badcrypto

RC4 in clients

While I’m checking which and how many servers use RC4 cipher suites I haven’t said anything about clients in general. The reason is two fold, firstly because basically all current clients should be supporting at least 3DES and usually AES ciphers and secondly because I don’t have access to any meaningfully large data set (or a site popular enough to make the statistics meaningful) to say anything about clients in general.

Interestingly, people at CloudFlare not only have analyzed their data but also provided quite a few nice graphs to go along it.

The gist of the article is that about 0.000002% (1 in 50 million) of requests ends up using RC4 ciphers. Of that about 50% are MitM proxies used by schools or institutions and 30% are old candy bar phones (from 2006 and 2007).

Head over to The Web is World-Wide, or who still needs RC4? for more info.

Advertisements

Microsoft new encryption efforts

Matt Thomlinson has posted an article “Advancing our encryption and transparency efforts” where he basically says that now the mail going though Outlook.com will be encrypted. Additionally that security enhancements to many other services, like Azure, Office 365, etc. are already deployed

Let’s take a closer look at those claims.

Outlook.com web interface

Quick scan of outlook.com using ssllabs.com scanner quickly shows that the servers are actually badly configured and support insecure, client-initiated renegotiation. In effect, they are vulnerable to the MITM attacks (CVE-2009-3555). Grade F.

They also don’t support TLS1.2 or perfect forward secrecy suites.

At least RC4 is not negotiated by default…

Very bad configuration.

Outlook.com SMTP

According to google data, the mails in transit are indeed encrypted both inbound and outbound.

And indeed, the configuration for the SMTP servers supports PFS, has good ordering of cipher suites and the certificates are trusted and have correct Subject Alternative Names:

./cipherscan -starttls smtp -servername mx1.hotmail.com mx1.hotmail.com:25
............                                
prio  ciphersuite              protocols                    pfs_keysize
1     ECDHE-RSA-AES256-SHA384  TLSv1.2                      ECDH,P-384,384bits
2     ECDHE-RSA-AES128-SHA256  TLSv1.2                      ECDH,P-256,256bits
3     ECDHE-RSA-AES256-SHA     TLSv1,TLSv1.1,TLSv1.2        ECDH,P-384,384bits
4     ECDHE-RSA-AES128-SHA     TLSv1,TLSv1.1,TLSv1.2        ECDH,P-256,256bits
5     AES256-SHA256            TLSv1.2 
6     AES128-SHA256            TLSv1.2
7     AES256-SHA               TLSv1,TLSv1.1,TLSv1.2
8     AES128-SHA               TLSv1,TLSv1.1,TLSv1.2
9     DES-CBC3-SHA             SSLv3,TLSv1,TLSv1.1,TLSv1.2
10    RC4-SHA                  SSLv3,TLSv1,TLSv1.1,TLSv1.2
11    RC4-MD5                  SSLv3,TLSv1,TLSv1.1,TLSv1.2

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Server side cipher ordering

OK configuration.

OneDrive web interface

The onedrive.live.com has also a good configuration. Grade A+. The server uses HTTP Strict Transport Security, is not vulnerable to any known exploits, uses PFS with modern browsers (ECDHE only, sadly no DHE) and does not use RC4 unless its the only cipher supported by client (prioritised above 3DES and AES cipher suites).

The only two small faults are: no support for AES-GCM cipher suites and the certificates are signed with the weak SHA1. The latter being definitely the bigger issue.

All in all, an OK config.

Azure web interface

Let us take a look at Azure web site now. While the server does get grade A-, the problems it has are a bit more major.

Firstly, the server prioritises RC4 cipher above others. Secondly, while it is PFS capable, it doesn’t prioritise ECDHE cipher suites.

Again, the server doesn’t support AES-GCM and uses certificates signed with the weak SHA1.

Bad configuration if we apply the advice from Microsoft Security Advisory 2868725.

Bad configuration.

Summary

While some of their servers are indeed configured correctly, leaving servers wide open to known security exploits (CVE-2009-3555) doesn’t bode well for the general security practice inside the cloud computing division…

Is RC4-less browsing possible?

As some of you know, YouTube now supports one other cipher except the venerable RC4. Unfortunately this other cipher suite is not supported by currently released Firefox (but is supported by the underlying cryptographic library – NSS).

So I went and implemented a patch that allows the user to enable this other cipher suite (among others).

Side note: while compiling Firefox requires quite a few dependencies and lots of patience (not to mention few gigabytes of disk space), the process itself is really easy with all the guides available on the Mozilla developer’s network. Props to all the people responsible for this documentation and scripts!

The patch I wrote unfortunately was shot down by Brian Smith because the current goal is to push server operators to implement support for ECDHE and AES-GCM. While this is a noble goal, I’m a bit more pragmatic (or impatient if you will) and want the cipher suite selection to represent what servers do not what we want them to do.

(While I write below about Firefox 29, the same is true about current development master branch.)

Current state of Firefox 29

I took this month’s scan results and checked them against Firefox offered ciphers.

The good news: Firefox 29 cipher selection is incompatible with less than 0.01% of sites (assuming that all Internet servers are supporting at least one cipher suite that OpenSSL supports).

The bad news: its cipher selection makes the number of servers that prefer RC4 over other cipher suites larger by another 2.68% (for a total of 21.3%).

Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 RC4 Only          301       0.0858
x:FF 29 RC4 Preferred     9421      2.6844
x:FF 29 incompatible      31        0.0088

Lets look closer at the ciphers that cause some servers to be elevated to the RC4 Only state (excluding the obviously bad anonymous cipher suites or export grade):

FF 29 RC4 Only other ciphers  Count    Percent
-----------------------------+---------+------
AES128-GCM-SHA256              49        0.014
AES128-SHA256                  98        0.0279
AES256-GCM-SHA384              26        0.0074
AES256-SHA256                  98        0.0279
DHE-RSA-AES128-GCM-SHA256      7         0.002
DHE-RSA-AES128-SHA256          4         0.0011
DHE-RSA-AES256-GCM-SHA384      9         0.0026
DHE-RSA-AES256-SHA256          7         0.002
DHE-RSA-SEED-SHA               31        0.0088
ECDHE-RSA-AES128-SHA256        82        0.0234
ECDHE-RSA-AES256-GCM-SHA384    2         0.0006
ECDHE-RSA-AES256-SHA384        43        0.0123
IDEA-CBC-SHA                   32        0.0091
SEED-SHA                       32        0.0091

We can see that most of those servers support the non ephemeral AES128-SHA256 cipher or ECDHE-RSA-AES128-SHA256. In other words, secure ciphers but slower that the AES128-SHA or ECDHE-RSA-AES128-SHA ciphers (though not necessarily less secure than them).

Now, lets take a look at the set of ciphers that cause Firefox to prefer RC4 while it’s not actually the first cipher selected by server (again, excluding the obviously bad cipher suites):

FF 29 RC4 pref other ciphers  Count    Percent
-----------------------------+---------+------
AES128-GCM-SHA256              7935      2.261
AES128-SHA256                  9212      2.6249
AES256-GCM-SHA384              7887      2.2473
AES256-SHA256                  9212      2.6249
DHE-RSA-AES128-GCM-SHA256      110       0.0313
DHE-RSA-AES128-SHA256          110       0.0313
DHE-RSA-AES256-GCM-SHA384      112       0.0319
DHE-RSA-AES256-SHA256          113       0.0322
DHE-RSA-SEED-SHA               68        0.0194
ECDHE-RSA-AES128-SHA256        7050      2.0088
ECDHE-RSA-AES256-GCM-SHA384    6344      1.8077
ECDHE-RSA-AES256-SHA384        6698      1.9085
IDEA-CBC-SHA                   1770      0.5043
SEED-SHA                       1792      0.5106

We again see AES128-SHA256 and ECDHE-RSA-AES128-SHA256 high, additionally AES128-GCM-SHA256 and AES256-SHA256 is common and supported by NSS cryptographic library. AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384 and ECDHE-RSA-AES256-SHA384 are also common, but unsupported by NSS.

Interestingly, the sites that are unsupported by Firefox, are unsupported for a good reason:

FF 29 incompatible ciphers    Count    Percent
-----------------------------+---------+------
ADH-AES128-SHA                 8         0.0023
ADH-AES256-SHA                 8         0.0023
ADH-DES-CBC3-SHA               8         0.0023
ADH-RC4-MD5                    8         0.0023
AECDH-AES128-SHA               1         0.0003
AECDH-AES256-SHA               1         0.0003
AECDH-DES-CBC3-SHA             1         0.0003
AECDH-RC4-SHA                  1         0.0003
DES-CBC-SHA                    16        0.0046
DHE-RSA-AES128-GCM-SHA256      1         0.0003
DHE-RSA-AES256-GCM-SHA384      2         0.0006
DHE-RSA-AES256-SHA256          1         0.0003
ECDHE-RSA-AES256-GCM-SHA384    3         0.0009
EDH-RSA-DES-CBC-SHA            15        0.0043
EXP-DES-CBC-SHA                11        0.0031
EXP-EDH-RSA-DES-CBC-SHA        12        0.0034
EXP-RC2-CBC-MD5                11        0.0031
EXP-RC4-MD5                    11        0.0031
NULL-MD5                       4         0.0011
NULL-SHA                       4         0.0011
NULL-SHA256                    3         0.0009

That gives us at most 7 servers (but no less than 3 servers) that could be supported if NSS supported SHA384 as the TLSv1.2 PRF without adding any insecure cipher suites.

Firefox 29 with RC4 disabled

OK, so current cipher selection provides very good compatibility, but not security for over 20% of sites on the Internet. How this picture changes if we remove support for RC4 ciphers?

Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 incompatible      3790      1.0799

We become incompatible with just a bit over 1% of servers. Lets take a look at ciphers we can enable then to become more compatible (excluding the obvious bad choices):

FF 29 incompatible ciphers    Count    Percent
-----------------------------+---------+------
AES128-GCM-SHA256              49        0.014
AES128-SHA256                  98        0.0279
AES256-GCM-SHA384              26        0.0074
AES256-SHA256                  98        0.0279
DHE-RSA-AES128-GCM-SHA256      8         0.0023
DHE-RSA-AES128-SHA256          4         0.0011
DHE-RSA-AES256-GCM-SHA384      11        0.0031
DHE-RSA-AES256-SHA256          8         0.0023
DHE-RSA-SEED-SHA               31        0.0088
ECDHE-RSA-AES128-SHA256        82        0.0234
ECDHE-RSA-AES256-GCM-SHA384    5         0.0014
ECDHE-RSA-AES256-SHA384        43        0.0123
ECDHE-RSA-RC4-SHA              104       0.0296
IDEA-CBC-SHA                   32        0.0091
RC4-MD5                        2136      0.6086
RC4-SHA                        3518      1.0024
SEED-SHA                       32        0.0091

The obvious solution would be to enable RC4, but as we’ve established, this is not a good idea.

Firefox 29 and one more cipher

If we could enable one more cipher, it would probably be ECDHE-RSA-AES128-SHA256. Result of such change would look like this:

Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 RC4 Only          219       0.0624
x:FF 29 RC4 Preferred     2705      0.7708
x:FF 29 incompatible      31        0.0088

2% change by adding just a single cipher suite!

Firefox 29 with more cipher suites

We know that when we disable RC4 we loose access to about 1% of sites. Lets see if we can decrease the number of sites that select RC4 but don’t prefer it over all other ciphers.

When we enable ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256 and DHE-RSA-AES256-SHA256 the statistics look like this:

Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 RC4 Only          209       0.0596
x:FF 29 RC4 Preferred     2631      0.7497
x:FF 29 incompatible      29        0.0083

In other words, this decreases the number of sites that prefer RC4 by nearly 2%!.

Adding AES128-GCM-SHA256, AES128-SHA256 and AES256-SHA256 to the mix causes the percentage to drop further to less than 0.1%:

Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 RC4 Only          161       0.0459
x:FF 29 RC4 Preferred     251       0.0715
x:FF 29 incompatible      29        0.0083

Firefox 29 with more ciphers but no RC4

Removing RC4 ciphers in Firefox with this extended cipher set causes it to be incompatible with 1.04% of sites, compared to 1.08% in default configuration:

Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 incompatible      3648      1.0395

The cipher suites that cause this lack of compatibility:

FF 29 incompatible ciphers    Count    Percent
-----------------------------+---------+------
ADH-AES128-GCM-SHA256          1         0.0003
ADH-AES128-SHA                 10        0.0028
ADH-AES128-SHA256              1         0.0003
ADH-AES256-GCM-SHA384          1         0.0003
ADH-AES256-SHA                 10        0.0028
ADH-AES256-SHA256              1         0.0003
ADH-CAMELLIA128-SHA            1         0.0003
ADH-CAMELLIA256-SHA            1         0.0003
ADH-DES-CBC-SHA                2         0.0006
ADH-DES-CBC3-SHA               10        0.0028
ADH-RC4-MD5                    25        0.0071
ADH-SEED-SHA                   1         0.0003
AECDH-AES128-SHA               6         0.0017
AECDH-AES256-SHA               6         0.0017
AECDH-DES-CBC3-SHA             6         0.0017
AECDH-RC4-SHA                  8         0.0023
AES128-SHA256                  3         0.0009
DES-CBC-SHA                    59        0.0168
DHE-RSA-AES256-GCM-SHA384      1         0.0003
DHE-RSA-SEED-SHA               31        0.0088
ECDHE-RSA-AES256-GCM-SHA384    4         0.0011
ECDHE-RSA-RC4-SHA              94        0.0268
EDH-RSA-DES-CBC-SHA            44        0.0125
EXP-ADH-DES-CBC-SHA            1         0.0003
EXP-ADH-RC4-MD5                4         0.0011
EXP-DES-CBC-SHA                38        0.0108
EXP-EDH-RSA-DES-CBC-SHA        30        0.0085
EXP-RC2-CBC-MD5                128       0.0365
EXP-RC4-MD5                    228       0.065
IDEA-CBC-SHA                   32        0.0091
NULL-MD5                       16        0.0046
NULL-SHA                       14        0.004
NULL-SHA256                    3         0.0009
RC4-MD5                        2038      0.5807
RC4-SHA                        3398      0.9682
SEED-SHA                       32        0.0091

Summary

Enabling additional cipher suites already supported by NSS makes connections to more than 2% of sites more secure. While enabling support for them is statistically insignificant for configuration with RC4 disabled, the sites affected by it are not exactly small.

Most likely the reason for the 2% discrepancy between sites that prefer RC4 in general and that negotiate RC4 with Firefox are the servers that run old (2.2.x) versions of Apache which do not support ECDHE key exchange but do support TLSv1.2. Administrators of those servers that still consider BEAST a threat, may want to select different ciphers in TLSv1.1 and later (which makes all ciphers BEAST invulnerable) than in TLSv1.0. Unfortunately, Apache doesn’t really facilitate that, and so they are left with just putting all ciphers that require TLSv1.2 right before RC4 ciphers. Combined with the fact that Firefox supports only two cipher suites that require TLSv1.2 (ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-RSA-AES128-GCM-SHA256), makes the connections in the end use RC4.

Thankfully Apache 2.2 will gain support for ECDHE so this number should fall in the future.

RC4 Only servers fall below 1% – June 2014 scan results

Another month, another set of results. This month’s big news is the percent of servers that support only RC4 ciphers has fallen below the 1% mark!

Note that this set is compared to the just now published results of SNI-enabled scan from last month not the results published a month ago!

The general choice of block ciphers haven’t changed much, AES-GCM has grown a bit (by 1.2%), the cipher of choice for the Internet is still AES (at over 93%).

Percent of servers with misconfigured cipher suites haven’t changed much, AECDH have grown by little bit (by 0.19%).

Number of servers that support PFS is steadily growing, with DHE gaining nearly 0.5% and ECDHE gaining 1.2%. Number of servers that prefer the weak 1024 bit DH parameters has also fallen by over 0.5%. So not only we’re getting new properly configured servers but also older ones are updated to support the more secure and faster ECDHE with 256bit curves!

Unfortunately, it looks like the sudden increase of SHA-256 signed certificates is over and we’re back to the steady, slow increase. This month it has grown by 0.9%.

The kind of keys that are being signed haven’t changed significantly. 2048bit RSA is still the key size of choice for over 95% of server admins.

Also, the number of servers that support only SSLv3 has fallen below 1% mark, it’s at 0.993% now. Unfortunately, the number of servers that support TLSv1.2 has increased only by 1.65%.

SSL/TLS survey of 350949 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      305304    86.9938
3DES Only                 137       0.039
AES                       329405    93.8612
AES Only                  923       0.263
AES-CBC Only              616       0.1755
AES-GCM                   137654    39.2234
AES-GCM Only              3         0.0009
CAMELLIA                  141331    40.2711
CHACHA20                  16443     4.6853
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
z:ADH-AES128-GCM-SHA256   320       0.0912
z:ADH-AES128-SHA          1336      0.3807
z:ADH-AES128-SHA256       299       0.0852
z:ADH-AES256-GCM-SHA384   305       0.0869
z:ADH-AES256-SHA          1338      0.3813
z:ADH-AES256-SHA256       302       0.0861
z:ADH-CAMELLIA128-SHA     706       0.2012 
z:ADH-CAMELLIA256-SHA     713       0.2032
z:ADH-DES-CBC-SHA         740       0.2109 
z:ADH-DES-CBC3-SHA        1405      0.4003
z:ADH-RC4-MD5             1268      0.3613
z:ADH-SEED-SHA            392       0.1117
z:AECDH-AES128-SHA        10114     2.8819
z:AECDH-AES256-SHA        10117     2.8828
z:AECDH-DES-CBC3-SHA      10087     2.8742
z:AECDH-NULL-SHA          16        0.0046
z:AECDH-RC4-SHA           9668      2.7548
z:DES-CBC-SHA             67043     19.1033
z:DHE-RSA-SEED-SHA        58392     16.6383
z:ECDHE-RSA-NULL-SHA      19        0.0054
z:EDH-RSA-DES-CBC-SHA     52382     14.9258
z:EXP-ADH-DES-CBC-SHA     453       0.1291
z:EXP-ADH-RC4-MD5         456       0.1299
z:EXP-DES-CBC-SHA         55024     15.6786
z:EXP-EDH-RSA-DES-CBC-SHA 37222     10.6061
z:EXP-RC2-CBC-MD5         52973     15.0942
z:IDEA-CBC-SHA            62257     17.7396
z:NULL-MD5                333       0.0949
z:NULL-SHA                330       0.094
z:NULL-SHA256             18        0.0051
z:SEED-SHA                72273     20.5936

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1461      0.4163
AECDH                     10145     2.8907
DHE                       170916    48.7011
ECDH                      1         0.0003
ECDHE                     158213    45.0815
ECDHE and DHE             54584     15.5533
RSA                       350676    99.9222

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               158684    45.2157  92.8433
DH,2048bits               10821     3.0834   6.3312
DH,2226bits               2         0.0006   0.0012
DH,3072bits               5         0.0014   0.0029
DH,3246bits               2         0.0006   0.0012
DH,3248bits               2         0.0006   0.0012
DH,4096bits               538       0.1533   0.3148
DH,512bits                37361     10.6457  21.8593
DH,768bits                720       0.2052   0.4213
ECDH,B-163,163bits        18        0.0051   0.0114
ECDH,B-571,570bits        347       0.0989   0.2193
ECDH,P-224,224bits        5         0.0014   0.0032
ECDH,P-256,256bits        157058    44.7524  99.27
ECDH,P-384,384bits        184       0.0524   0.1163
ECDH,P-521,521bits        683       0.1946   0.4317
Prefer DH,1024bits        103305    29.4359  60.442
Prefer DH,2048bits        2429      0.6921   1.4212
Prefer DH,4096bits        36        0.0103   0.0211
Prefer DH,512bits         2         0.0006   0.0012
Prefer DH,768bits         83        0.0237   0.0486
Prefer ECDH,B-163,163bits 18        0.0051   0.0114
Prefer ECDH,B-571,570bits 270       0.0769   0.1707
Prefer ECDH,P-224,224bits 3         0.0009   0.0019
Prefer ECDH,P-256,256bits 114187    32.5366  72.173
Prefer ECDH,P-384,384bits 120       0.0342   0.0758
Prefer ECDH,P-521,521bits 636       0.1812   0.402
Prefer PFS                221089    62.9975  0
Support PFS               274545    78.2293  0

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
5                         1         0.0003   
5 only                    1         0.0003   
10                        2         0.0006   
10 only                   2         0.0006   
30                        1         0.0003   
30 only                   1         0.0003   
42                        1         0.0003   
42 only                   1         0.0003   
60                        12        0.0034   
60 only                   7         0.002    
120                       2         0.0006   
120 only                  2         0.0006   
128                       1         0.0003   
128 only                  1         0.0003   
180                       21        0.006    
180 only                  21        0.006    
300                       125932    35.8833  
300 only                  110959    31.6168  
420                       8         0.0023   
420 only                  7         0.002    
480                       5         0.0014   
480 only                  5         0.0014   
600                       4723      1.3458   
600 only                  4590      1.3079   
900                       151       0.043    
900 only                  125       0.0356   
960                       1         0.0003   
960 only                  1         0.0003   
1200                      52        0.0148   
1200 only                 51        0.0145   
1500                      7         0.002    
1500 only                 7         0.002    
1800                      97        0.0276   
1800 only                 93        0.0265   
2400                      1         0.0003   
2400 only                 1         0.0003   
3000                      3         0.0009   
3000 only                 2         0.0006   
3600                      162       0.0462   
3600 only                 158       0.045    
5400                      1         0.0003   
6000                      1         0.0003   
6000 only                 1         0.0003   
7200                      10307     2.9369   
7200 only                 1565      0.4459   
10800                     5         0.0014   
10800 only                2         0.0006   
14400                     675       0.1923   
14400 only                675       0.1923   
18000                     3         0.0009   
18000 only                1         0.0003   
21600                     23        0.0066   
21600 only                23        0.0066   
28800                     5         0.0014   
28800 only                5         0.0014   
30720                     1         0.0003   
30720 only                1         0.0003   
36000                     521       0.1485   
36000 only                519       0.1479   
43200                     6485      1.8478   
43200 only                6481      1.8467   
64800                     8656      2.4665   
64800 only                8651      2.465    
86000                     30        0.0085   
86000 only                30        0.0085   
86400                     4061      1.1571   
86400 only                4060      1.1569   
100800                    16457     4.6893   
100800 only               13        0.0037   
115200                    1         0.0003   
115200 only               1         0.0003   
129600                    6         0.0017   
129600 only               6         0.0017   
864000                    6         0.0017   
864000 only               6         0.0017   
None                      212871    60.6558  
None only                 172526    49.1598  

Certificate sig alg     Count     Percent 
-------------------------+---------+--------
None                      11549     3.2908   
ecdsa-with-SHA256         1         0.0003   
sha1WithRSAEncryption     308984    88.0424  
sha256WithRSAEncryption   41971     11.9593  

Certificate key size    Count     Percent 
-------------------------+---------+--------
ECDSA 256                 9203      2.6223   
ECDSA 384                 2         0.0006   
RSA 1024                  1881      0.536    
RSA 2028                  1         0.0003   
RSA 2047                  2         0.0006   
RSA 2048                  336774    95.961   
RSA 2056                  3         0.0009   
RSA 2058                  1         0.0003   
RSA 2060                  1         0.0003   
RSA 2064                  1         0.0003   
RSA 2080                  2         0.0006   
RSA 2084                  4         0.0011   
RSA 2408                  1         0.0003   
RSA 2432                  58        0.0165   
RSA 2536                  1         0.0003   
RSA 2612                  1         0.0003   
RSA 3050                  1         0.0003   
RSA 3072                  31        0.0088   
RSA 3073                  1         0.0003   
RSA 3248                  4         0.0011   
RSA 3600                  1         0.0003   
RSA 4042                  1         0.0003   
RSA 4046                  2         0.0006   
RSA 4048                  2         0.0006   
RSA 4086                  1         0.0003   
RSA 4092                  2         0.0006   
RSA 4096                  12167     3.4669   
RSA 4098                  2         0.0006   
RSA 4192                  1         0.0003   
RSA 8192                  1         0.0003   
RSA/ECDSA Dual Stack      9197      2.6206

OCSP stapling             Count     Percent 
-------------------------+---------+--------
Supported                 52153     14.8606  
Unsupported               298796    85.1394  

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      1         0.0003
SSL3                      346615    98.7651
SSL3 Only                 3485      0.993
SSL3 or TLS1 Only         145785    41.5402
TLS1                      346981    98.8694
TLS1 Only                 1030      0.2935
TLS1.1                    190351    54.2389
TLS1.1 Only               5         0.0014
TLS1.1 or up Only         29        0.0083
TLS1.2                    201166    57.3206
TLS1.2 Only               14        0.004
TLS1.2, 1.0 but not 1.1   14702     4.1892

Scan performed between 10th and 24th June 2014.

May 2014 scan results – SNI enabled

I have extended the cipherscan tool I use for scanning to use SNI for communicating to the servers, tweaked the order of cipher suites so that google servers negotiate ECDSA cipher suites and also collect additional data like OCSP stapling support or TLS session ticket hints.

This makes this results a bit different from the previously published results for May.

SSL/TLS survey of 349511 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      304525    87.1289
3DES Only                 132       0.0378
AES                       327024    93.5662
AES Only                  896       0.2564
AES-CBC Only              610       0.1745
AES-GCM                   132866    38.0148
AES-GCM Only              5         0.0014
CAMELLIA                  139004    39.771
CAMELLIA Only             2         0.0006
CHACHA20                  16551     4.7355
CHACHA20 Only             1         0.0003
RC4                       310624    88.8739
RC4 Only                  4173      1.194
RC4 Preferred             66086     18.9081
RC4 forced in TLS1.1+     42640     12.1999
z:ADH-AES128-GCM-SHA256   312       0.0893
z:ADH-AES128-SHA          1380      0.3948
z:ADH-AES128-SHA256       293       0.0838
z:ADH-AES256-GCM-SHA384   297       0.085
z:ADH-AES256-SHA          1382      0.3954
z:ADH-AES256-SHA256       296       0.0847
z:ADH-CAMELLIA128-SHA     725       0.2074
z:ADH-CAMELLIA256-SHA     731       0.2091
z:ADH-DES-CBC-SHA         766       0.2192
z:ADH-DES-CBC3-SHA        1446      0.4137
z:ADH-RC4-MD5             1303      0.3728
z:ADH-SEED-SHA            622       0.178
z:AECDH-AES128-SHA        9402      2.69
z:AECDH-AES256-SHA        9405      2.6909
z:AECDH-DES-CBC3-SHA      9378      2.6832
z:AECDH-NULL-SHA          19        0.0054
z:AECDH-RC4-SHA           8953      2.5616
z:DES-CBC-SHA             68469     19.5899
z:DHE-RSA-SEED-SHA        57227     16.3734
z:ECDHE-RSA-NULL-SHA      22        0.0063
z:EDH-RSA-DES-CBC-SHA     52676     15.0713
z:EXP-ADH-DES-CBC-SHA     470       0.1345
z:EXP-ADH-RC4-MD5         473       0.1353
z:EXP-DES-CBC-SHA         56608     16.1963
z:EXP-EDH-RSA-DES-CBC-SHA 37766     10.8054
z:EXP-RC2-CBC-MD5         53602     15.3363
z:IDEA-CBC-SHA            60579     17.3325
z:NULL-MD5                350       0.1001
z:NULL-SHA                345       0.0987
z:NULL-SHA256             18        0.0052
z:SEED-SHA                71590     20.4829

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1502      0.4297
AECDH                     9435      2.6995
DHE                       168752    48.2823
ECDHE                     153342    43.8733
ECDHE and DHE             50336     14.4018
RSA                       349257    99.9273

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               157223    44.9837  93.1681
DH,2048bits               10153     2.9049   6.0165
DH,3072bits               5         0.0014   0.003
DH,3248bits               4         0.0011   0.0024
DH,4096bits               513       0.1468   0.304
DH,512bits                37886     10.8397  22.4507
DH,768bits                733       0.2097   0.4344
DH,8192bits               2         0.0006   0.0012
ECDH,B-163,163bits        3         0.0009   0.002
ECDH,B-571,570bits        328       0.0938   0.2139
ECDH,P-224,224bits        4         0.0011   0.0026
ECDH,P-256,256bits        152376    43.5969  99.37
ECDH,P-384,384bits        165       0.0472   0.1076
ECDH,P-521,521bits        532       0.1522   0.3469
Prefer DH,1024bits        105105    30.072   62.2837
Prefer DH,2048bits        2396      0.6855   1.4198
Prefer DH,4096bits        36        0.0103   0.0213
Prefer DH,512bits         1         0.0003   0.0006
Prefer DH,768bits         82        0.0235   0.0486
Prefer ECDH,B-163,163bits 3         0.0009   0.002
Prefer ECDH,B-571,570bits 259       0.0741   0.1689
Prefer ECDH,P-224,224bits 2         0.0006   0.0013
Prefer ECDH,P-256,256bits 109734    31.3964  71.5616
Prefer ECDH,P-384,384bits 105       0.03     0.0685
Prefer ECDH,P-521,521bits 479       0.137    0.3124
Prefer PFS                218202    62.4307  0
Support PFS               271758    77.7538  0

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
5                         1         0.0003   
5 only                    1         0.0003   
10                        2         0.0006   
10 only                   2         0.0006   
30                        1         0.0003   
30 only                   1         0.0003   
42                        1         0.0003   
60                        11        0.0031   
60 only                   6         0.0017   
120                       3         0.0009   
120 only                  3         0.0009   
128                       1         0.0003   
128 only                  1         0.0003   
180                       20        0.0057   
180 only                  20        0.0057   
300                       122495    35.0475  
300 only                  108193    30.9555  
420                       6         0.0017   
420 only                  6         0.0017   
480                       4         0.0011   
480 only                  4         0.0011   
600                       4448      1.2726   
600 only                  4329      1.2386   
900                       120       0.0343   
900 only                  106       0.0303   
960                       1         0.0003   
960 only                  1         0.0003   
1200                      49        0.014    
1200 only                 49        0.014    
1500                      6         0.0017   
1500 only                 6         0.0017   
1800                      82        0.0235   
1800 only                 78        0.0223   
3000                      3         0.0009   
3000 only                 2         0.0006   
3600                      157       0.0449   
3600 only                 154       0.0441   
5400                      1         0.0003   
6000                      1         0.0003   
6000 only                 1         0.0003   
7200                      10327     2.9547   
7200 only                 1603      0.4586   
10800                     5         0.0014   
10800 only                2         0.0006   
14400                     573       0.1639   
14400 only                573       0.1639   
18000                     2         0.0006   
21600                     22        0.0063   
21600 only                22        0.0063   
28800                     5         0.0014   
28800 only                5         0.0014   
36000                     545       0.1559   
36000 only                532       0.1522   
43200                     6516      1.8643   
43200 only                6511      1.8629   
64800                     8477      2.4254   
64800 only                8465      2.422    
86000                     30        0.0086   
86000 only                30        0.0086   
86400                     3573      1.0223   
86400 only                3541      1.0131   
100800                    16555     4.7366   
100800 only               7         0.002    
115200                    1         0.0003   
115200 only               1         0.0003   
129600                    6         0.0017   
129600 only               6         0.0017   
864000                    6         0.0017   
864000 only               6         0.0017   
None                      215218    61.5769  
None only                 175481    50.2076  

Certificate sig alg     Count     Percent 
-------------------------+---------+--------
None                      10888     3.1152   
ecdsa-with-SHA256         1         0.0003   
sha1WithRSAEncryption     310881    88.9474  
sha256WithRSAEncryption   38640     11.0554  

Certificate key size    Count     Percent 
-------------------------+---------+--------
ECDSA 256                 9306      2.6626   
ECDSA 384                 1         0.0003   
RSA 1024                  1928      0.5516   
RSA 2028                  1         0.0003   
RSA 2047                  2         0.0006   
RSA 2048                  335355    95.9498  
RSA 2056                  3         0.0009   
RSA 2060                  1         0.0003   
RSA 2064                  1         0.0003   
RSA 2080                  2         0.0006   
RSA 2084                  4         0.0011   
RSA 2408                  2         0.0006   
RSA 2432                  70        0.02     
RSA 2536                  1         0.0003   
RSA 2612                  1         0.0003   
RSA 3050                  1         0.0003   
RSA 3072                  29        0.0083   
RSA 3073                  1         0.0003   
RSA 3248                  4         0.0011   
RSA 3600                  1         0.0003   
RSA 4042                  1         0.0003   
RSA 4046                  2         0.0006   
RSA 4048                  2         0.0006   
RSA 4069                  1         0.0003   
RSA 4086                  1         0.0003   
RSA 4092                  1         0.0003   
RSA 4096                  12095     3.4605   
RSA 4098                  1         0.0003   
RSA 4192                  1         0.0003   
RSA 8192                  3         0.0009
RSA 16384                 1         0.0003
RSA/ECDSA Dual Stack      9305      2.6623

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 51404     14.7074
Unsupported               298107    85.2926

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      1         0.0003
SSL3                      345529    98.8607
SSL3 Only                 4396      1.2578
SSL3 or TLS1 Only         150360    43.0201
TLS1                      344639    98.6061
TLS1 Only                 1149      0.3287
TLS1.1                    185720    53.1371
TLS1.1 Only               4         0.0011
TLS1.1 or up Only         26        0.0074
TLS1.2                    194572    55.6698
TLS1.2 Only               17        0.0049
TLS1.2, 1.0 but not 1.1   13324     3.8122 

The scan was performed between 16th and 25th of May 2014.

YouTube, now with less RC4

After everybody said not to use RC4 any more, Google finally enabled one additional cipher on Google video servers: TLS_RSA_WITH_AES_128_GCM_SHA256.Unfortunately, this cipher is not supported either by Firefox 30 nor by Internet Explorer on Windows 8.1 or earlier.

Users of Firefox will have to wait for the bug 1029179 to be fixed.

This cipher is though supported by Google Chrome and Chromium, so if you’re a user of those browsers, you can finally disable RC4 for everyday browsing. You can do it either by creating a wrapper script, or modifying the shortcut you use to run those browsers to have one additional option:

chrome --cipher-suite-blacklist=0x0003,0x0004,0x0005,0x0017,0x0018,0x0020,0x0024,0x0028,0x002B,0x0066,0x008A,0x008E,0x0092,0xC002,0xC007,0xC00C,0xC011,0xC016,0xC033

This will disable following cipher suites:

  • 0x0003 – TLS_RSA_EXPORT_WITH_RC4_40_MD5
  • 0x0004 – TLS_RSA_WITH_RC4_128_MD5
  • 0x0005 – TLS_RSA_WITH_RC4_128_SHA
  • 0x0017 – TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
  • 0x0018 – TLS_DH_anon_WITH_RC4_128_MD5
  • 0x0020 – TLS_KRB5_WITH_RC4_128_SHA
  • 0x0024 – TLS_KRB5_WITH_RC4_128_MD5
  • 0x0028 – TLS_KRB5_EXPORT_WITH_RC4_40_SHA
  • 0x002B – TLS_KRB5_EXPORT_WITH_RC4_40_MD5
  • 0x0066 – SSL_DHE_DSS_WITH_RC4_128_SHA
  • 0x008A – TLS_PSK_WITH_RC4_128_SHA
  • 0x008E – TLS_DHE_PSK_WITH_RC4_128_SHA
  • 0x0092 – TLS_RSA_PSK_WITH_RC4_128_SHA
  • 0xC002 – TLS_ECDH_ECDSA_WITH_RC4_128_SHA
  • 0xC007 – TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  • 0xC00C – TLS_ECDH_RSA_WITH_RC4_128_SHA
  • 0xC011 – TLS_ECDHE_RSA_WITH_RC4_128_SHA
  • 0xC016 – TLS_ECDH_anon_WITH_RC4_128_SHA
  • 0xC033 – TLS_ECDHE_PSK_WITH_RC4_128_SHA

While setting all of them is not necessary, as some of them are not supported by the currently used NSS, it may change in the future, so… better safe then sorry.

After starting browser with this new settings, head over to a test site run by Leibniz University Hannover, or the other one run by Qualys and double check if no RC4 ciphers are offered by your browser.

Mozilla recommends disabling RC4

Mozilla currently recommends using 3DES ciphers instead of RC4 for backwards compatibility with very old systems like Android 2 or Internet Explorer on Windows XP.

The current recommendation comes after similar recommendations from researchers that discovered the most recent flaws in it, Cisco, Microsoft and their proposition to IETF as well as Qualys and Bruce Schneier.

The message is clear: don’t use RC4.

If you had for some reason follow the Mozilla guide, you don’t have to use this insecure, nearly 30 year old cipher any more. While you’re changing the cipher suite defaults, consider also updating to Perfect Forward Secrecy capable configuration.

TLS 1.2 adoption half way mark reached! May 2014 cipher scan results

Update: previous version of results counted “broken” cipher suites (export, ADH, AECDH) even if server didn’t have a trusted certificate.

I’ve scanned Alexa Top 1 million sites again and this month’s results results are both depressing and encouraging.

The bad

Number of sites that force RC4 in TLS 1.1 and TLS 1.2 connections has grown (by nearly 1.5%). The percent of sites that accept export grade cryptography or plain broken cryptography hasn’t changed significantly.

The good

Fraction of servers that support only RC4 ciphers has fallen by 0.4% to 1.38%. More and more certificates are using the SHA-256 based signatures (now over 10%, an increase by nearly 5%).

Interestingly, there are first sites that use only ECDSA certificates (at the moment 2).

Also, we’ve finally reached the half way mark for TLS 1.2 adoption on the servers. Over 54% of servers support TLS1.2 and over 51% support TLS1.1.

Results

SSL/TLS survey of 318366 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)

Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      276742    86.9257
3DES Only                 137       0.043
AES                       296225    93.0454
AES Only                  930       0.2921
AES-CBC Only              588       0.1847
AES-GCM                   121699    38.2261
AES-GCM Only              4         0.0013
CAMELLIA                  127345    39.9996
CAMELLIA Only             1         0.0003
CHACHA20                  19834     6.2299
RC4                       283641    89.0927
RC4 Only                  4388      1.3783
RC4 Preferred             59422     18.6647
RC4 forced in TLS1.1+     37507     11.7811
z:ADH-AES128-GCM-SHA256   290       0.0911
z:ADH-AES128-SHA          1431      0.4495
z:ADH-AES128-SHA256       279       0.0876
z:ADH-AES256-GCM-SHA384   285       0.0895
z:ADH-AES256-SHA          1430      0.4492
z:ADH-AES256-SHA256       283       0.0889
z:ADH-CAMELLIA128-SHA     794       0.2494
z:ADH-CAMELLIA256-SHA     799       0.251
z:ADH-DES-CBC-SHA         845       0.2654
z:ADH-DES-CBC3-SHA        1482      0.4655
z:ADH-RC4-MD5             1345      0.4225
z:ADH-SEED-SHA            689       0.2164
z:AECDH-AES128-SHA        8482      2.6642
z:AECDH-AES256-SHA        8485      2.6652
z:AECDH-DES-CBC3-SHA      8457      2.6564
z:AECDH-NULL-SHA          4         0.0013
z:AECDH-RC4-SHA           8091      2.5414
z:DES-CBC-MD5             254       0.0798
z:DES-CBC-SHA             60478     18.9964
z:DHE-RSA-SEED-SHA        51890     16.2989
z:ECDHE-RSA-NULL-SHA      7         0.0022
z:EDH-RSA-DES-CBC-SHA     49291     15.4825
z:EXP-ADH-DES-CBC-SHA     461       0.1448
z:EXP-ADH-RC4-MD5         467       0.1467
z:EXP-DES-CBC-SHA         49466     15.5375
z:EXP-EDH-RSA-DES-CBC-SHA 35342     11.1011
z:EXP-RC2-CBC-MD5         46932     14.7415
z:IDEA-CBC-MD5            27        0.0085
z:IDEA-CBC-SHA            51847     16.2853
z:NULL-MD5                319       0.1002
z:NULL-SHA                313       0.0983
z:NULL-SHA256             10        0.0031
z:RC2-CBC-MD5             281       0.0883
z:SEED-SHA                65444     20.5562

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1525      0.479
AECDH                     8502      2.6705
DHE                       154179    48.4282
ECDHE                     134412    42.2193
RSA                       318109    99.9193

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               145407    45.6729  94.3105
DH,2048bits               7568      2.3771   4.9086
DH,3072bits               2         0.0006   0.0013
DH,3248bits               2         0.0006   0.0013
DH,4096bits               428       0.1344   0.2776
DH,4097bits               2         0.0006   0.0013
DH,512bits                35433     11.1296  22.9817
DH,768bits                683       0.2145   0.443
ECDH,B-163,163bits        1         0.0003   0.0007
ECDH,B-571,570bits        294       0.0923   0.2187
ECDH,P-224,224bits        3         0.0009   0.0022
ECDH,P-256,256bits        133565    41.9533  99.3698
ECDH,P-384,384bits        165       0.0518   0.1228
ECDH,P-521,521bits        450       0.1413   0.3348
Prefer DH,1024bits        98865     31.0539  64.1235
Prefer DH,2048bits        2143      0.6731   1.3899
Prefer DH,4096bits        34        0.0107   0.0221
Prefer DH,512bits         1         0.0003   0.0006
Prefer DH,768bits         74        0.0232   0.048
Prefer ECDH,B-163,163bits 1         0.0003   0.0007
Prefer ECDH,B-571,570bits 236       0.0741   0.1756
Prefer ECDH,P-256,256bits 94747     29.7604  70.49
Prefer ECDH,P-384,384bits 115       0.0361   0.0856
Prefer ECDH,P-521,521bits 409       0.1285   0.3043
Prefer PFS                196625    61.7607  0
Support PFS               245584    77.1389  0

Certificate sig alg     Count     Percent 
-------------------------+---------+--------
None                      9994      3.1392   
ecdsa-with-SHA256         2         0.0006   
sha1WithRSAEncryption     286277    89.9207  
sha256WithRSAEncryption   32146     10.0972  

Certificate key size    Count     Percent 
-------------------------+---------+--------
ECDSA 384                 2         0.0006   
RSA 1024                  1935      0.6078   
RSA 2028                  1         0.0003   
RSA 2047                  2         0.0006   
RSA 2048                  304898    95.7696  
RSA 2049                  2         0.0006   
RSA 2056                  3         0.0009   
RSA 2058                  1         0.0003
RSA 2060                  1         0.0003
RSA 2064                  1         0.0003
RSA 2080                  3         0.0009
RSA 2084                  4         0.0013
RSA 2345                  1         0.0003
RSA 2408                  1         0.0003
RSA 2432                  60        0.0188
RSA 2536                  1         0.0003
RSA 2612                  1         0.0003
RSA 3000                  1         0.0003
RSA 3050                  1         0.0003
RSA 3072                  19        0.006
RSA 3248                  3         0.0009
RSA 3600                  1         0.0003
RSA 4042                  1         0.0003
RSA 4046                  1         0.0003
RSA 4048                  1         0.0003
RSA 4069                  1         0.0003
RSA 4086                  1         0.0003
RSA 4092                  2         0.0006
RSA 4096                  11427     3.5893
RSA 4098                  1         0.0003
RSA 4192                  2         0.0006
RSA 8192                  3         0.0009
RSA/ECDSA Dual Stack      0         0.0

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      621       0.1951
SSL2 Only                 73        0.0229
SSL3                      314763    98.8683
SSL3 Only                 3524      1.1069
SSL3 or TLS1 Only         140708    44.1969
TLS1                      314191    98.6886
TLS1 Only                 1117      0.3509
TLS1.1                    164225    51.5837
TLS1.1 Only               8         0.0025
TLS1.1 or up Only         68        0.0214
TLS1.2                    173049    54.3554
TLS1.2 Only               48        0.0151
TLS1.2, 1.0 but not 1.1   12720     3.9954

Scan performed between 7th and 15th of May 2014.

Cipher scan results in April 2014

Update: The previous version of the tool incorrectly counted broken cipher suites (export, ADH, AECDH).

I scanned Alexa top 1 million sites between 5th and 17th of April 2014 and found out that many servers still not only are badly configured (prefer RC4 ciphers) but won’t negotiate with safely configured browser (one that does not support RC4).

 

SSL/TLS survey of 305280 websites from Alexa's top 0.97 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate
installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      274502    89.9181
3DES Only                 9641      3.1581
AES                       277199    90.8016
AES Only                  520       0.1703
AES-CBC Only              265       0.0868
AES-GCM                   100595    32.9517
AES-GCM Only              12        0.0039
CAMELLIA                  112135    36.7319
CAMELLIA Only             1         0.0003
CHACHA20                  19072     6.2474
RC4                       268295    87.8849
RC4 Only                  5408      1.7715
RC4 Preferred             59552     19.5073
RC4 forced in TLS1.1+     31737     10.396
z:ADH-AES128-GCM-SHA256   248       0.0812
z:ADH-AES128-SHA          1413      0.4629
z:ADH-AES128-SHA256       241       0.0789
z:ADH-AES256-GCM-SHA384   250       0.0819
z:ADH-AES256-SHA          1412      0.4625
z:ADH-AES256-SHA256       245       0.0803
z:ADH-CAMELLIA128-SHA     736       0.2411
z:ADH-CAMELLIA256-SHA     740       0.2424
z:ADH-DES-CBC-SHA         831       0.2722
z:ADH-DES-CBC3-SHA        1469      0.4812
z:ADH-RC4-MD5             1333      0.4366
z:ADH-SEED-SHA            636       0.2083
z:AECDH-AES128-SHA        10300     3.374
z:AECDH-AES256-SHA        10349     3.39
z:AECDH-DES-CBC3-SHA      10313     3.3782
z:AECDH-NULL-SHA          3         0.001
z:AECDH-RC4-SHA           9913      3.2472
z:DES-CBC-MD5             279       0.0914
z:DES-CBC-SHA             60744     19.8978
z:DHE-RSA-SEED-SHA        46262     15.154
z:ECDHE-RSA-NULL-SHA      6         0.002
z:EDH-RSA-DES-CBC-SHA     49529     16.2241
z:EXP-ADH-DES-CBC-SHA     458       0.15
z:EXP-ADH-RC4-MD5         458       0.15
z:EXP-DES-CBC-SHA         49850     16.3293
z:EXP-EDH-RSA-DES-CBC-SHA 36180     11.8514
z:EXP-RC2-CBC-MD5         47372     15.5176
z:IDEA-CBC-MD5            28        0.0092
z:IDEA-CBC-SHA            44932     14.7183
z:NULL-MD5                322       0.1055
z:NULL-SHA                317       0.1038
z:NULL-SHA256             11        0.0036
z:RC2-CBC-MD5             307       0.1006
z:SEED-SHA                59061     19.3465

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1503      0.4923
AECDH                     10393     3.4044
DHE                       145234    47.574
ECDHE                     113831    37.2874
RSA                       305033    99.9191

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               138773    45.4576  95.5513
DH,2048bits               5472      1.7925   3.7677
DH,3072bits               2         0.0007   0.0014
DH,3248bits               2         0.0007   0.0014
DH,4094bits               1         0.0003   0.0007
DH,4096bits               250       0.0819   0.1721
DH,512bits                36257     11.8766  24.9645
DH,768bits                662       0.2169   0.4558
ECDH,B-163,163bits        1         0.0003   0.0009
ECDH,B-571,570bits        279       0.0914   0.2451
ECDH,P-224,224bits        3         0.001    0.0026
ECDH,P-256,256bits        113201    37.081   99.4465
ECDH,P-384,384bits        138       0.0452   0.1212
ECDH,P-521,521bits        266       0.0871   0.2337
Prefer DH,1024bits        99289     32.5239  68.3648
Prefer DH,2048bits        1848      0.6053   1.2724
Prefer DH,4096bits        12        0.0039   0.0083
Prefer DH,512bits         1         0.0003   0.0007
Prefer DH,768bits         72        0.0236   0.0496
Prefer ECDH,B-163,163bits 1         0.0003   0.0009
Prefer ECDH,B-571,570bits 226       0.074    0.1985
Prefer ECDH,P-256,256bits 80220     26.2775  70.4729
Prefer ECDH,P-384,384bits 84        0.0275   0.0738
Prefer ECDH,P-521,521bits 246       0.0806   0.2161
Prefer PFS                181999    59.6171  0
Support PFS               225224    73.7762  0

Certificate sig alg     Count     Percent 
-------------------------+---------+--------
None                      11870     3.8882   
sha1WithRSAEncryption     289276    94.7576  
sha256WithRSAEncryption   16033     5.2519   

Certificate key size    Count     Percent 
-------------------------+---------+--------
RSA 1024                  2098      0.6872   
RSA 2028                  1         0.0003   
RSA 2047                  3         0.001    
RSA 2048                  295413    96.7679
RSA 2049                  4         0.0013
RSA 2056                  3         0.001
RSA 2058                  1         0.0003
RSA 2060                  1         0.0003
RSA 2064                  1         0.0003
RSA 2080                  3         0.001
RSA 2084                  2         0.0007
RSA 2345                  1         0.0003
RSA 2408                  1         0.0003
RSA 2432                  88        0.0288
RSA 2536                  1         0.0003
RSA 2612                  1         0.0003
RSA 3000                  1         0.0003
RSA 3050                  1         0.0003
RSA 3072                  18        0.0059
RSA 3248                  2         0.0007
RSA 3600                  1         0.0003
RSA 4042                  1         0.0003
RSA 4048                  1         0.0003
RSA 4069                  1         0.0003
RSA 4086                  1         0.0003
RSA 4092                  2         0.0007
RSA 4096                  7634      2.5007
RSA 4098                  1         0.0003
RSA 4192                  2         0.0007
RSA 8192                  4         0.0013
RSA/ECDSA Dual Stack      0         0.0

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      644       0.211
SSL2 Only                 20        0.0066
SSL3                      303052    99.2702
SSL3 Only                 3706      1.214
SSL3 or TLS1 Only         155876    51.06
TLS1                      301098    98.6301
TLS1 Only                 673       0.2205
TLS1.1                    136386    44.6757
TLS1.1 Only               4         0.0013
TLS1.1 or up Only         60        0.0197
TLS1.2                    144857    47.4505
TLS1.2 Only               45        0.0147
TLS1.2, 1.0 but not 1.1   12292     4.0265