This time around, I have extended the scanning script to also include tests checking whether servers are tolerant to specific settings inside client hello messages. The scan itself also gained a fallback mode in case the regular scan (used up until now for all data collection) hasn’t detected any ciphers to be supported by the server, or the server appears to support just SSLv2. Other additions include a scan for supported curves for ECDHE key exchange, the key signature algorithm for TLSv1.2 ECDHE and DHE key exchange, secure renegotiation support and compression.
Protocol versions
While I have provided some results for intolerance of specific settings in the Halloween special, a scan of the full Alexa top 1 million proved to be much more complex and harder to pin down in just a few lines. I’m afraid I won’t be able to tell much about the bugs the servers seem to be showing until I develop tests for specific bugs rather than the current probing with very generic (and rather standard) client hello messages.
That being said, general statistics look like this: about 4.8% of servers refused a connection that started with a big, full-featured TLSv1.2 client hello. That includes about 0.1% of servers that are strictly TLSv1.2 ClientHello intolerant (even when inside a V2 Client Hello) and 0.18% that are intolerant to a regular TLSv1.2 client hello; the rest seem to be intolerant to just a big client hello or to placement of the RC4-SHA and RC4-MD5 ciphers after the 64th position (Windows 2003 bug).
Supported curves
Around 56.7% of servers will negotiate ECDHE cipher suites. The vast majority of servers support the NIST prime256v1 curve (55.6% of all TLS-enabled) and a large part of them support only this one curve (48.2%). The second most supported curve is secp384r1, supported by 7.3% of servers (0.02% support only this one). The third most supported curve is secp521r1, at 1.77%. Other curves hover around the 0.13% mark, with the exception of the brainpool curves (all 3 of them), which are supported by only 19 servers.
At the same time, there are servers which support only the secp521r1, sect163k1 or sect163r2 curves – those servers won’t be able to negotiate ECDHE ciphers with common web browsers. This is because the secp521r1 curve is supported only by some browsers (a list that doesn’t include Firefox and Internet Explorer) while the other two are unsupported by all major browsers.
Interestingly, nearly all servers dictate the selected curve (use server side ordering for curves) – only 0.13% of servers let the client select the most preferred curve.
Many servers (11.8% of total) will abort the connection completely in case the client does not support the curve preferred by the server.
Signature algorithms in PFS TLSv1.2 key exchange
As more eagle-eyed readers of RFC 5246 (the TLSv1.2 definition) may have noticed, the standard also allows the peers to negotiate the signature algorithm used for signing the DHE and ECDHE key exchange. In detail, it allows the server to sign the key exchange with MD5, SHA1 and SHA-2 family functions.
As we all know, MD5 is far from secure when used for digital signatures.
Unfortunately, many servers (24% of TLS-enabled) will sign the message with MD5 if the client “doesn’t leave them any choice”. A few (3 in total) will sign the key exchange only using MD5! The situation with the weak-but-not-broken-yet SHA1 is not much better, as 8% of servers will use only it for signing.
On many servers, support for the SHA2 family of functions is still lagging a bit behind SHA1 (at around 42% and 51% of all, respectively).
The majority of servers will honour the client’s preferred signature mechanism (38% of TLS-enabled) while a minority will use only their own preference (18%).
In case the client doesn’t advertise any signature algorithm supported by the server, the behaviour is rather diverse. The most common is just forcing the client to accept SHA-1 signatures (at 23.9%); a close second (at 23.7%) is aborting the connection if the client doesn’t advertise any RSA-based signature algorithms. Less common still is aborting as soon as the client advertises only unsupported signature algorithms (at 3.47%). Very few servers opt to select ciphers that don’t require negotiation of signature algorithms (at 0.3%).
For servers with ECDSA keys, the situation is more uniform: 5.5% of all TLS-enabled servers will just force the SHA-1 signature algorithm, 20 servers will abort the connection, while just one will drop down to an RSA-based, but still PFS-enabled, cipher suite.
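The signature algorithm a server actually chose is visible in its ServerKeyExchange message. As an added example (not part of the original scan script), the Python parser below reads a TLSv1.2 ECDHE ServerKeyExchange handshake message and reports the named curve and the signature/hash pair, flagging MD5 and SHA1. The function names are hypothetical and the sample messages are constructed, with zero-filled points and signatures.

```python
import struct

# Code points from RFC 5246 (hash/signature) and RFC 4492 (named curves).
HASHES = {1: "MD5", 2: "SHA1", 3: "SHA224", 4: "SHA256", 5: "SHA384", 6: "SHA512"}
SIGS = {1: "RSA", 2: "DSA", 3: "ECDSA"}
CURVES = {1: "sect163k1", 3: "sect163r2", 23: "prime256v1",
          24: "secp384r1", 25: "secp521r1"}
WEAK_HASHES = {"MD5", "SHA1"}  # the two hashes the survey singles out


def parse_ecdhe_ske(msg: bytes) -> dict:
    """Parse a TLSv1.2 ECDHE ServerKeyExchange handshake message."""
    if len(msg) < 4 or msg[0] != 12:  # 12 = server_key_exchange
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")
    if len(body) < 4 or body[0] != 3:  # 3 = named_curve
        raise ValueError("only named_curve ECParameters are handled")
    curve_id, point_len = struct.unpack_from("!HB", body, 1)
    pos = 4 + point_len  # skip the server's ephemeral EC point
    if len(body) < pos + 4:
        raise ValueError("missing signature fields")
    # TLSv1.2 only: SignatureAndHashAlgorithm precedes the signature.
    hash_id, sig_id, sig_len = struct.unpack_from("!BBH", body, pos)
    if len(body) != pos + 4 + sig_len:
        raise ValueError("signature length mismatch")
    hash_name = HASHES.get(hash_id, "hash_%d" % hash_id)
    sig_name = SIGS.get(sig_id, "sig_%d" % sig_id)
    return {
        "curve": CURVES.get(curve_id, "curve_%d" % curve_id),
        "sigalg": sig_name + "-" + hash_name,
        "weak_hash": hash_name in WEAK_HASHES,
    }


def build_sample(curve_id, hash_id, sig_id, point_len=65, sig_len=256):
    """Constructed message: zero-filled point and signature, real framing."""
    body = struct.pack("!BHB", 3, curve_id, point_len) + bytes(point_len)
    body += struct.pack("!BBH", hash_id, sig_id, sig_len) + bytes(sig_len)
    return bytes([12]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    # RSA-MD5 and RSA-SHA1 on prime256v1, then ECDSA-SHA256 on secp384r1.
    for args in [(23, 1, 1), (23, 2, 1), (24, 4, 3)]:
        print(parse_ecdhe_ske(build_sample(*args)))
```
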
Cipher suites
Going back to our usual programming, use of cipher suites didn’t see many changes.
3DES ciphers have decreased a bit (2%) while AES-GCM has increased a bit (also ~2%). While servers that support RC4 have decreased slightly (~1.5%), the number of servers that force the use of RC4 remained essentially the same.
The number of servers that will negotiate insecure cipher suites has grown by just under 2%, but this may be caused by the addition of the DES-CBC3-MD5 (at 8.7%), EXP-RC4-MD5 (at 11.7%), EXP1024-DES-CBC-SHA (at 2.3%), EXP1024-RC4-SHA (at 2.3%) and RC4-64-MD5 (at 0.39%) ciphers to the list of insecure ciphers, which previously either were counted towards the RC4 and 3DES numbers or were not tested at all (the EXP1024 ciphers).
It’s nice to see that more servers still use server side cipher ordering, this month at 66.7% (up by just under 6%).
We’ve also seen a 1.5% growth in servers that prefer PFS capable cipher suites, caused nearly entirely by servers that prefer the P-256 NIST curve for ECDHE key exchange.
Server certificates
A slight increase in the number of servers that have certificates signed by ECDSA keys, by 0.7%.
The other good news is that SHA-1 keeps on losing, this month by 7.6% to a level of 68%.
The key sizes haven’t seen many changes; 2048 bit is still dominant at 90.7% for RSA while 256 bit is dominant at 5.5% for ECDSA.
Looks like Google has once again modified their Apple client detection, as the number of servers that report support for both RSA and ECDSA cipher suites has gone back to nearly 0 (and the scanning script once again doesn’t report support of ECDHE-ECDSA ciphers for sites like youtube.com).
Protocols
Administrators keep on updating their configurations: SSLv2 support has gone down by 1.5% to 8.8%, while SSLv3 support has gone down by 23% to a level of 46%, making it the first month when SSLv3 is supported by less than half the web servers.
A bit surprisingly, TLSv1.0 has gained a bit of market, from the previous 97.7% to the current 99.2%, making it virtually ubiquitous.
TLSv1.1 and TLSv1.2 have gained a bit less, at around 1.5% and 2% respectively.
Vulnerabilities
Some of the servers are still vulnerable to long-known attacks that rely on support for compression (at 4.3%) or on the lack of an implementation of RFC 5746 (secure renegotiation), which is missing on nearly 6.5% of servers. These facilitate the CRIME and renegotiation attacks respectively.
Trust chains
The changes for individual certificates or trust chains in general are not significant, all are below the 1% mark, but they all go in the right direction – for higher security.
Detailed cipher scan results
SSL/TLS survey of 441636 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)

Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      374355    84.7655
3DES Only                 402       0.091
AES                       413509    93.6312
AES Only                  3628      0.8215
AES-CBC Only              2370      0.5366
AES-GCM                   226553    51.2986
AES-GCM Only              11        0.0025
CAMELLIA                  169951    38.4821
CAMELLIA Only             1         0.0002
CHACHA20                  14060     3.1836
Insecure                  97652     22.1114
RC4                       370269    83.8403
RC4 Only                  3694      0.8364
RC4 Preferred             72316     16.3746
RC4 forced in TLS1.1+     44600     10.0988
x:FF 29 RC4 Only          521       0.118
x:FF 29 RC4 Preferred     77977     17.6564
x:FF 29 incompatible      152       0.0344
y:DHE-RSA-SEED-SHA        81413     18.4344
y:IDEA-CBC-MD5            3271      0.7407
y:IDEA-CBC-SHA            66611     15.0828
y:SEED-SHA                83866     18.9898
z:ADH-AES128-GCM-SHA256   297       0.0672
z:ADH-AES128-SHA          1093      0.2475
z:ADH-AES128-SHA256       258       0.0584
z:ADH-AES256-GCM-SHA384   298       0.0675
z:ADH-AES256-SHA          1105      0.2502
z:ADH-AES256-SHA256       258       0.0584
z:ADH-CAMELLIA128-SHA     461       0.1044
z:ADH-CAMELLIA256-SHA     471       0.1066
z:ADH-DES-CBC-SHA         457       0.1035
z:ADH-DES-CBC3-SHA        1145      0.2593
z:ADH-RC4-MD5             929       0.2104
z:ADH-SEED-SHA            327       0.074
z:AECDH-AES128-SHA        13449     3.0453
z:AECDH-AES256-SHA        13444     3.0441
z:AECDH-DES-CBC3-SHA      13404     3.0351
z:AECDH-NULL-SHA          32        0.0072
z:AECDH-RC4-SHA           12431     2.8148
z:DES-CBC-MD5             21586     4.8877
z:DES-CBC-SHA             57810     13.09
z:DES-CBC3-MD5            38510     8.7199
z:ECDHE-RSA-NULL-SHA      40        0.0091
z:EDH-RSA-DES-CBC-SHA     50046     11.332
z:EXP-ADH-DES-CBC-SHA     370       0.0838
z:EXP-ADH-RC4-MD5         375       0.0849
z:EXP-DES-CBC-SHA         43742     9.9045
z:EXP-EDH-RSA-DES-CBC-SHA 32332     7.321
z:EXP-RC2-CBC-MD5         48992     11.0933
z:EXP-RC4-MD5             51816     11.7327
z:EXP1024-DES-CBC-SHA     10301     2.3325
z:EXP1024-RC4-SHA         10439     2.3637
z:NULL-MD5                308       0.0697
z:NULL-SHA                310       0.0702
z:NULL-SHA256             21        0.0048
z:RC2-CBC-MD5             21992     4.9797
z:RC4-64-MD5              1761      0.3987

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               146876    33.2573
Server side               294760    66.7427

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1219      0.276
AECDH                     13477     3.0516
DHE                       218697    49.5197
ECDHE                     250523    56.7261
ECDHE and DHE             107307    24.2976
RSA                       416216    94.2441

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               194241    43.9821  88.8174
DH,1536bits               1         0.0002   0.0005
DH,2047bits               1         0.0002   0.0005
DH,2048bits               22093     5.0025   10.1021
DH,2226bits               1         0.0002   0.0005
DH,2236bits               2         0.0005   0.0009
DH,3072bits               11        0.0025   0.005
DH,3248bits               2         0.0005   0.0009
DH,4096bits               1313      0.2973   0.6004
DH,512bits                32507     7.3606   14.8639
DH,768bits                866       0.1961   0.396
DH,8192bits               1         0.0002   0.0005
ECDH,B-163,163bits        12        0.0027   0.0048
ECDH,B-571,570bits        565       0.1279   0.2255
ECDH,P-224,224bits        15        0.0034   0.006
ECDH,P-256,256bits        244052    55.2609  97.417
ECDH,P-384,384bits        717       0.1624   0.2862
ECDH,P-521,521bits        6141      1.3905   2.4513
Prefer DH,1024bits        102473    23.203   46.8562
Prefer DH,2048bits        2729      0.6179   1.2478
Prefer DH,2236bits        1         0.0002   0.0005
Prefer DH,3072bits        1         0.0002   0.0005
Prefer DH,4096bits        87        0.0197   0.0398
Prefer DH,512bits         23        0.0052   0.0105
Prefer DH,768bits         459       0.1039   0.2099
Prefer ECDH,B-163,163bits 12        0.0027   0.0048
Prefer ECDH,B-571,570bits 394       0.0892   0.1573
Prefer ECDH,P-224,224bits 14        0.0032   0.0056
Prefer ECDH,P-256,256bits 196706    44.5403  78.5181
Prefer ECDH,P-384,384bits 660       0.1494   0.2634
Prefer ECDH,P-521,521bits 5660      1.2816   2.2593
Prefer PFS                309219    70.0167  0
Support PFS               361913    81.9483  0

Supported ECC curves      Count     Percent
-------------------------+---------+--------
brainpoolP256r1           19        0.0043
brainpoolP384r1           19        0.0043
brainpoolP512r1           19        0.0043
prime192v1                573       0.1297
prime256v1                245656    55.6241
prime256v1 Only           213263    48.2893
secp160k1                 554       0.1254
secp160r1                 554       0.1254
secp160r2                 554       0.1254
secp192k1                 565       0.1279
secp224k1                 576       0.1304
secp224r1                 714       0.1617
secp256k1                 579       0.1311
secp384r1                 32501     7.3592
secp384r1 Only            109       0.0247
secp521r1                 7817      1.77
secp521r1 Only            69        0.0156
sect163k1                 559       0.1266
sect163k1 Only            1         0.0002
sect163r1                 557       0.1261
sect163r2                 570       0.1291
sect163r2 Only            12        0.0027
sect193r1                 557       0.1261
sect193r2                 557       0.1261
sect233k1                 573       0.1297
sect233r1                 573       0.1297
sect239k1                 572       0.1295
sect283k1                 573       0.1297
sect283r1                 572       0.1295
sect409k1                 570       0.1291
sect409r1                 570       0.1291
sect571k1                 574       0.13
sect571r1                 574       0.13

Unsupported curve fallback     Count     Percent
------------------------------+---------+--------
False                          52248     11.8306
True                           161110    36.4803
order-specific                 10        0.0023
unknown                        228268    51.6869

ECC curve ordering        Count     Percent
-------------------------+---------+--------
client                    577       0.1307
inconclusive-noecc        2         0.0005
server                    245280    55.539
unknown                   195777    44.3299

TLSv1.2 PFS supported sigalgs  Count     Percent
------------------------------+---------+--------
ECDSA-SHA1                     24443     5.5346
ECDSA-SHA224                   24448     5.5358
ECDSA-SHA256                   24449     5.536
ECDSA-SHA384                   24451     5.5365
ECDSA-SHA512                   24454     5.5371
ECDSA-SHA512 Only              3         0.0007
RSA-MD5                        106330    24.0764
RSA-MD5 Only                   3         0.0007
RSA-SHA1                       225736    51.1136
RSA-SHA1 Only                  35561     8.0521
RSA-SHA224                     186614    42.2552
RSA-SHA256                     191459    43.3522
RSA-SHA256 Only                926       0.2097
RSA-SHA384                     186997    42.3419
RSA-SHA512                     187037    42.3509
RSA-SHA512 Only                37        0.0084

TLSv1.2 PFS ordering           Count     Percent
------------------------------+---------+--------
client                         170553    38.6185
indeterminate                  8         0.0018
intolerant                     661       0.1497
order-fallback                 5         0.0011
server                         80372     18.1987
unsupported                    40930     9.2678

TLSv1.2 PFS sigalg fallback    Count     Percent
------------------------------+---------+--------
ECDSA SHA1                     24438     5.5335
ECDSA intolerant               20        0.0045
ECDSA pfs-rsa-SHA512           1         0.0002
RSA False                      104894    23.7512
RSA SHA1                       105580    23.9066
RSA intolerant                 15354     3.4766
RSA pfs-ecdsa-SHA512           2         0.0005
RSA soft-nopfs                 1464      0.3315

Renegotiation             Count     Percent
-------------------------+---------+--------
False                     11218     2.5401
insecure                  28271     6.4014
secure                    402147    91.0585

Compression               Count     Percent
-------------------------+---------+--------
1 (zlib compression)      19036     4.3103
False                     11218     2.5401
NONE                      411382    93.1496

TLS session ticket hint   Count     Percent
-------------------------+---------+--------
1                         1         0.0002
1 only                    1         0.0002
3                         2         0.0005
3 only                    2         0.0005
5                         1         0.0002
5 only                    1         0.0002
10                        3         0.0007
10 only                   3         0.0007
15                        7         0.0016
15 only                   7         0.0016
30                        9         0.002
30 only                   9         0.002
45                        1         0.0002
45 only                   1         0.0002
60                        71        0.0161
60 only                   67        0.0152
65                        1         0.0002
65 only                   1         0.0002
70                        1         0.0002
75                        1         0.0002
75 only                   1         0.0002
100                       16        0.0036
100 only                  16        0.0036
120                       15        0.0034
120 only                  15        0.0034
128                       1         0.0002
128 only                  1         0.0002
180                       35        0.0079
180 only                  35        0.0079
240                       2         0.0005
240 only                  2         0.0005
300                       169526    38.3859
300 only                  156066    35.3382
360                       1         0.0002
360 only                  1         0.0002
400                       2         0.0005
400 only                  2         0.0005
420                       25        0.0057
420 only                  17        0.0038
480                       11        0.0025
480 only                  10        0.0023
600                       12859     2.9117
600 only                  12605     2.8542
660                       1         0.0002
660 only                  1         0.0002
900                       355       0.0804
900 only                  337       0.0763
960                       2         0.0005
960 only                  2         0.0005
1000                      1         0.0002
1000 only                 1         0.0002
1200                      253       0.0573
1200 only                 249       0.0564
1500                      11        0.0025
1500 only                 10        0.0023
1800                      258       0.0584
1800 only                 254       0.0575
2100                      1         0.0002
2100 only                 1         0.0002
2400                      1         0.0002
2400 only                 1         0.0002
2700                      5         0.0011
2700 only                 5         0.0011
3000                      8         0.0018
3000 only                 8         0.0018
3600                      336       0.0761
3600 only                 309       0.07
5400                      2         0.0005
6000                      4         0.0009
6000 only                 4         0.0009
7200                      11602     2.6271
7200 only                 8915      2.0186
10800                     16        0.0036
10800 only                8         0.0018
14400                     1087      0.2461
14400 only                1086      0.2459
18000                     1         0.0002
18000 only                1         0.0002
21600                     3246      0.735
21600 only                3244      0.7345
28800                     13        0.0029
28800 only                12        0.0027
36000                     420       0.0951
36000 only                412       0.0933
43200                     2089      0.473
43200 only                2089      0.473
64800                     40233     9.11
64800 only                40222     9.1075
72000                     5         0.0011
72000 only                5         0.0011
86000                     37        0.0084
86000 only                37        0.0084
86400                     176       0.0399
86400 only                174       0.0394
100800                    13809     3.1268
100800 only               13809     3.1268
115200                    1         0.0002
115200 only               1         0.0002
129600                    13        0.0029
129600 only               13        0.0029
604800                    1         0.0002
604800 only               1         0.0002
864000                    6         0.0014
864000 only               6         0.0014
None                      201554    45.638
None only                 185054    41.9019

Certificate sig alg       Count     Percent
-------------------------+---------+--------
None                      14532     3.2905
ecdsa-with-SHA256         24424     5.5303
sha1WithRSAEncryption     300669    68.0807
sha256WithRSAEncryption   116628    26.4082
sha512WithRSAEncryption   1         0.0002

Certificate key size      Count     Percent
-------------------------+---------+--------
ECDSA 256                 24452     5.5367
ECDSA 384                 5         0.0011
ECDSA 521                 1         0.0002
RSA 1024                  1689      0.3824
RSA 2028                  1         0.0002
RSA 2047                  2         0.0005
RSA 2048                  400697    90.7301
RSA 2049                  1         0.0002
RSA 2056                  6         0.0014
RSA 2058                  2         0.0005
RSA 2064                  1         0.0002
RSA 2080                  2         0.0005
RSA 2084                  10        0.0023
RSA 2096                  1         0.0002
RSA 2345                  1         0.0002
RSA 2408                  3         0.0007
RSA 2432                  8         0.0018
RSA 2536                  1         0.0002
RSA 2612                  1         0.0002
RSA 3071                  1         0.0002
RSA 3072                  54        0.0122
RSA 3248                  3         0.0007
RSA 3600                  1         0.0002
RSA 4046                  1         0.0002
RSA 4048                  2         0.0005
RSA 4056                  33        0.0075
RSA 4086                  3         0.0007
RSA 4092                  2         0.0005
RSA 4096                  14699     3.3283
RSA 4098                  2         0.0005
RSA 8192                  4         0.0009
RSA/ECDSA Dual Stack      40        0.0091

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 73634     16.673
Unsupported               368002    83.327

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      38835     8.7934
SSL2 Only                 100       0.0226
SSL3                      204062    46.2059
SSL3 Only                 2195      0.497
SSL3 or TLS1 Only         108575    24.5847
TLS1                      438481    99.2856
TLS1 Only                 46428     10.5127
TLS1.1                    281522    63.7453
TLS1.1 Only               25        0.0057
TLS1.1 or up Only         443       0.1003
TLS1.2                    292517    66.2349
TLS1.2 Only               337       0.0763
TLS1.2, 1.0 but not 1.1   13585     3.0761

Scan performed between 11th and 19th of November 2014.
Detailed trust chain results
Statistics from 477473 chains provided by 632817 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  413143    65.2863
incomplete                27529     4.3502
untrusted                 192145    30.3634

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         2158      0.452
3                         444774    93.1517
4                         30513     6.3905
5                         28        0.0059

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 24427
ECDSA 384                 24427
RSA 1024                  1337
RSA 2045                  1
RSA 2048                  893943
RSA 4096                  39222

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 24427     5.1159
ECDSA 384                 24427     5.1159
RSA 1024                  1333      0.2792
RSA 2045                  1         0.0002
RSA 2048                  451667    94.5953
RSA 4096                  38725     8.1104

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              24427
sha1WithRSAEncryption          336966
sha256WithRSAEncryption        90026
sha384WithRSAEncryption        54445
sha512WithRSAEncryption        20

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        337471    70.6786
112                       115573    24.2051
128                       24429     5.1163

Most popular root CAs                         Count     Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA                 112050    23.4673
(157753a5) AddTrust External CA Root          76553     16.0329
(5ad8a5d6) GlobalSign Root CA                 48090     10.0718
(cbf06781) Go Daddy Root Certificate Authorit 37124     7.7751
(b204d74a) VeriSign Class 3 Public Primary Ce 30047     6.2929
(2e4eed3c) thawte Primary Root CA             28036     5.8717
(eed8c118) COMODO ECC Certification Authority 24425     5.1155
(244b5494) DigiCert High Assurance EV Root CA 23682     4.9599
(f081611a) The Go Daddy Group, Inc.           17028     3.5663
(b13cc6df) UTN-USERFirst-Hardware             12816     2.6841
(653b494a) Baltimore CyberTrust Root          11357     2.3786
(40547a79) COMODO Certification Authority     9670      2.0252
(ae8153b9) StartCom Certification Authority   9305      1.9488
(f387163d) Starfield Technologies, Inc.       7652      1.6026