March 2016 scan results

Haven’t had much time to process the results, at the same time, not much has changed (just continuation of established trends).

SSL/TLS survey of 551637 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      484308    87.7947
3DES Only                 592       0.1073
3DES Preferred            1803      0.3268
3DES forced in TLS1.1+    945       0.1713
AES                       546565    99.0806
AES Only                  43629     7.909
AES-CBC                   546039    98.9852
AES-CBC Only              8757      1.5875
AES-GCM                   442034    80.1313
AES-GCM Only              490       0.0888
CAMELLIA                  235037    42.6072
CAMELLIA Only             3         0.0005
CHACHA20                  74906     13.5789
CHACHA20 Only             1         0.0002
Insecure                  53675     9.7301
RC4                       165105    29.93
RC4 Only                  189       0.0343
RC4 Preferred             16635     3.0156
RC4 forced in TLS1.1+     8955      1.6234
x:FF 29 3DES Only         637       0.1155
x:FF 29 3DES Preferred    2172      0.3937
x:FF 29 RC4 Only          263       0.0477
x:FF 29 RC4 Preferred     18392     3.3341
x:FF 29 incompatible      389       0.0705
x:FF 35 3DES Only         644       0.1167
x:FF 35 3DES Preferred    2079      0.3769
x:FF 35 RC4 Only          313       0.0567
x:FF 35 RC4 Preferred     18423     3.3397
x:FF 35 incompatible      393       0.0712
x:FF 44 3DES Only         4780      0.8665
x:FF 44 3DES Preferred    8693      1.5759
x:FF 44 incompatible      706       0.128
y:DHE-RSA-SEED-SHA        69733     12.6411
y:IDEA-CBC-SHA            66812     12.1116
y:SEED-SHA                80215     14.5413
z:ADH-AES128-GCM-SHA256   415       0.0752
z:ADH-AES128-SHA          692       0.1254
z:ADH-AES128-SHA256       283       0.0513
z:ADH-AES256-GCM-SHA384   428       0.0776
z:ADH-AES256-SHA          704       0.1276
z:ADH-AES256-SHA256       283       0.0513
z:ADH-CAMELLIA128-SHA     365       0.0662
z:ADH-CAMELLIA256-SHA     368       0.0667
z:ADH-DES-CBC-SHA         279       0.0506
z:ADH-DES-CBC3-SHA        707       0.1282
z:ADH-RC4-MD5             522       0.0946
z:ADH-SEED-SHA            294       0.0533
z:AECDH-AES128-SHA        8357      1.5149
z:AECDH-AES256-SHA        8387      1.5204
z:AECDH-DES-CBC3-SHA      8323      1.5088
z:AECDH-NULL-SHA          56        0.0102
z:AECDH-RC4-SHA           7767      1.408
z:DES-CBC-MD5             7631      1.3833
z:DES-CBC-SHA             34001     6.1637
z:DES-CBC3-MD5            18130     3.2866
z:ECDHE-RSA-NULL-SHA      63        0.0114
z:EDH-RSA-DES-CBC-SHA     28894     5.2379
z:EXP-ADH-DES-CBC-SHA     182       0.033
z:EXP-ADH-RC4-MD5         181       0.0328
z:EXP-DES-CBC-SHA         11397     2.066
z:EXP-EDH-RSA-DES-CBC-SHA 8988      1.6293
z:EXP-RC2-CBC-MD5         13770     2.4962
z:EXP-RC4-MD5             14407     2.6117
z:EXP1024-DES-CBC-SHA     3787      0.6865
z:EXP1024-RC4-SHA         3834      0.695
z:IDEA-CBC-MD5            1577      0.2859
z:NULL-MD5                182       0.033
z:NULL-SHA                189       0.0343
z:NULL-SHA256             43        0.0078
z:RC2-CBC-MD5             7791      1.4123
z:RC4-64-MD5              776       0.1407

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               133547    24.2092
Server side               418090    75.7908

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       857       0.1554
AECDH                     8405      1.5236
DHE                       295868    53.6345
ECDH                      2         0.0004
ECDHE                     469045    85.0278
ECDHE and DHE             247197    44.8115
RSA                       474406    85.9997

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               118316    21.4482  39.9895
DH,1536bits               1         0.0002   0.0003
DH,2048bits               166870    30.25    56.4002
DH,2236bits               65        0.0118   0.022
DH,2432bits               3         0.0005   0.001
DH,3072bits               115       0.0208   0.0389
DH,3092bits               1         0.0002   0.0003
DH,4046bits               1         0.0002   0.0003
DH,4094bits               1         0.0002   0.0003
DH,4096bits               10250     1.8581   3.4644
DH,512bits                57        0.0103   0.0193
DH,768bits                352       0.0638   0.119
DH,8192bits               10        0.0018   0.0034
ECDH,B-571,570bits        2139      0.3878   0.456
ECDH,K-163,163bits        1         0.0002   0.0002
ECDH,P-192,192bits        20        0.0036   0.0043
ECDH,P-224,224bits        90        0.0163   0.0192
ECDH,P-256,256bits        450911    81.7405  96.1338
ECDH,P-384,384bits        5288      0.9586   1.1274
ECDH,P-521,521bits        12472     2.2609   2.659
Prefer DH,1024bits        46513     8.4318   15.7209
Prefer DH,1536bits        1         0.0002   0.0003
Prefer DH,2048bits        5993      1.0864   2.0256
Prefer DH,3072bits        10        0.0018   0.0034
Prefer DH,4096bits        386       0.07     0.1305
Prefer DH,768bits         37        0.0067   0.0125
Prefer ECDH,B-571,570bits 1925      0.349    0.4104
Prefer ECDH,K-163,163bits 1         0.0002   0.0002
Prefer ECDH,P-224,224bits 87        0.0158   0.0185
Prefer ECDH,P-256,256bits 414883    75.2094  88.4527
Prefer ECDH,P-384,384bits 3903      0.7075   0.8321
Prefer ECDH,P-521,521bits 11412     2.0688   2.433
Prefer PFS                485151    87.9475  0
Support PFS               517716    93.8508  0

Supported ECC curves      Count     Percent 
-------------------------+---------+--------
brainpoolP256r1           7010      1.2708   
brainpoolP384r1           7016      1.2719   
brainpoolP512r1           7016      1.2719   
prime192v1                1542      0.2795   
prime192v1 Only           1         0.0002   
prime256v1                465478    84.3812  
prime256v1 Only           399795    72.4743  
secp160k1                 1479      0.2681   
secp160r1                 1485      0.2692   
secp160r2                 1478      0.2679   
secp192k1                 1492      0.2705   
secp224k1                 1571      0.2848   
secp224r1                 4963      0.8997   
secp256k1                 8958      1.6239   
secp384r1                 66416     12.0398  
secp384r1 Only            776       0.1407   
secp521r1                 33828     6.1323   
secp521r1 Only            143       0.0259   
sect163k1                 1480      0.2683   
sect163k1 Only            2         0.0004   
sect163r1                 1478      0.2679   
sect163r2                 1478      0.2679   
sect193r1                 1478      0.2679   
sect193r2                 1478      0.2679   
sect233k1                 1563      0.2833   
sect233r1                 1563      0.2833   
sect239k1                 1563      0.2833   
sect283k1                 8428      1.5278   
sect283r1                 8425      1.5273   
sect409k1                 8431      1.5284   
sect409r1                 8429      1.528    
sect571k1                 8434      1.5289   
sect571r1                 8434      1.5289   

Unsupported curve fallback     Count     Percent 
------------------------------+---------+--------
False                          48103     8.72     
True                           357854    64.8713  
order-specific                 74        0.0134   
unknown                        145606    26.3953  

ECC curve ordering        Count     Percent 
-------------------------+---------+--------
client                    8089      1.4664   
inconclusive-noecc        7         0.0013   
server                    458334    83.0862  
unknown                   85207     15.4462  

TLSv1.2 PFS supported sigalgs  Count     Percent 
------------------------------+---------+--------
ECDSA-SHA1                     48616     8.813    
ECDSA-SHA1 Only                5         0.0009   
ECDSA-SHA224                   48602     8.8105   
ECDSA-SHA256                   64365     11.668   
ECDSA-SHA384                   64360     11.6671  
ECDSA-SHA512                   64365     11.668   
ECDSA-SHA512 Only              6         0.0011   
RSA-MD5                        46119     8.3604   
RSA-SHA1                       404339    73.298   
RSA-SHA1 Only                  37023     6.7115   
RSA-SHA224                     339349    61.5167  
RSA-SHA256                     375560    68.081   
RSA-SHA256 Only                7280      1.3197   
RSA-SHA384                     341601    61.925   
RSA-SHA384 Only                3         0.0005   
RSA-SHA512                     341567    61.9188  
RSA-SHA512 Only                84        0.0152   

TLSv1.2 PFS ordering           Count     Percent 
------------------------------+---------+--------
client                         252624    45.7953  
indeterminate                  57        0.0103   
intolerant                     5553      1.0066   
order-fallback                 7         0.0013   
server                         199982    36.2525  
unsupported                    18801     3.4082   

TLSv1.2 PFS sigalg fallback    Count     Percent 
------------------------------+---------+--------
ECDSA SHA1                     48595     8.8092   
ECDSA intolerant               74        0.0134   
ECDSA pfs-rsa-SHA512           15721     2.8499   
RSA False                      45736     8.291    
RSA SHA1                       328060    59.4703  
RSA intolerant                 39590     7.1768   
RSA pfs-ecdsa-SHA512           1         0.0002   
RSA soft-nopfs                 500       0.0906   

Renegotiation             Count     Percent 
-------------------------+---------+--------
False                     5768      1.0456   
insecure                  16732     3.0332   
secure                    529137    95.9212  

Compression               Count     Percent 
-------------------------+---------+--------
1 (zlib compression)      7977      1.4461   
False                     5768      1.0456   
NONE                      537892    97.5083  

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
1                         4         0.0007   
1 only                    4         0.0007   
2                         2         0.0004   
2 only                    2         0.0004   
5                         3         0.0005   
5 only                    3         0.0005   
10                        6         0.0011   
10 only                   6         0.0011   
15                        5         0.0009   
15 only                   5         0.0009   
30                        18        0.0033   
30 only                   17        0.0031   
60                        170       0.0308   
60 only                   166       0.0301   
65                        1         0.0002   
65 only                   1         0.0002   
70                        6         0.0011   
75                        1         0.0002   
75 only                   1         0.0002   
100                       13        0.0024   
100 only                  13        0.0024   
120                       23        0.0042   
120 only                  23        0.0042   
128                       2         0.0004   
128 only                  2         0.0004   
150                       2         0.0004   
180                       72        0.0131   
180 only                  70        0.0127   
240                       14        0.0025   
240 only                  14        0.0025   
244                       1         0.0002   
244 only                  1         0.0002   
300                       268504    48.674   
300 only                  264860    48.0135  
302                       3         0.0005   
302 only                  3         0.0005   
360                       2         0.0004   
360 only                  1         0.0002   
400                       5         0.0009   
400 only                  5         0.0009   
420                       124       0.0225   
420 only                  105       0.019    
450                       1         0.0002   
450 only                  1         0.0002   
480                       10        0.0018   
480 only                  10        0.0018   
500                       4         0.0007   
500 only                  4         0.0007   
540                       3         0.0005   
540 only                  3         0.0005   
600                       27697     5.0209   
600 only                  27547     4.9937   
660                       3         0.0005   
660 only                  3         0.0005   
720                       1         0.0002   
720 only                  1         0.0002   
840                       1         0.0002   
840 only                  1         0.0002   
900                       1254      0.2273   
900 only                  1233      0.2235   
960                       2         0.0004   
960 only                  2         0.0004   
1000                      1         0.0002   
1000 only                 1         0.0002   
1200                      3011      0.5458   
1200 only                 3007      0.5451   
1210                      1         0.0002   
1210 only                 1         0.0002   
1300                      1         0.0002   
1300 only                 1         0.0002   
1320                      1         0.0002   
1320 only                 1         0.0002   
1380                      1         0.0002   
1380 only                 1         0.0002   
1500                      5         0.0009   
1500 only                 4         0.0007   
1800                      570       0.1033   
1800 only                 559       0.1013   
1980                      2         0.0004   
1980 only                 2         0.0004   
2100                      2         0.0004   
2100 only                 1         0.0002   
2400                      8         0.0015   
2400 only                 8         0.0015   
2700                      9         0.0016   
2700 only                 9         0.0016   
3000                      28        0.0051   
3000 only                 28        0.0051   
3600                      802       0.1454   
3600 only                 792       0.1436   
3900                      1         0.0002   
3900 only                 1         0.0002   
5160                      1         0.0002   
5160 only                 1         0.0002   
5400                      15        0.0027   
5400 only                 8         0.0015   
6000                      288       0.0522   
6000 only                 287       0.052    
7200                      16170     2.9313   
7200 only                 16152     2.928    
10800                     3928      0.7121   
10800 only                3918      0.7102   
14400                     85        0.0154   
14400 only                84        0.0152   
18000                     9         0.0016   
18000 only                9         0.0016   
21600                     4289      0.7775   
21600 only                4289      0.7775   
25200                     1         0.0002   
25200 only                1         0.0002   
28800                     3301      0.5984   
28800 only                3301      0.5984   
36000                     1118      0.2027   
36000 only                1107      0.2007   
43200                     46        0.0083   
43200 only                46        0.0083   
60000                     2         0.0004   
60000 only                2         0.0004   
64800                     63048     11.4293  
64800 only                63047     11.4291  
72000                     8         0.0015   
72000 only                8         0.0015   
79200                     1         0.0002   
79200 only                1         0.0002   
84000                     1         0.0002   
84000 only                1         0.0002   
86000                     51        0.0092   
86000 only                51        0.0092   
86400                     2862      0.5188   
86400 only                2858      0.5181   
100800                    10169     1.8434   
100800 only               10144     1.8389   
108000                    1         0.0002   
108000 only               1         0.0002   
115200                    1         0.0002   
115200 only               1         0.0002   
129600                    8         0.0015   
129600 only               8         0.0015   
172800                    9         0.0016   
172800 only               9         0.0016   
216000                    5         0.0009   
216000 only               5         0.0009   
259200                    2         0.0004   
259200 only               2         0.0004   
432000                    1         0.0002   
432000 only               1         0.0002   
604800                    2         0.0004   
604800 only               1         0.0002   
864000                    4         0.0007   
864000 only               4         0.0007   
7776000                   2         0.0004   
7776000 only              2         0.0004   
None                      147762    26.7861  
None only                 143812    26.07    

Certificate sig alg     Count     Percent 
-------------------------+---------+--------
None                      9012      1.6337   
ecdsa-with-SHA256         61035     11.0643  
sha1WithRSAEncryption     33972     6.1584   
sha256WithRSAEncryption   472384    85.6331  
sha384WithRSAEncryption   5         0.0009   
sha512WithRSAEncryption   59        0.0107   

Certificate key size    Count     Percent 
-------------------------+---------+--------
ECDSA 256                 64371     11.6691  
ECDSA 384                 20        0.0036   
ECDSA 521                 1         0.0002   
RSA 1024                  29        0.0053   
RSA 2048                  480108    87.0333  
RSA 2049                  2         0.0004   
RSA 2056                  2         0.0004   
RSA 2058                  3         0.0005   
RSA 2084                  4         0.0007   
RSA 2086                  1         0.0002   
RSA 2096                  2         0.0004   
RSA 2432                  2         0.0004   
RSA 3071                  1         0.0002   
RSA 3072                  141       0.0256   
RSA 3073                  1         0.0002   
RSA 3076                  6         0.0011   
RSA 3096                  2         0.0004   
RSA 3248                  4         0.0007   
RSA 4048                  4         0.0007   
RSA 4056                  15        0.0027   
RSA 4092                  2         0.0004   
RSA 4094                  2         0.0004   
RSA 4095                  1         0.0002   
RSA 4096                  25981     4.7098   
RSA 8192                  8         0.0015   
RSA 8392                  1         0.0002   
RSA/ECDSA Dual Stack      19066     3.4563

OCSP stapling             Count     Percent 
-------------------------+---------+--------
Supported                 128880    23.3632  
Unsupported               422757    76.6368  

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      18283     3.3143
SSL2 Only                 14        0.0025
SSL3                      101196    18.3447
SSL3 Only                 1158      0.2099
SSL3 or TLS1 Only         54616     9.9007
SSL3 or lower Only        1168      0.2117
TLS1                      542011    98.255
TLS1 Only                 34339     6.2249
TLS1 or lower Only        70962     12.8639
TLS1.1                    467843    84.8099
TLS1.1 Only               333       0.0604
TLS1.1 or up Only         8279      1.5008
TLS1.2                    477009    86.4715
TLS1.2 Only               2566      0.4652
TLS1.2, 1.0 but not 1.1   9002      1.6319


Statistics from 587252 chains provided by 715935 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  525344    73.3787
incomplete                23228     3.2444
untrusted                 167363    23.3768

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         13        0.0022
3                         585030    99.6216
4                         2197      0.3741
5                         12        0.002

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 61011     
ECDSA 384                 61009     
RSA 1024                  26        
RSA 2045                  2         
RSA 2048                  885900    
RSA 4096                  168764    

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 61011     10.3892
ECDSA 384                 61009     10.3889
RSA 1024                  24        0.0041
RSA 2045                  2         0.0003
RSA 2048                  525829    89.5406
RSA 4096                  168152    28.6337

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              61004     
sha1WithRSAEncryption          38564     
sha256WithRSAEncryption        338536    
sha384WithRSAEncryption        151286    
sha512WithRSAEncryption        70        

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        38602     6.5733
112                       487624    83.0349
128.0                     61026     10.3918

Most popular root CAs                         Count     Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 135263    23.0332
(2c543cd1) GeoTrust Global CA                 101180    17.2294
(eed8c118) COMODO ECC Certification Authority 60996     10.3867
(5ad8a5d6) GlobalSign Root CA                 56051     9.5446
(cbf06781) Go Daddy Root Certificate Authorit 49631     8.4514
(b204d74a) VeriSign Class 3 Public Primary Ce 31013     5.281
(244b5494) DigiCert High Assurance EV Root CA 20318     3.4598
(2e4eed3c) thawte Primary Root CA             18889     3.2165
(fc5a8f99) USERTrust RSA Certification Author 15885     2.705
(653b494a) Baltimore CyberTrust Root          13245     2.2554
(4bfab552) Starfield Root Certificate Authori 10600     1.805
(3513523f) DigiCert Global Root CA            9653      1.6438
(ae8153b9) StartCom Certification Authority   8863      1.5092
(2e5ac55d) DST Root CA X3                     7351      1.2518


Test ran between 17th of March and 5th of April 2016
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s