February 2016 scan results (incomplete)

Unfortunately, the server ran out of disk space during scanning, so the results are not complete.

Other than that, there are no interesting developments, just a continuation of established trends.

SSL/TLS survey of 479178 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      419340    87.5124
3DES Only                 506       0.1056
3DES Preferred            1692      0.3531
3DES forced in TLS1.1+    922       0.1924
AES                       474652    99.0555
AES Only                  37306     7.7854
AES-CBC                   474138    98.9482
AES-CBC Only              7523      1.57
AES-GCM                   380917    79.4938
AES-GCM Only              466       0.0972
CAMELLIA                  201933    42.1415
CAMELLIA Only             3         0.0006
CHACHA20                  66326     13.8416
CHACHA20 Only             1         0.0002
Insecure                  48383     10.0971
RC4                       149250    31.1471
RC4 Only                  177       0.0369
RC4 Preferred             15506     3.236
RC4 forced in TLS1.1+     8442      1.7618
x:FF 29 3DES Only         550       0.1148
x:FF 29 3DES Preferred    2012      0.4199
x:FF 29 RC4 Only          265       0.0553
x:FF 29 RC4 Preferred     17097     3.568
x:FF 29 incompatible      321       0.067
x:FF 35 3DES Only         559       0.1167
x:FF 35 3DES Preferred    1924      0.4015
x:FF 35 RC4 Only          311       0.0649
x:FF 35 RC4 Preferred     17124     3.5736
x:FF 35 incompatible      325       0.0678
y:DHE-RSA-SEED-SHA        60590     12.6446
y:IDEA-CBC-SHA            58075     12.1197
y:SEED-SHA                70022     14.6129
z:ADH-AES128-GCM-SHA256   354       0.0739
z:ADH-AES128-SHA          605       0.1263
z:ADH-AES128-SHA256       246       0.0513
z:ADH-AES256-GCM-SHA384   367       0.0766
z:ADH-AES256-SHA          618       0.129
z:ADH-AES256-SHA256       245       0.0511
z:ADH-CAMELLIA128-SHA     316       0.0659
z:ADH-CAMELLIA256-SHA     321       0.067
z:ADH-DES-CBC-SHA         243       0.0507
z:ADH-DES-CBC3-SHA        620       0.1294
z:ADH-RC4-MD5             455       0.095
z:ADH-SEED-SHA            254       0.053
z:AECDH-AES128-SHA        7521      1.5696
z:AECDH-AES256-SHA        7556      1.5769
z:AECDH-DES-CBC3-SHA      7499      1.565
z:AECDH-NULL-SHA          45        0.0094
z:AECDH-RC4-SHA           7010      1.4629
z:DES-CBC-MD5             7605      1.5871
z:DES-CBC-SHA             30728     6.4126
z:DES-CBC3-MD5            17199     3.5893
z:ECDHE-RSA-NULL-SHA      53        0.0111
z:EDH-RSA-DES-CBC-SHA     25945     5.4145
z:EXP-ADH-DES-CBC-SHA     148       0.0309
z:EXP-ADH-RC4-MD5         145       0.0303
z:EXP-DES-CBC-SHA         10647     2.2219
z:EXP-EDH-RSA-DES-CBC-SHA 8346      1.7417
z:EXP-RC2-CBC-MD5         12795     2.6702
z:EXP-RC4-MD5             13391     2.7946
z:EXP1024-DES-CBC-SHA     3415      0.7127
z:EXP1024-RC4-SHA         3465      0.7231
z:IDEA-CBC-MD5            1613      0.3366
z:NULL-MD5                162       0.0338
z:NULL-SHA                169       0.0353
z:NULL-SHA256             38        0.0079
z:RC2-CBC-MD5             7754      1.6182
z:RC4-64-MD5              712       0.1486

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               116701    24.3544
Server side               362477    75.6456

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       753       0.1571
AECDH                     7568      1.5794
DHE                       255330    53.285
ECDH                      2         0.0004
ECDHE                     404645    84.4457
ECDHE and DHE             212045    44.2518
RSA                       411697    85.9173

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               107150    22.3612  41.9653
DH,1338bits               1         0.0002   0.0004
DH,1536bits               1         0.0002   0.0004
DH,2048bits               139444    29.1007  54.6132
DH,2236bits               57        0.0119   0.0223
DH,2432bits               3         0.0006   0.0012
DH,3072bits               93        0.0194   0.0364
DH,3092bits               1         0.0002   0.0004
DH,4096bits               8367      1.7461   3.2769
DH,512bits                52        0.0109   0.0204
DH,768bits                313       0.0653   0.1226
DH,8192bits               7         0.0015   0.0027
ECDH,B-571,570bits        1786      0.3727   0.4414
ECDH,K-163,163bits        1         0.0002   0.0002
ECDH,P-192,192bits        15        0.0031   0.0037
ECDH,P-224,224bits        84        0.0175   0.0208
ECDH,P-256,256bits        389954    81.3798  96.3694
ECDH,P-384,384bits        4297      0.8967   1.0619
ECDH,P-521,521bits        10105     2.1088   2.4973
Prefer DH,1024bits        41750     8.7128   16.3514
Prefer DH,1536bits        1         0.0002   0.0004
Prefer DH,2048bits        4670      0.9746   1.829
Prefer DH,3072bits        7         0.0015   0.0027
Prefer DH,4096bits        333       0.0695   0.1304
Prefer DH,768bits         37        0.0077   0.0145
Prefer ECDH,B-571,570bits 1575      0.3287   0.3892
Prefer ECDH,K-163,163bits 1         0.0002   0.0002
Prefer ECDH,P-224,224bits 81        0.0169   0.02
Prefer ECDH,P-256,256bits 357787    74.6668  88.42
Prefer ECDH,P-384,384bits 3158      0.659    0.7804
Prefer ECDH,P-521,521bits 9166      1.9129   2.2652
Prefer PFS                418566    87.3508  0
Support PFS               447930    93.4788  0

Supported ECC curves      Count     Percent 
-------------------------+---------+--------
brainpoolP256r1           5523      1.1526   
brainpoolP384r1           5524      1.1528   
brainpoolP512r1           5525      1.153    
prime192v1                1353      0.2824   
prime256v1                401476    83.7843  
prime256v1 Only           345957    72.198   
secp160k1                 1299      0.2711   
secp160r1                 1304      0.2721   
secp160r2                 1299      0.2711   
secp192k1                 1314      0.2742   
secp224k1                 1392      0.2905   
secp224r1                 4371      0.9122   
secp256k1                 7238      1.5105   
secp384r1                 56063     11.6998  
secp384r1 Only            584       0.1219   
secp521r1                 28028     5.8492   
secp521r1 Only            125       0.0261   
sect163k1                 1310      0.2734   
sect163k1 Only            3         0.0006   
sect163r1                 1306      0.2726   
sect163r2                 1307      0.2728   
sect193r1                 1306      0.2726   
sect193r2                 1304      0.2721   
sect233k1                 1387      0.2895   
sect233r1                 1386      0.2892   
sect239k1                 1383      0.2886   
sect283k1                 6795      1.4181   
sect283k1 Only            1         0.0002   
sect283r1                 6792      1.4174   
sect409k1                 6793      1.4176   
sect409r1                 6793      1.4176   
sect571k1                 6797      1.4185   
sect571r1                 6797      1.4185   

Unsupported curve fallback     Count     Percent 
------------------------------+---------+--------
False                          43974     9.177    
True                           304974    63.6452  
order-specific                 61        0.0127   
unknown                        130169    27.1651  

ECC curve ordering        Count     Percent 
-------------------------+---------+--------
client                    6487      1.3538   
inconclusive-noecc        8         0.0017   
server                    395730    82.5852  
unknown                   76953     16.0594  

TLSv1.2 PFS supported sigalgs  Count     Percent 
------------------------------+---------+--------
ECDSA-SHA1                     40044     8.3568   
ECDSA-SHA1 Only                3         0.0006   
ECDSA-SHA224                   40035     8.3549   
ECDSA-SHA256                   54403     11.3534  
ECDSA-SHA384                   54398     11.3524  
ECDSA-SHA512                   54399     11.3526  
ECDSA-SHA512 Only              1         0.0002   
RSA-MD5                        47971     10.0111  
RSA-SHA1                       347530    72.5263  
RSA-SHA1 Only                  36263     7.5678   
RSA-SHA224                     288147    60.1336  
RSA-SHA256                     318675    66.5045  
RSA-SHA256 Only                6467      1.3496   
RSA-SHA384                     290085    60.538   
RSA-SHA384 Only                2         0.0004   
RSA-SHA512                     290093    60.5397  
RSA-SHA512 Only                126       0.0263   

TLSv1.2 PFS ordering           Count     Percent 
------------------------------+---------+--------
client                         215610    44.9958  
indeterminate                  32        0.0067   
intolerant                     4623      0.9648   
order-fallback                 3         0.0006   
server                         175045    36.5303  
unsupported                    17219     3.5934   

TLSv1.2 PFS sigalg fallback    Count     Percent 
------------------------------+---------+--------
ECDSA SHA1                     40031     8.3541   
ECDSA intolerant               47        0.0098   
ECDSA pfs-rsa-SHA512           14337     2.992    
ECDSA soft-nopfs               1         0.0002   
RSA False                      47573     9.928    
RSA SHA1                       274148    57.2121  
RSA intolerant                 34088     7.1138   
RSA pfs-ecdsa-SHA512           4         0.0008   
RSA soft-nopfs                 498       0.1039   

Renegotiation             Count     Percent 
-------------------------+---------+--------
False                     5212      1.0877   
insecure                  15480     3.2305   
secure                    458486    95.6818  

Compression               Count     Percent 
-------------------------+---------+--------
1 (zlib compression)      7370      1.5381   
False                     5212      1.0877   
NONE                      466596    97.3743  

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
1                         4         0.0008   
1 only                    4         0.0008   
2                         1         0.0002   
2 only                    1         0.0002   
10                        6         0.0013   
10 only                   6         0.0013   
15                        5         0.001    
15 only                   5         0.001    
30                        18        0.0038   
30 only                   17        0.0035   
60                        142       0.0296   
60 only                   138       0.0288   
65                        1         0.0002   
65 only                   1         0.0002   
70                        6         0.0013   
100                       15        0.0031   
100 only                  15        0.0031   
120                       24        0.005    
120 only                  24        0.005    
128                       3         0.0006   
128 only                  3         0.0006   
150                       1         0.0002   
180                       58        0.0121   
180 only                  55        0.0115   
240                       7         0.0015   
240 only                  7         0.0015   
244                       1         0.0002   
244 only                  1         0.0002   
300                       230415    48.0855  
300 only                  226909    47.3538  
302                       2         0.0004   
302 only                  2         0.0004   
360                       3         0.0006   
360 only                  1         0.0002   
400                       7         0.0015   
400 only                  7         0.0015   
420                       116       0.0242   
420 only                  93        0.0194   
480                       10        0.0021   
480 only                  10        0.0021   
500                       4         0.0008   
500 only                  4         0.0008   
540                       2         0.0004   
540 only                  2         0.0004   
600                       23920     4.9919   
600 only                  23758     4.9581   
660                       1         0.0002   
660 only                  1         0.0002   
840                       1         0.0002   
840 only                  1         0.0002   
900                       983       0.2051   
900 only                  962       0.2008   
960                       3         0.0006   
960 only                  3         0.0006   
1000                      1         0.0002   
1000 only                 1         0.0002   
1200                      2630      0.5489   
1200 only                 2627      0.5482   
1320                      1         0.0002   
1320 only                 1         0.0002   
1500                      2         0.0004   
1500 only                 1         0.0002   
1800                      500       0.1043   
1800 only                 491       0.1025   
1980                      2         0.0004   
1980 only                 2         0.0004   
2100                      2         0.0004   
2100 only                 1         0.0002   
2400                      7         0.0015   
2400 only                 7         0.0015   
2700                      10        0.0021   
2700 only                 10        0.0021   
3000                      26        0.0054   
3000 only                 26        0.0054   
3600                      664       0.1386   
3600 only                 655       0.1367   
3900                      1         0.0002   
3900 only                 1         0.0002   
5160                      1         0.0002   
5160 only                 1         0.0002   
5400                      15        0.0031   
5400 only                 8         0.0017   
6000                      214       0.0447   
6000 only                 214       0.0447   
7200                      14927     3.1151   
7200 only                 14908     3.1112   
10800                     3286      0.6858   
10800 only                3277      0.6839   
14400                     93        0.0194   
14400 only                91        0.019    
18000                     9         0.0019   
18000 only                9         0.0019   
21600                     3668      0.7655   
21600 only                3668      0.7655   
25200                     1         0.0002   
25200 only                1         0.0002   
28800                     1854      0.3869   
28800 only                1853      0.3867   
36000                     954       0.1991   
36000 only                945       0.1972   
43200                     39        0.0081   
43200 only                39        0.0081   
60000                     1         0.0002   
60000 only                1         0.0002   
64800                     56248     11.7384  
64800 only                56243     11.7374  
72000                     21        0.0044   
72000 only                21        0.0044   
79200                     1         0.0002   
79200 only                1         0.0002   
86000                     44        0.0092   
86000 only                44        0.0092   
86400                     2743      0.5724   
86400 only                2734      0.5706   
100800                    8629      1.8008   
100800 only               8618      1.7985   
115200                    1         0.0002   
115200 only               1         0.0002   
129600                    7         0.0015   
129600 only               7         0.0015   
172800                    9         0.0019   
172800 only               9         0.0019   
216000                    2         0.0004   
216000 only               2         0.0004   
259200                    2         0.0004   
259200 only               2         0.0004   
432000                    1         0.0002   
432000 only               1         0.0002   
604800                    2         0.0004   
864000                    3         0.0006   
864000 only               3         0.0006   
7776000                   2         0.0004   
7776000 only              2         0.0004   
None                      130619    27.259   
None only                 126799    26.4618  

Certificate sig alg       Count     Percent 
-------------------------+---------+--------
None                      8093      1.6889   
ecdsa-with-SHA256         54346     11.3415  
sha1WithRSAEncryption     32309     6.7426   
sha256WithRSAEncryption   406902    84.9167  
sha384WithRSAEncryption   3         0.0006   
sha512WithRSAEncryption   52        0.0109   

Certificate key size      Count     Percent 
-------------------------+---------+--------
ECDSA 256                 54398     11.3524  
ECDSA 384                 18        0.0038   
ECDSA 521                 1         0.0002   
RSA 1024                  28        0.0058   
RSA 2048                  416954    87.0144  
RSA 2049                  3         0.0006   
RSA 2056                  2         0.0004   
RSA 2058                  2         0.0004   
RSA 2084                  4         0.0008   
RSA 2086                  1         0.0002   
RSA 2096                  2         0.0004   
RSA 2432                  1         0.0002   
RSA 3071                  1         0.0002   
RSA 3072                  118       0.0246   
RSA 3073                  1         0.0002   
RSA 3076                  2         0.0004   
RSA 3096                  2         0.0004   
RSA 3248                  2         0.0004   
RSA 4048                  1         0.0002   
RSA 4056                  17        0.0035   
RSA 4092                  7         0.0015   
RSA 4094                  1         0.0002   
RSA 4096                  22025     4.5964   
RSA 4098                  1         0.0002   
RSA 8192                  4         0.0008   
RSA 8392                  1         0.0002   
RSA/ECDSA Dual Stack      14407     3.0066

OCSP stapling             Count     Percent 
-------------------------+---------+--------
Supported                 112039    23.3815  
Unsupported               367139    76.6185  

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      17376     3.6262
SSL2 Only                 10        0.0021
SSL3                      93563     19.5257
SSL3 Only                 980       0.2045
SSL3 or TLS1 Only         47829     9.9815
SSL3 or lower Only        992       0.207
TLS1                      472039    98.5102
TLS1 Only                 29199     6.0936
TLS1 or lower Only        63377     13.2262
TLS1.1                    404578    84.4317
TLS1.1 Only               297       0.062
TLS1.1 or up Only         5984      1.2488
TLS1.2                    412518    86.0887
TLS1.2 Only               2158      0.4504
TLS1.2, 1.0 but not 1.1   7981      1.6656



Statistics from 487333 chains provided by 621854 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  436283    70.1584
incomplete                20784     3.3423
untrusted                 164787    26.4993

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         12        0.0025
3                         485364    99.596
4                         1945      0.3991
5                         12        0.0025

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 42987     
ECDSA 384                 42988     
RSA 1024                  28        
RSA 2045                  2         
RSA 2048                  746942    
RSA 4096                  143676    

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 42987     8.8209
ECDSA 384                 42988     8.8211
RSA 1024                  26        0.0053
RSA 2045                  2         0.0004
RSA 2048                  443976    91.1032
RSA 4096                  143127    29.3694

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              42983     
sha1WithRSAEncryption          37695     
sha256WithRSAEncryption        279113    
sha384WithRSAEncryption        129437    
sha512WithRSAEncryption        62        

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        37722     7.7405
112                       406613    83.4364
128.0                     42998     8.8231

Root CAs                                      Count     Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 115692    23.7398
(2c543cd1) GeoTrust Global CA                 85975     17.6419
(cbf06781) Go Daddy Root Certificate Authorit 43560     8.9384
(eed8c118) COMODO ECC Certification Authority 42977     8.8188
(5ad8a5d6) GlobalSign Root CA                 41299     8.4745
(b204d74a) VeriSign Class 3 Public Primary Ce 28043     5.7544
(244b5494) DigiCert High Assurance EV Root CA 18414     3.7785
(2e4eed3c) thawte Primary Root CA             17524     3.5959
(fc5a8f99) USERTrust RSA Certification Author 13626     2.796
(653b494a) Baltimore CyberTrust Root          10432     2.1406
(3513523f) DigiCert Global Root CA            8525      1.7493
(ae8153b9) StartCom Certification Authority   7668      1.5735
(4bfab552) Starfield Root Certificate Authori 7663      1.5724
(480720ec) GeoTrust Primary Certification Aut 4978      1.0215

Scan performed between 22nd of February and 16th of March 2016

2 comments

    1. ah! I knew I had to do something! 😉 Yes, I have been running them, I haven’t had the time to process them, I’ll probably just post the statistics, without analysis.

      That being said, it’s not that I have not been working on scans, I have been working, and I’ll even have a new statistic – TLSv1.3 intolerance for July (once it finishes running). For August the scan will be even more detailed, with extension and overall size intolerance added.
