3539
CHACHA20                  15137     3.7585
Insecure                  79666     22.9405
RC4                       355750    88.332
RC4 Only                  3845      0.9547
RC4 Preferred             71713     17.8062
RC4 forced in TLS1.1+     50461     12.5294
x:FF 29 RC4 Only          5961      1.4801
x:FF 29 RC4 Preferred     15338     3.8084
x:FF 29 incompatible      165       0.041
y:DHE-RSA-SEED-SHA        75372     18.7147
y:IDEA-CBC-MD5            4020      0.9982
y:IDEA-CBC-SHA            67863     16.8502
y:SEED-SHA                87504     21.7271
z:ADH-AES128-GCM-SHA256   358       0.0889
z:ADH-AES128-SHA          1346      0.3342
z:ADH-AES128-SHA256       333       0.0827
z:ADH-AES256-GCM-SHA384   344       0.0854
z:ADH-AES256-SHA          1349      0.335
z:ADH-AES256-SHA256       336       0.0834
z:ADH-CAMELLIA128-SHA     697       0.1731
z:ADH-CAMELLIA256-SHA     705       0.1751
z:ADH-DES-CBC-SHA         666       0.1654
z:ADH-DES-CBC3-SHA        1395      0.3464
z:ADH-RC4-MD5             1196      0.297
z:ADH-SEED-SHA            433       0.1075
z:AECDH-AES128-SHA        15360     3.8139
z:AECDH-AES256-SHA        15366     3.8153
z:AECDH-DES-CBC3-SHA      15329     3.8062
z:AECDH-NULL-SHA          20        0.005
z:AECDH-RC4-SHA           14410     3.578
z:DES-CBC-MD5             26107     6.4823
z:DES-CBC-SHA             69455     17.2455
z:ECDHE-RSA-NULL-SHA      25        0.0062
z:EDH-RSA-DES-CBC-SHA     61413     15.2487
z:EXP-ADH-DES-CBC-SHA     474       0.1177
z:EXP-ADH-RC4-MD5         476       0.1182
z:EXP-DES-CBC-SHA         54674     13.5754
z:EXP-EDH-RSA-DES-CBC-SHA 42941     10.6622
z:EXP-RC2-CBC-MD5         59213     14.7025
z:NULL-MD5                331       0.0822
z:NULL-SHA                334       0.0829
z:NULL-SHA256             10        0.0025
z:RC2-CBC-MD5             30259     7.5132

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               178562    44.3366
Server side               224180    55.6634

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1459      0.3623
AECDH                     15393     3.822
DHE                       206612    51.3013
ECDHE                     196029    48.6736
ECDHE and DHE             80995     20.1109
RSA                       402219    99.8701

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               189005    46.9295  91.4782
DH,2048bits               15870     3.9405   7.6811
DH,2226bits               2         0.0005   0.001
DH,2430bits               1         0.0002   0.0005
DH,3072bits               5         0.0012   0.0024
DH,3246bits               2         0.0005   0.001
DH,3248bits               1         0.0002   0.0005
DH,4096bits               803       0.1994   0.3887
DH,512bits                43127     10.7083  20.8734
DH,768bits                731       0.1815   0.3538
DH,8192bits               1         0.0002   0.0005
ECDH,B-163,163bits        13        0.0032   0.0066
ECDH,B-571,570bits        405       0.1006   0.2066
ECDH,P-224,224bits        6         0.0015   0.0031
ECDH,P-256,256bits        194476    48.288   99.2078
ECDH,P-384,384bits        453       0.1125   0.2311
ECDH,P-521,521bits        988       0.2453   0.504
Prefer DH,1024bits        113032    28.0656  54.7074
Prefer DH,2048bits        1222      0.3034   0.5914
Prefer DH,3072bits        1         0.0002   0.0005
Prefer DH,4096bits        53        0.0132   0.0257
Prefer DH,512bits         1         0.0002   0.0005
Prefer DH,768bits         92        0.0228   0.0445
Prefer ECDH,B-163,163bits 13        0.0032   0.0066
Prefer ECDH,B-571,570bits 332       0.0824   0.1694
Prefer ECDH,P-224,224bits 4         0.001    0.002
Prefer ECDH,P-256,256bits 144871    35.9712  73.9028
Prefer ECDH,P-384,384bits 379       0.0941   0.1933
Prefer ECDH,P-521,521bits 933       0.2317   0.4759
Prefer PFS                260933    64.7891  0
Support PFS               321646    79.864   0

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
5                         2         0.0005   
5 only                    2         0.0005   
30                        8         0.002    
30 only                   2         0.0005   
60                        44        0.0109   
60 only                   38        0.0094   
100                       6         0.0015   
100 only                  6         0.0015   
120                       12        0.003    
120 only                  12        0.003    
128                       3         0.0007   
128 only                  2         0.0005   
180                       26        0.0065   
180 only                  26        0.0065   
240                       1         0.0002   
240 only                  1         0.0002   
300                       162695    40.3968  
300 only                  143072    35.5245  
420                       20        0.005    
420 only                  11        0.0027   
480                       8         0.002    
480 only                  8         0.002    
600                       7769      1.929    
600 only                  7515      1.866    
900                       243       0.0603   
900 only                  223       0.0554   
960                       3         0.0007   
960 only                  3         0.0007   
1000                      1         0.0002   
1000 only                 1         0.0002   
1200                      57        0.0142   
1200 only                 55        0.0137   
1500                      8         0.002    
1500 only                 7         0.0017   
1800                      171       0.0425   
1800 only                 158       0.0392   
2100                      1         0.0002   
2100 only                 1         0.0002   
2400                      1         0.0002   
2400 only                 1         0.0002   
2700                      5         0.0012   
2700 only                 5         0.0012   
3000                      4         0.001    
3000 only                 3         0.0007   
3600                      234       0.0581   
3600 only                 221       0.0549   
4500                      1         0.0002   
4500 only                 1         0.0002   
5400                      1         0.0002   
6000                      2         0.0005   
6000 only                 2         0.0005   
7200                      10762     2.6722   
7200 only                 8269      2.0532   
10800                     11        0.0027   
10800 only                6         0.0015   
14400                     813       0.2019   
14400 only                809       0.2009   
21600                     580       0.144    
21600 only                580       0.144    
28800                     14        0.0035   
28800 only                14        0.0035   
36000                     399       0.0991   
36000 only                397       0.0986   
43200                     5617      1.3947   
43200 only                5615      1.3942   
64800                     10296     2.5565   
64800 only                10285     2.5537   
72000                     7         0.0017   
72000 only                7         0.0017   
86000                     29        0.0072   
86000 only                27        0.0067   
86400                     105       0.0261   
86400 only                104       0.0258   
100800                    14914     3.7031   
100800 only               16        0.004    
129600                    5         0.0012   
129600 only               5         0.0012   
604800                    1         0.0002   
604800 only               1         0.0002   
864000                    6         0.0015   
864000 only               6         0.0015   
None                      225221    55.9219  
None only                 187861    46.6455  

Certificate sig alg       Count     Percent
-------------------------+---------+--------
None                      16643     4.1324   
ecdsa-with-SHA256         4         0.001    
sha1WithRSAEncryption     335932    83.4112  
sha256WithRSAEncryption   66851     16.599   

Certificate key size      Count     Percent
-------------------------+---------+--------
ECDSA 256                 8237      2.0452   
ECDSA 384                 1         0.0002   
RSA 1024                  1763      0.4377   
RSA 2028                  1         0.0002   
RSA 2047                  2         0.0005   
RSA 2048                  386945    96.0776  
RSA 2049                  1         0.0002   
RSA 2056                  6         0.0015   
RSA 2058                  2         0.0005   
RSA 2060                  1         0.0002   
RSA 2064                  2         0.0005   
RSA 2080                  2         0.0005   
RSA 2084                  7         0.0017
RSA 2345                  1         0.0002
RSA 2408                  3         0.0007
RSA 2432                  12        0.003
RSA 2536                  1         0.0002
RSA 2612                  1         0.0002
RSA 3072                  38        0.0094
RSA 3096                  1         0.0002
RSA 3248                  2         0.0005
RSA 3600                  1         0.0002
RSA 4042                  1         0.0002
RSA 4046                  2         0.0005
RSA 4048                  2         0.0005
RSA 4086                  1         0.0002
RSA 4092                  2         0.0005
RSA 4096                  13950     3.4638
RSA 4098                  3         0.0007
RSA 4192                  1         0.0002
RSA 8192                  3         0.0007
RSA/ECDSA Dual Stack      8234      2.0445

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 44490     11.0468
Unsupported               358252    88.9532

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      47267     11.7363
SSL2 Only                 5715      1.419
SSL3                      385853    95.8065
SSL3 Only                 3108      0.7717
SSL3 or TLS1 Only         113041    28.0678
TLS1                      393018    97.5856
TLS1 Only                 2663      0.6612
TLS1.1                    229677    57.0283
TLS1.1 Only               4         0.001
TLS1.1 or up Only         101       0.0251
TLS1.2                    239781    59.5371
TLS1.2 Only               46        0.0114
TLS1.2, 1.0 but not 1.1   14607     3.6269

Scan performed between 10th and 18th of September 2014.

Certificates

The number of servers that use 1024 bit RSA has fallen by 200. At the same time, about 2% more servers have a 112 bit security level for their certificate chain.

Statistics from 447622 chains provided by 593860 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  369705    62.2546
incomplete                29348     4.9419
untrusted                 194807    32.8035

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         2255      0.5038
3                         433123    96.7609
4                         12223     2.7307
5                         21        0.0047

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 4         
ECDSA 384                 4         
RSA 1024                  1516      
RSA 2045                  1         
RSA 2048                  883076    
RSA 4096                  20653     

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 4         0.0009
ECDSA 384                 4         0.0009
RSA 1024                  1506      0.3364
RSA 2045                  1         0.0002
RSA 2048                  446153    99.6718
RSA 4096                  20317     4.5389

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              4         
sha1WithRSAEncryption          383519    
sha256WithRSAEncryption        55325     
sha384WithRSAEncryption        18784     

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        384294    85.8523
112                       63324     14.1468
128.0                     4         0.0009

Most common root CAs                          Count     Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA                 118018    26.3655
(157753a5) AddTrust External CA Root          71841     16.0495
(5ad8a5d6) GlobalSign Root CA                 45383     10.1387
(cbf06781) Go Daddy Root Certificate Authorit 31016     6.9291
(2e4eed3c) thawte Primary Root CA             27902     6.2334
(b204d74a) VeriSign Class 3 Public Primary Ce 26452     5.9095
(f081611a) The Go Daddy Group, Inc.           24930     5.5694
(244b5494) DigiCert High Assurance EV Root CA 22937     5.1242
(b13cc6df) UTN-USERFirst-Hardware             12647     2.8254
(40547a79) COMODO Certification Authority     11095     2.4787
(653b494a) Baltimore CyberTrust Root          10622     2.373
(ae8153b9) StartCom Certification Authority   9143      2.0426
(f387163d) Starfield Technologies, Inc.       8283      1.8504
(480720ec) GeoTrust Primary Certification Aut 4545      1.0154

Cloudflare SSL

In a recent blog post CloudFlare announced that they will deploy Universal SSL. In short, this means that even their free-tier clients will receive a redirect to TLS servers configured with ECDSA certificates if the CDN detects a modern browser.

You can expect next month’s results to feature more TLS servers.

TLS landscape

(This article was originally published on securityblog.redhat.com on 2014/09/10)

Transport Layer Security (TLS) or, as it was known in the beginnings of the Internet, Secure Sockets Layer (SSL) is the technology responsible for securing communications between different devices. It is used every day by nearly everyone using the globe-spanning network.

Let’s take a closer look at how TLS is used by servers that underpin the World Wide Web and how the promise of security is actually executed.

Adoption

Hyper Text Transfer Protocol (HTTP) in versions 1.1 and older makes encryption (and thus the use of TLS) optional. Given that the upcoming HTTP 2.0 will require the use of TLS and that Google now uses HTTPS in its ranking algorithm, it is expected that many sites will become TLS-enabled.

Surveying the Alexa top 1 million sites, most domains still don’t provide a secure communication channel for their users.

Just under 40% of HTTP servers support TLS or SSL and present valid certificates.

Additionally, if we look at the versions of the protocol supported by the servers, most don’t support the newest (and most secure) version, TLSv1.2. Of more concern is the number of sites that support the completely insecure SSLv2 protocol.

Only half of HTTPS servers support TLS 1.2

(There are no results for SSLv2 for the first 3 months because of an error in the software that was collecting data.)

One of the newest and most secure ciphers available in TLS is Advanced Encryption Standard (AES) in Galois/Counter Mode (AES-GCM). Those ciphers provide good security, resiliency against known attacks (BEAST and Lucky13), and very good performance for machines with hardware accelerators for them (modern Intel and AMD CPUs, upcoming ARM).

Unfortunately, support for AES-GCM is growing a bit more slowly than TLS adoption in general, which means that some of the newly deployed servers either aren’t using new cryptographic libraries or are configured not to use all of their functions.

Only 40% of TLS web servers support AES-GCM ciphersuites.

Bad recommendations

A few years back, a weakness in TLS 1.0 and SSL 3 was shown to be exploitable in the BEAST attack. The recommended workaround for it was to use RC4-based ciphers. Unfortunately, we later learned that the RC4 cipher is much weaker than it was previously estimated. As the vulnerability that allowed BEAST was fixed in TLSv1.1, using RC4 ciphers with new protocol versions was always unnecessary. Additionally, now all major clients have implemented workarounds for this attack, which currently makes using RC4 a bad idea.

Unfortunately, many servers prefer RC4 and some (~1%) actually support only RC4. This makes it impossible to disable this weak cipher on the client side to force the rest of the servers (nearly 19%) to use a different cipher suite.

RC4 is still used with more than 18% of HTTPS servers.

The other common issue is that many certificates are still signed using the obsolete SHA-1. This is mostly caused by backwards compatibility with clients like Windows XP pre SP2 and old phones.

SHA-256 certificates only recently started growing in numbers

The sudden increase in SHA-256 certificates between April and May was caused by re-issuance of certificates in the wake of Heartbleed.

Bad configuration

Many servers also support insecure cipher suites. In the latest scan, over 3.5% of servers support cipher suites that use the AECDH key exchange, which is completely insecure against man-in-the-middle attacks. Many servers also support single DES (around 15%) and export grade cipher suites (around 15%). In total, around 20% of servers support some kind of broken cipher suite.

While a correctly implemented SSLv3 or later shouldn’t allow negotiation of those weak ciphers if stronger ones are supported by both client and server, at least one commonly used implementation had a vulnerability that allowed changing the cipher suite to an arbitrary one supported by both client and server. That’s why it is important to occasionally clean up the list of supported ciphers, on both the server and the client side.

Forward secrecy

Forward secrecy, also known as perfect forward secrecy (PFS), is a property of a cipher suite that makes it impossible to decrypt communication between client and server when the attacker knows the server’s private key. It also protects old communication in case the private key is leaked or stolen. That’s why it is such a desirable property.

The good news is that most servers (over 60%) not only support, but will actually negotiate cipher suites that provide forward secrecy with clients that support it. The types used are split essentially between 1024 bit DHE and 256 bit ECDHE, scoring respectively 29% and 33% of all servers in the latest scan. The number of servers that negotiate PFS-enabled cipher suites is also steadily growing.

PFS support among TLS-enabled HTTP servers

Summary

Most Internet-facing servers are badly configured. Sometimes this is caused by a lack of functionality in software, as with old Apache 2.2.x releases that don’t support ECDHE key exchange. Sometimes it is a side effect of using new software with an old configuration: many configuration tutorials suggested using !ADH in the cipher string to disable anonymous cipher suites, but that doesn’t disable AECDH, the anonymous Elliptic Curve version of DH; for that, !aNULL is necessary.

Thankfully, the situation seems to be improving, though unfortunately rather slowly.

If you’re an administrator of a server, consider enabling TLS. The performance issues of the days when encryption was slow and taxing on servers are long gone. If you already use TLS, double-check your configuration, preferably using the Mozilla guide to server configuration, as it is regularly updated. Make sure you enable PFS cipher suites and put them above non-PFS ciphers, and that you, as well as the Certificate Authority you’ve chosen, use modern crypto (SHA-2) and large key sizes (at least 2048 bit RSA).
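The !ADH versus !aNULL pitfall and the "PFS suites first" advice above can be checked mechanically against a server's accepted suite list. The following is an added example, not code from the original article or the scan tooling: the sample list is constructed, and the `exclude` helper is a simplified name-based model of the two aliases, not OpenSSL's cipher-string parser.

```python
import re

# OpenSSL-style TLS <= 1.2 suite names, as used in the scan tables on this page.
# Flagged categories follow the page: anonymous key exchange (ADH, AECDH), NULL
# encryption, export grade, single DES and RC2 are broken; RC4 is weak.
# IDEA and SEED are not flagged, matching the scan's "Insecure" entry.
CHECKS = [
    ("anonymous", re.compile(r"(^|-)(ADH|AECDH)-")),
    ("null-encryption", re.compile(r"(^|-)NULL-")),
    ("export", re.compile(r"^EXP-")),
    ("single-des", re.compile(r"(^|-)DES-CBC-")),  # DES-CBC3 (3DES) does not match
    ("rc2", re.compile(r"(^|-)RC2-")),
    ("rc4", re.compile(r"(^|-)RC4-")),
]
PFS = re.compile(r"^(ECDHE|DHE|EDH)-")

# Simplified, name-based model of two cipher-string aliases (an assumption for
# this example, not OpenSSL's parser): ADH covers only finite-field anonymous
# DH, while aNULL covers every suite without authentication, AECDH included.
ALIASES = {
    "ADH": re.compile(r"(^|-)ADH-"),
    "aNULL": re.compile(r"(^|-)(ADH|AECDH)-"),
}


def exclude(suites, alias):
    """Model the effect of '!<alias>' on an ordered list of suite names."""
    return [s for s in suites if not ALIASES[alias].search(s)]


def audit(suites):
    """Return (flagged suites with reasons, PFS suites listed below a non-PFS one)."""
    flagged = {}
    for name in suites:
        tags = [tag for tag, rx in CHECKS if rx.search(name)]
        if tags:
            flagged[name] = tags
    clean = [s for s in suites if s not in flagged]
    misplaced, seen_non_pfs = [], False
    for name in clean:
        if PFS.match(name):
            if seen_non_pfs:
                misplaced.append(name)
        else:
            seen_non_pfs = True
    return flagged, misplaced


# Constructed sample: suites a permissive server might accept, in preference order.
SAMPLE = [
    "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA",
    "DES-CBC3-SHA", "RC4-SHA", "ADH-AES128-SHA", "AECDH-AES128-SHA",
    "EXP-EDH-RSA-DES-CBC-SHA", "DES-CBC-SHA", "IDEA-CBC-SHA",
]

if __name__ == "__main__":
    for alias in ("ADH", "aNULL"):
        flagged, _ = audit(exclude(SAMPLE, alias))
        anon = [s for s, tags in flagged.items() if "anonymous" in tags]
        print(f"!{alias}: anonymous suites left = {anon}")
    flagged, misplaced = audit(SAMPLE)
    for name, tags in flagged.items():
        print(f"{name}: {', '.join(tags)}")
    print("PFS suites below a non-PFS suite:", misplaced)
```

In practice the input list would come from a scan of your own server in its preference order; anything `audit` flags as anonymous after applying an exclusion shows that the exclusion was too narrow.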

If you’re a user of a server and you’ve noticed that the server doesn’t use correct configuration, try contacting the administrator – he may have just forgotten about it.