ciphersuite usage

April 2016 scan results

Again, no analysis, just raw statistics, sorry.

SSL/TLS survey of 554044 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      488020    88.0833
3DES Only                 590       0.1065
3DES Preferred            1772      0.3198
3DES forced in TLS1.1+    936       0.1689
AES                       549187    99.1234
AES Only                  42441     7.6602
AES-CBC                   548762    99.0466
AES-CBC Only              8334      1.5042
AES-GCM                   448629    80.9735
AES-GCM Only              378       0.0682
CAMELLIA                  241430    43.576
CAMELLIA Only             1         0.0002
CHACHA20                  75592     13.6437
Insecure                  54139     9.7716
RC4                       160923    29.0452
RC4 Only                  183       0.033
RC4 Preferred             15628     2.8207
RC4 forced in TLS1.1+     8360      1.5089
x:FF 29 3DES Only         639       0.1153
x:FF 29 3DES Preferred    2130      0.3844
x:FF 29 RC4 Only          254       0.0458
x:FF 29 RC4 Preferred     17323     3.1266
x:FF 29 incompatible      272       0.0491
x:FF 35 3DES Only         645       0.1164
x:FF 35 3DES Preferred    2044      0.3689
x:FF 35 RC4 Only          301       0.0543
x:FF 35 RC4 Preferred     17346     3.1308
x:FF 35 incompatible      276       0.0498
x:FF 44 3DES Only         4576      0.8259
x:FF 44 3DES Preferred    8336      1.5046
x:FF 44 incompatible      577       0.1041
y:DHE-RSA-SEED-SHA        71951     12.9865
y:IDEA-CBC-SHA            67468     12.1774
y:SEED-SHA                82250     14.8454
z:ADH-AES128-GCM-SHA256   401       0.0724
z:ADH-AES128-SHA          730       0.1318
z:ADH-AES128-SHA256       275       0.0496
z:ADH-AES256-GCM-SHA384   411       0.0742
z:ADH-AES256-SHA          748       0.135
z:ADH-AES256-SHA256       274       0.0495
z:ADH-CAMELLIA128-SHA     390       0.0704
z:ADH-CAMELLIA256-SHA     400       0.0722
z:ADH-DES-CBC-SHA         321       0.0579
z:ADH-DES-CBC3-SHA        738       0.1332
z:ADH-RC4-MD5             539       0.0973
z:ADH-SEED-SHA            312       0.0563
z:AECDH-AES128-SHA        9716      1.7537
z:AECDH-AES256-SHA        9763      1.7621
z:AECDH-DES-CBC3-SHA      9685      1.7481
z:AECDH-NULL-SHA          85        0.0153
z:AECDH-RC4-SHA           9132      1.6482
z:DES-CBC-MD5             7224      1.3039
z:DES-CBC-SHA             33578     6.0605
z:DES-CBC3-MD5            17444     3.1485
z:ECDHE-RSA-NULL-SHA      95        0.0171
z:EDH-RSA-DES-CBC-SHA     28962     5.2274
z:EXP-ADH-DES-CBC-SHA     173       0.0312
z:EXP-ADH-RC4-MD5         171       0.0309
z:EXP-DES-CBC-SHA         11121     2.0072
z:EXP-EDH-RSA-DES-CBC-SHA 8776      1.584
z:EXP-RC2-CBC-MD5         13375     2.4141
z:EXP-RC4-MD5             14006     2.528
z:EXP1024-DES-CBC-SHA     3639      0.6568
z:EXP1024-RC4-SHA         3688      0.6657
z:IDEA-CBC-MD5            1523      0.2749
z:NULL-MD5                214       0.0386
z:NULL-SHA                218       0.0393
z:NULL-SHA256             32        0.0058
z:RC2-CBC-MD5             7396      1.3349
z:RC4-64-MD5              767       0.1384

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               134999    24.3661
Server side               419045    75.6339

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       885       0.1597
AECDH                     9773      1.7639
DHE                       298929    53.954
ECDH                      2         0.0004
ECDHE                     476485    86.0013
ECDHE and DHE             253657    45.7828
RSA                       475653    85.8511

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               116515    21.0299  38.9775
DH,1536bits               1         0.0002   0.0003
DH,2048bits               170990    30.8622  57.2009
DH,2236bits               69        0.0125   0.0231
DH,2432bits               3         0.0005   0.001
DH,2560bits               1         0.0002   0.0003
DH,3072bits               111       0.02     0.0371
DH,3092bits               1         0.0002   0.0003
DH,4094bits               1         0.0002   0.0003
DH,4096bits               10885     1.9646   3.6413
DH,4098bits               1         0.0002   0.0003
DH,512bits                64        0.0116   0.0214
DH,6144bits               1         0.0002   0.0003
DH,768bits                377       0.068    0.1261
DH,8192bits               9         0.0016   0.003
ECDH,B-571,570bits        2314      0.4177   0.4856
ECDH,K-163,163bits        1         0.0002   0.0002
ECDH,P-192,192bits        23        0.0042   0.0048
ECDH,P-224,224bits        84        0.0152   0.0176
ECDH,P-256,256bits        456709    82.4319  95.8496
ECDH,P-384,384bits        5908      1.0663   1.2399
ECDH,P-521,521bits        13327     2.4054   2.7969
Prefer DH,1024bits        43925     7.9281   14.6941
Prefer DH,1536bits        1         0.0002   0.0003
Prefer DH,2048bits        5768      1.0411   1.9296
Prefer DH,3072bits        6         0.0011   0.002
Prefer DH,4096bits        423       0.0763   0.1415
Prefer DH,768bits         54        0.0097   0.0181
Prefer ECDH,B-571,570bits 2090      0.3772   0.4386
Prefer ECDH,K-163,163bits 1         0.0002   0.0002
Prefer ECDH,P-224,224bits 81        0.0146   0.017
Prefer ECDH,P-256,256bits 419866    75.7821  88.1174
Prefer ECDH,P-384,384bits 4218      0.7613   0.8852
Prefer ECDH,P-521,521bits 12182     2.1987   2.5566
Prefer PFS                488615    88.1906  0
Support PFS               521757    94.1725  0

Supported ECC curves      Count     Percent 
-------------------------+---------+--------
brainpoolP256r1           7632      1.3775   
brainpoolP384r1           7634      1.3779   
brainpoolP512r1           7637      1.3784   
prime192v1                1557      0.281    
prime256v1                473202    85.4087  
prime256v1 Only           404241    72.9619  
secp160k1                 1490      0.2689   
secp160r1                 1497      0.2702   
secp160r2                 1488      0.2686   
secp192k1                 1502      0.2711   
secp224k1                 1576      0.2845   
secp224r1                 4971      0.8972   
secp256k1                 10618     1.9165   
secp384r1                 70010     12.6362  
secp384r1 Only            1082      0.1953   
secp521r1                 36615     6.6087   
secp521r1 Only            140       0.0253   
sect163k1                 1492      0.2693   
sect163k1 Only            1         0.0002   
sect163r1                 1490      0.2689   
sect163r2                 1490      0.2689   
sect193r1                 1490      0.2689   
sect193r2                 1489      0.2688   
sect233k1                 1566      0.2826   
sect233r1                 1566      0.2826   
sect239k1                 1565      0.2825   
sect283k1                 9047      1.6329   
sect283k1 Only            1         0.0002   
sect283r1                 9044      1.6324   
sect409k1                 9041      1.6318   
sect409r1                 9038      1.6313   
sect571k1                 9044      1.6324   
sect571r1                 9045      1.6325   

Unsupported curve fallback     Count     Percent 
------------------------------+---------+--------
False                          46285     8.354    
True                           365389    65.9495  
order-specific                 61        0.011    
unknown                        142309    25.6855  

ECC curve ordering        Count     Percent 
-------------------------+---------+--------
client                    9132      1.6482   
inconclusive-noecc        4         0.0007   
server                    465324    83.9868  
unknown                   79584     14.3642  

TLSv1.2 PFS supported sigalgs  Count     Percent 
------------------------------+---------+--------
ECDSA-SHA1                     50518     9.118    
ECDSA-SHA1 Only                3         0.0005   
ECDSA-SHA224                   50534     9.1209   
ECDSA-SHA256                   66231     11.9541  
ECDSA-SHA384                   66277     11.9624  
ECDSA-SHA512                   66334     11.9727  
ECDSA-SHA512 Only              61        0.011    
RSA-MD5                        41528     7.4954   
RSA-SHA1                       408670    73.7613  
RSA-SHA1 Only                  36069     6.5101   
RSA-SHA224                     340011    61.369   
RSA-SHA256                     380914    68.7516  
RSA-SHA256 Only                7319      1.321    
RSA-SHA384                     345799    62.4136  
RSA-SHA384 Only                4         0.0007   
RSA-SHA512                     345776    62.4095  
RSA-SHA512 Only                118       0.0213   

TLSv1.2 PFS ordering           Count     Percent 
------------------------------+---------+--------
client                         255972    46.2007  
indeterminate                  42        0.0076   
intolerant                     5716      1.0317   
order-fallback                 9         0.0016   
server                         203222    36.6798  
unsupported                    17516     3.1615   

TLSv1.2 PFS sigalg fallback    Count     Percent 
------------------------------+---------+--------
ECDSA SHA1                     50464     9.1083   
ECDSA intolerant               381       0.0688   
ECDSA pfs-rsa-SHA512           15610     2.8175   
ECDSA soft-nopfs               2         0.0004   
RSA False                      41178     7.4323   
RSA SHA1                       336118    60.6663  
RSA intolerant                 40148     7.2464   
RSA pfs-ecdsa-SHA512           45        0.0081   
RSA soft-nopfs                 512       0.0924   

Renegotiation             Count     Percent 
-------------------------+---------+--------
False                     5199      0.9384   
insecure                  15950     2.8788   
secure                    532895    96.1828  

Compression               Count     Percent 
-------------------------+---------+--------
1 (zlib compression)      7539      1.3607   
False                     5199      0.9384   
NONE                      541306    97.7009  

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
1                         4         0.0007   
1 only                    4         0.0007   
2                         2         0.0004   
2 only                    2         0.0004   
5                         8         0.0014   
5 only                    8         0.0014   
10                        8         0.0014   
10 only                   8         0.0014   
15                        6         0.0011   
15 only                   6         0.0011   
30                        19        0.0034   
30 only                   18        0.0032   
60                        167       0.0301   
60 only                   164       0.0296   
65                        2         0.0004   
65 only                   2         0.0004   
70                        6         0.0011   
70 only                   4         0.0007   
75                        1         0.0002   
75 only                   1         0.0002   
100                       16        0.0029   
100 only                  16        0.0029   
120                       28        0.0051   
120 only                  28        0.0051   
128                       3         0.0005   
128 only                  3         0.0005   
150                       2         0.0004   
180                       66        0.0119   
180 only                  64        0.0116   
240                       11        0.002    
240 only                  11        0.002    
244                       2         0.0004   
244 only                  2         0.0004   
300                       272999    49.2739  
300 only                  269600    48.6604  
302                       3         0.0005   
302 only                  3         0.0005   
360                       3         0.0005   
360 only                  2         0.0004   
400                       5         0.0009   
400 only                  5         0.0009   
420                       122       0.022    
420 only                  105       0.019    
480                       10        0.0018   
480 only                  10        0.0018   
500                       4         0.0007   
500 only                  4         0.0007   
540                       3         0.0005   
540 only                  3         0.0005   
600                       28373     5.1211   
600 only                  28233     5.0958   
660                       1         0.0002   
660 only                  1         0.0002   
700                       3         0.0005   
700 only                  3         0.0005   
840                       2         0.0004   
840 only                  2         0.0004   
900                       1388      0.2505   
900 only                  1366      0.2466   
960                       2         0.0004   
960 only                  2         0.0004   
1000                      1         0.0002   
1000 only                 1         0.0002   
1200                      2912      0.5256   
1200 only                 2907      0.5247   
1210                      2         0.0004   
1210 only                 2         0.0004   
1320                      1         0.0002   
1320 only                 1         0.0002   
1380                      1         0.0002   
1380 only                 1         0.0002   
1440                      1         0.0002   
1440 only                 1         0.0002   
1500                      6         0.0011   
1500 only                 5         0.0009   
1800                      579       0.1045   
1800 only                 568       0.1025   
1980                      2         0.0004   
1980 only                 2         0.0004   
2100                      2         0.0004   
2100 only                 1         0.0002   
2160                      1         0.0002   
2160 only                 1         0.0002   
2400                      8         0.0014   
2400 only                 8         0.0014   
2700                      9         0.0016   
2700 only                 9         0.0016   
3000                      25        0.0045   
3000 only                 25        0.0045   
3300                      1         0.0002   
3300 only                 1         0.0002   
3600                      865       0.1561   
3600 only                 850       0.1534   
3900                      1         0.0002   
3900 only                 1         0.0002   
4200                      1         0.0002   
5160                      1         0.0002   
5160 only                 1         0.0002   
5400                      15        0.0027   
5400 only                 9         0.0016   
5940                      1         0.0002   
5940 only                 1         0.0002   
6000                      297       0.0536   
6000 only                 297       0.0536   
7200                      15195     2.7426   
7200 only                 15175     2.739    
7500                      1         0.0002   
7500 only                 1         0.0002   
10800                     4136      0.7465   
10800 only                4122      0.744    
14400                     95        0.0171   
14400 only                95        0.0171   
18000                     10        0.0018   
18000 only                10        0.0018   
21600                     4179      0.7543   
21600 only                4179      0.7543   
25200                     1         0.0002   
25200 only                1         0.0002   
28800                     3321      0.5994   
28800 only                3321      0.5994   
30000                     1         0.0002   
30000 only                1         0.0002   
36000                     1080      0.1949   
36000 only                1071      0.1933   
38854                     1         0.0002   
38866                     1         0.0002   
38879                     1         0.0002   
38893                     1         0.0002   
38908                     1         0.0002   
38925                     1         0.0002   
38940                     1         0.0002   
38953                     1         0.0002   
43200                     55        0.0099   
43200 only                55        0.0099   
60000                     2         0.0004   
60000 only                2         0.0004   
64800                     65043     11.7397  
64800 only                65041     11.7393  
72000                     9         0.0016   
72000 only                9         0.0016   
79200                     1         0.0002   
79200 only                1         0.0002   
86400                     2805      0.5063   
86400 only                2801      0.5056   
100800                    9140      1.6497   
100800 only               9137      1.6491   
108000                    1         0.0002   
108000 only               1         0.0002   
115200                    1         0.0002   
115200 only               1         0.0002   
129600                    6         0.0011   
129600 only               6         0.0011   
172800                    49        0.0088   
172800 only               49        0.0088   
216000                    4         0.0007   
216000 only               4         0.0007   
432000                    1         0.0002   
432000 only               1         0.0002   
604800                    2         0.0004   
864000                    2         0.0004   
864000 only               2         0.0004   
7776000                   2         0.0004   
7776000 only              2         0.0004   
None                      144581    26.0956  
None only                 140902    25.4316  

Certificate sig alg     Count     Percent 
-------------------------+---------+--------
None                      10359     1.8697   
ecdsa-with-SHA256         63100     11.389   
sha1WithRSAEncryption     29544     5.3324   
sha256WithRSAEncryption   477256    86.1405  
sha384WithRSAEncryption   5         0.0009   
sha512WithRSAEncryption   60        0.0108   

Certificate key size    Count     Percent 
-------------------------+---------+--------
ECDSA 256                 66442     11.9922  
ECDSA 384                 21        0.0038   
ECDSA 521                 1         0.0002   
RSA 1024                  21        0.0038   
RSA 2048                  479886    86.6151  
RSA 2049                  2         0.0004   
RSA 2056                  3         0.0005   
RSA 2058                  3         0.0005   
RSA 2084                  3         0.0005   
RSA 2086                  1         0.0002   
RSA 2096                  2         0.0004   
RSA 2432                  2         0.0004   
RSA 3072                  150       0.0271   
RSA 3073                  1         0.0002   
RSA 3076                  3         0.0005   
RSA 3096                  2         0.0004   
RSA 3248                  3         0.0005   
RSA 4048                  3         0.0005   
RSA 4056                  15        0.0027   
RSA 4069                  1         0.0002   
RSA 4086                  4         0.0007   
RSA 4092                  2         0.0004   
RSA 4094                  1         0.0002   
RSA 4095                  1         0.0002   
RSA 4096                  26364     4.7585   
RSA 4196                  1         0.0002   
RSA 8192                  9         0.0016   
RSA 8392                  1         0.0002   
RSA/ECDSA Dual Stack      18891     3.4097

OCSP stapling             Count     Percent 
-------------------------+---------+--------
Supported                 128586    23.2086  
Unsupported               425458    76.7914  

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      17623     3.1808
SSL2 Only                 17        0.0031
SSL3                      98238     17.7311
SSL3 Only                 1159      0.2092
SSL3 or TLS1 Only         52628     9.4989
SSL3 or lower Only        1168      0.2108
TLS1                      543101    98.0249
TLS1 Only                 32939     5.9452
TLS1 or lower Only        68307     12.3288
TLS1.1                    473247    85.4169
TLS1.1 Only               208       0.0375
TLS1.1 or up Only         9606      1.7338
TLS1.2                    482460    87.0797
TLS1.2 Only               2594      0.4682
TLS1.2, 1.0 but not 1.1   8635      1.5585


Statistics from 589898 chains provided by 709652 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  529449    74.6068
incomplete                22333     3.147
untrusted                 157870    22.2461

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         8         0.0014
3                         587212    99.5447
4                         2665      0.4518
5                         13        0.0022

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 63091     
ECDSA 384                 63090     
RSA 1024                  21        
RSA 2045                  2         
RSA 2048                  881842    
RSA 4096                  174433    

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 63091     10.6952
ECDSA 384                 63090     10.6951
RSA 1024                  19        0.0032
RSA 2045                  2         0.0003
RSA 2048                  526385    89.2332
RSA 4096                  173801    29.4629

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              63084     
sha1WithRSAEncryption          33756     
sha256WithRSAEncryption        339826    
sha384WithRSAEncryption        155860    
sha512WithRSAEncryption        55        

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        33778     5.7261
112                       493007    83.575
128                       63113     10.699

Root CAs                                      Count     Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 138204    23.4285
(2c543cd1) GeoTrust Global CA                 95310     16.157
(eed8c118) COMODO ECC Certification Authority 63077     10.6929
(5ad8a5d6) GlobalSign Root CA                 56226     9.5315
(cbf06781) Go Daddy Root Certificate Authorit 49413     8.3765
(b204d74a) VeriSign Class 3 Public Primary Ce 30520     5.1738
(244b5494) DigiCert High Assurance EV Root CA 19387     3.2865
(2e4eed3c) thawte Primary Root CA             18858     3.1968
(653b494a) Baltimore CyberTrust Root          12557     2.1287
(2e5ac55d) DST Root CA X3                     12525     2.1232
(fc5a8f99) USERTrust RSA Certification Author 17514     2.969
(ae8153b9) StartCom Certification Authority   9654      1.6366
(3513523f) DigiCert Global Root CA            9633      1.633
(4bfab552) Starfield Root Certificate Authori 8780      1.4884


Scan performed between 18th of April and 1st of May 2016

October 2015 scan results

Because the previous two months were published with a much longer delay than usual (sorry about that, will explain myself in future post) the following analysis compares this month’s results to July, not September.

Number of servers supporting TLS has grown by over 4% during those 3 months. The most profound change during that time was decommissioning of over 10% of SHA-1 using certificates. Rest of changes is just continuation of established trends.

Cipher suites

3DES continues the somewhat surprising increase in support, gaining another 1.6%. AES in general and AES in CBC mode in particular have shown little change, gaining less than half a percent in use. AES-GCM has grown by over 5% at the same time. Similarly to AES, Camellia and ChaCha20 support is relatively stable, both gaining about 0.2% each.

Use of insecure ciphers has decreased somewhat, loosing nearly 3% since last publication of results. RC4 has lost a staggering 10% of market share, for the first time since scans began falling below Camellia levels.

Unfortunately, there are still over 1100 servers which require use of RC4 for a successful connection, or over 1600 if you’re using Firefox 35.

Use of server side cipher ordering also plateaued, with just 0.2% more servers opting to ignore client presented order of ciphers for negotiation.

Key exchange

Support for the modern ECDHE key exchange has grown by nearly 5% during that time, reaching over 79% of servers.

The older and slower DHE key exchange has lost 1.6% of support among the servers.

The insecure ADH and AECDH key exchanges have also fallen, the former to a level of below 1000 servers, the latter by 1.5% to just over 2.1%.

Most of the increases in the ECDHE support are due to P-256 NIST curve, gaining nearly 4.5%.

We also see very good changes in DHE support, use of 1024 bit prime has fallen by 9% while use of 2048 bit prime has risen by 8%. For ciphersuites effectively negotiated, the changes are a bit less pronounced, with just 4.1% less servers picking a DHE ciphersuite with 1024 bit prime, making connections to 11.4% of servers a bit less secure. While preference for 2048 bit DH risen by just 1.12%.

Overall, 1.6% more servers support ciphersuites that provide Forward Secrecy while a very nice 4.4% more actually prefer them.

As usual, the support for ECDHE is mostly driven by P-256 (a.k.a. prime256v1), with it gaining 4.8% more market share. One other curve has finally risen to the double digit level (though just barely), with an increase of 0.2% – P-384, a.k.a. secp384r1.

Hash and signature algorithms

Support for SHA256 with RSA certificates has grown by nearly 5%, stronger hashes have seen smaller changes with SHA384 and SHA512 gaining only 3.8%.

Support for the insecure MD5 is also increasing, thankfully at a slower rate, with it gaining only 0.7%. Number of servers that support only the rather weak SHA1 is decreasing though, over those 3 months it has fallen by 1.2%.

Vulnerabilities

Support for secure renegotiation is still missing in 3.6% of servers, loosing just over half a percent. Similarly, 1.2% of servers are vulnerable to the CRIME attack, a change of only 0.2%.

Certificates

Certificates used by servers have seen comparatively the biggest change. SHA-1 use has fallen by nearly 13%! The switch was shared by SHA-256 with RSA (increase by just over 12%) and SHA-256 with ECDSA (increase by 2.6%).

We’ve also finally reached a “less than 100 servers with 1024 bit RSA keys” milestone. Use of 2048 bit RSA has fallen by just one percent, at the same time use of 256 bit ECDSA has grown by 2.67%.

The list of CA’s with more than 1% of servers have also shrunk by 2 positions.

Protocols

Still over half a thousand of servers support only the insecure SSLv2 and SSLv3 protocols.

At the same time, more than 4 in 5 servers support the newest and most secure TLS v1.2 protocol.

Results

SSL/TLS survey of 523658 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      450366    86.0038
3DES Only                 598       0.1142
AES                       516026    98.5426
AES Only                  22924     4.3777
AES-CBC                   515568    98.4551
AES-CBC Only              10087     1.9263
AES-GCM                   388464    74.1828
AES-GCM Only              378       0.0722
CAMELLIA                  234209    44.7256
CAMELLIA Only             3         0.0006
CHACHA20                  64701     12.3556
CHACHA20 Only             1         0.0002
Insecure                  61963     11.8327
RC4                       213861    40.8398
RC4 Only                  1101      0.2103
RC4 Preferred             22873     4.3679
RC4 forced in TLS1.1+     11792     2.2519
x:FF 29 RC4 Only          1377      0.263
x:FF 29 RC4 Preferred     26049     4.9744
x:FF 29 incompatible      312       0.0596
x:FF 35 RC4 Only          1656      0.3162
x:FF 35 RC4 Preferred     26149     4.9935
x:FF 35 incompatible      315       0.0602
y:DHE-RSA-SEED-SHA        84215     16.0821
y:IDEA-CBC-SHA            78851     15.0577
y:SEED-SHA                95873     18.3083
z:ADH-AES128-GCM-SHA256   395       0.0754
z:ADH-AES128-SHA          756       0.1444
z:ADH-AES128-SHA256       295       0.0563
z:ADH-AES256-GCM-SHA384   403       0.077
z:ADH-AES256-SHA          764       0.1459
z:ADH-AES256-SHA256       297       0.0567
z:ADH-CAMELLIA128-SHA     380       0.0726
z:ADH-CAMELLIA256-SHA     388       0.0741
z:ADH-DES-CBC-SHA         305       0.0582
z:ADH-DES-CBC3-SHA        775       0.148
z:ADH-RC4-MD5             638       0.1218
z:ADH-SEED-SHA            313       0.0598
z:AECDH-AES128-SHA        11266     2.1514
z:AECDH-AES256-SHA        11290     2.156
z:AECDH-DES-CBC3-SHA      11231     2.1447
z:AECDH-NULL-SHA          59        0.0113
z:AECDH-RC4-SHA           10599     2.024
z:DES-CBC-MD5             11791     2.2517
z:DES-CBC-SHA             36853     7.0376
z:DES-CBC3-MD5            24006     4.5843
z:ECDHE-RSA-NULL-SHA      63        0.012
z:EDH-RSA-DES-CBC-SHA     31633     6.0408
z:EXP-ADH-DES-CBC-SHA     208       0.0397
z:EXP-ADH-RC4-MD5         205       0.0391
z:EXP-DES-CBC-SHA         15360     2.9332
z:EXP-EDH-RSA-DES-CBC-SHA 12356     2.3596
z:EXP-RC2-CBC-MD5         18735     3.5777
z:EXP-RC4-MD5             19564     3.736
z:EXP1024-DES-CBC-SHA     4870      0.93
z:EXP1024-RC4-SHA         4967      0.9485
z:IDEA-CBC-MD5            2349      0.4486
z:NULL-MD5                227       0.0433
z:NULL-SHA                232       0.0443
z:NULL-SHA256             29        0.0055
z:RC2-CBC-MD5             12033     2.2979
z:RC4-64-MD5              968       0.1849

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               134694    25.7217
Server side               388964    74.2783

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       903       0.1724
AECDH                     11321     2.1619
DHE                       286818    54.772
ECDH                      3         0.0006
ECDHE                     415495    79.3447
ECDHE and DHE             219028    41.8265
RSA                       471189    89.9803

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               162798    31.0886  56.76
DH,1536bits               1         0.0002   0.0003
DH,2048bits               116370    22.2225  40.5728
DH,2236bits               11        0.0021   0.0038
DH,2432bits               1         0.0002   0.0003
DH,3072bits               109       0.0208   0.038
DH,3092bits               1         0.0002   0.0003
DH,4094bits               1         0.0002   0.0003
DH,4096bits               7102      1.3562   2.4761
DH,512bits                43        0.0082   0.015
DH,768bits                450       0.0859   0.1569
DH,8192bits               2         0.0004   0.0007
ECDH,B-571,570bits        1628      0.3109   0.3918
ECDH,K-163,163bits        1         0.0002   0.0002
ECDH,K-571,570bits        1         0.0002   0.0002
ECDH,P-192,192bits        8         0.0015   0.0019
ECDH,P-224,224bits        71        0.0136   0.0171
ECDH,P-256,256bits        402982    76.9552  96.9884
ECDH,P-384,384bits        2860      0.5462   0.6883
ECDH,P-521,521bits        8826      1.6855   2.1242
Prefer DH,1024bits        59986     11.4552  20.9143
Prefer DH,1536bits        1         0.0002   0.0003
Prefer DH,2048bits        9957      1.9014   3.4715
Prefer DH,3072bits        13        0.0025   0.0045
Prefer DH,4096bits        345       0.0659   0.1203
Prefer DH,768bits         65        0.0124   0.0227
Prefer ECDH,B-571,570bits 1429      0.2729   0.3439
Prefer ECDH,K-163,163bits 1         0.0002   0.0002
Prefer ECDH,K-571,570bits 1         0.0002   0.0002
Prefer ECDH,P-224,224bits 55        0.0105   0.0132
Prefer ECDH,P-256,256bits 358890    68.5352  86.3765
Prefer ECDH,P-384,384bits 2659      0.5078   0.64
Prefer ECDH,P-521,521bits 7931      1.5145   1.9088
Prefer PFS                441333    84.2789  0
Support PFS               483285    92.2902  0

Supported ECC curves      Count     Percent 
-------------------------+---------+--------
brainpoolP256r1           1825      0.3485   
brainpoolP384r1           1827      0.3489   
brainpoolP512r1           1828      0.3491   
prime192v1                1461      0.279    
prime256v1                413390    78.9427  
prime256v1 Only           360620    68.8656  
secp160k1                 1415      0.2702   
secp160r1                 1422      0.2716   
secp160r2                 1414      0.27     
secp192k1                 1433      0.2737   
secp224k1                 1489      0.2843   
secp224r1                 3846      0.7344   
secp256k1                 3218      0.6145   
secp384r1                 53089     10.1381  
secp384r1 Only            364       0.0695   
secp521r1                 22417     4.2808   
secp521r1 Only            125       0.0239   
sect163k1                 1415      0.2702   
sect163k1 Only            1         0.0002   
sect163r1                 1414      0.27     
sect163r2                 1414      0.27     
sect193r1                 1412      0.2696   
sect193r2                 1412      0.2696   
sect233k1                 1482      0.283    
sect233r1                 1481      0.2828   
sect239k1                 1481      0.2828   
sect283k1                 3187      0.6086   
sect283r1                 3187      0.6086   
sect409k1                 3189      0.609    
sect409r1                 3189      0.609    
sect571k1                 3201      0.6113   
sect571r1                 3201      0.6113   

Unsupported curve fallback     Count     Percent 
------------------------------+---------+--------
False                          70006     13.3686  
True                           291129    55.5953  
order-specific                 72        0.0137   
unknown                        162451    31.0223  

ECC curve ordering        Count     Percent 
-------------------------+---------+--------
client                    4674      0.8926   
inconclusive-noecc        10        0.0019   
server                    409225    78.1474  
unknown                   109749    20.9581  

TLSv1.2 PFS supported sigalgs  Count     Percent 
------------------------------+---------+--------
ECDSA-SHA1                     38366     7.3265   
ECDSA-SHA1 Only                3         0.0006   
ECDSA-SHA224                   38357     7.3248   
ECDSA-SHA256                   49346     9.4233   
ECDSA-SHA384                   49344     9.4229   
ECDSA-SHA512                   49347     9.4235   
ECDSA-SHA512 Only              3         0.0006   
RSA-MD5                        168481    32.1739  
RSA-SHA1                       361209    68.978   
RSA-SHA1 Only                  43815     8.3671   
RSA-SHA224                     296284    56.5797  
RSA-SHA256                     324294    61.9286  
RSA-SHA256 Only                5869      1.1208   
RSA-SHA384                     297506    56.813   
RSA-SHA384 Only                1         0.0002   
RSA-SHA512                     297620    56.8348  
RSA-SHA512 Only                137       0.0262   

TLSv1.2 PFS ordering           Count     Percent 
------------------------------+---------+--------
client                         238653    45.5742  
indeterminate                  202       0.0386   
intolerant                     4295      0.8202   
order-fallback                 10        0.0019   
server                         163641    31.2496  
unsupported                    21408     4.0882   

TLSv1.2 PFS sigalg fallback    Count     Percent 
------------------------------+---------+--------
ECDSA SHA1                     38349     7.3233   
ECDSA intolerant               24        0.0046   
ECDSA pfs-rsa-SHA512           10983     2.0974   
ECDSA soft-nopfs               1         0.0002   
RSA False                      167225    31.934   
RSA SHA1                       166732    31.8399  
RSA intolerant                 34038     6.5      
RSA pfs-ecdsa-SHA512           5         0.001    
RSA soft-nopfs                 1316      0.2513   

Renegotiation             Count     Percent 
-------------------------+---------+--------
False                     6661      1.272    
insecure                  19263     3.6785   
secure                    497734    95.0494  

Compression               Count     Percent 
-------------------------+---------+--------
1 (zlib compression)      9887      1.8881   
False                     6661      1.272    
NONE                      507110    96.8399  

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
1                         2         0.0004   
1 only                    2         0.0004   
2                         2         0.0004   
2 only                    2         0.0004   
5                         2         0.0004   
5 only                    2         0.0004   
10                        8         0.0015   
10 only                   8         0.0015   
15                        9         0.0017   
15 only                   9         0.0017   
30                        10        0.0019   
30 only                   9         0.0017   
60                        96        0.0183   
60 only                   89        0.017    
65                        1         0.0002   
65 only                   1         0.0002   
70                        7         0.0013   
75                        1         0.0002   
75 only                   1         0.0002   
100                       18        0.0034   
100 only                  18        0.0034   
120                       26        0.005    
120 only                  26        0.005    
128                       3         0.0006   
128 only                  3         0.0006   
150                       2         0.0004   
180                       42        0.008    
180 only                  39        0.0074   
200                       1         0.0002   
200 only                  1         0.0002   
240                       12        0.0023   
240 only                  12        0.0023   
300                       242606    46.3291  
300 only                  238057    45.4604  
302                       3         0.0006   
302 only                  3         0.0006   
360                       2         0.0004   
360 only                  1         0.0002   
400                       8         0.0015   
400 only                  8         0.0015   
420                       119       0.0227   
420 only                  88        0.0168   
480                       12        0.0023   
480 only                  12        0.0023   
500                       5         0.001    
500 only                  5         0.001    
540                       1         0.0002   
540 only                  1         0.0002   
600                       25719     4.9114   
600 only                  25574     4.8837   
700                       1         0.0002   
700 only                  1         0.0002   
720                       2         0.0004   
720 only                  2         0.0004   
840                       1         0.0002   
840 only                  1         0.0002   
900                       781       0.1491   
900 only                  766       0.1463   
960                       2         0.0004   
960 only                  2         0.0004   
1200                      2230      0.4259   
1200 only                 2222      0.4243   
1320                      1         0.0002   
1320 only                 1         0.0002   
1500                      10        0.0019   
1500 only                 9         0.0017   
1800                      490       0.0936   
1800 only                 476       0.0909   
2100                      1         0.0002   
2100 only                 1         0.0002   
2400                      8         0.0015   
2400 only                 8         0.0015   
2700                      8         0.0015   
2700 only                 8         0.0015   
3000                      23        0.0044   
3000 only                 23        0.0044   
3600                      575       0.1098   
3600 only                 566       0.1081   
3900                      1         0.0002   
3900 only                 1         0.0002   
4100                      1         0.0002   
4100 only                 1         0.0002   
4200                      1         0.0002   
5160                      1         0.0002   
5160 only                 1         0.0002   
5400                      20        0.0038   
5400 only                 8         0.0015   
6000                      66        0.0126   
6000 only                 66        0.0126   
7200                      14981     2.8608   
7200 only                 14963     2.8574   
10800                     2576      0.4919   
10800 only                2570      0.4908   
14400                     102       0.0195   
14400 only                102       0.0195   
18000                     7         0.0013   
18000 only                7         0.0013   
21600                     4999      0.9546   
21600 only                4999      0.9546   
25200                     1         0.0002   
25200 only                1         0.0002   
28800                     2018      0.3854   
28800 only                1601      0.3057   
36000                     1153      0.2202   
36000 only                1144      0.2185   
43200                     34        0.0065   
43200 only                34        0.0065   
60000                     1         0.0002   
60000 only                1         0.0002   
64800                     53897     10.2924  
64800 only                53896     10.2922  
72000                     16        0.0031   
72000 only                16        0.0031   
84600                     1         0.0002   
84600 only                1         0.0002   
86000                     39        0.0074   
86000 only                39        0.0074   
86400                     3516      0.6714   
86400 only                3512      0.6707   
100800                    10300     1.9669   
100800 only               10290     1.965    
129600                    9         0.0017   
129600 only               9         0.0017   
172800                    6         0.0011   
172800 only               6         0.0011   
216000                    1         0.0002   
216000 only               1         0.0002   
432000                    2         0.0004   
432000 only               2         0.0004   
604800                    1         0.0002   
864000                    4         0.0008   
864000 only               4         0.0008   
None                      162322    30.9977  
None only                 157058    29.9925  

Certificate sig alg     Count     Percent 
-------------------------+---------+--------
None                      11981     2.2879   
ecdsa-with-SHA256         49307     9.4159   
sha1WithRSAEncryption     86227     16.4663  
sha256WithRSAEncryption   399420    76.275   
sha384WithRSAEncryption   6         0.0011   
sha512WithRSAEncryption   28        0.0053   

Certificate key size    Count     Percent 
-------------------------+---------+--------
ECDSA 256                 49343     9.4228   
ECDSA 384                 15        0.0029   
RSA 1024                  56        0.0107   
RSA 10240                 8         0.0015   
RSA 2047                  1         0.0002   
RSA 2048                  464934    88.7858  
RSA 2049                  4         0.0008   
RSA 2056                  4         0.0008   
RSA 2058                  2         0.0004   
RSA 2064                  2         0.0004   
RSA 2084                  4         0.0008   
RSA 2096                  2         0.0004   
RSA 2408                  2         0.0004   
RSA 2432                  1         0.0002   
RSA 2480                  1         0.0002   
RSA 3071                  1         0.0002   
RSA 3072                  127       0.0243   
RSA 3096                  2         0.0004   
RSA 3248                  2         0.0004   
RSA 4042                  1         0.0002   
RSA 4048                  1         0.0002   
RSA 4056                  25        0.0048   
RSA 4069                  3         0.0006   
RSA 4086                  2         0.0004   
RSA 4092                  6         0.0011   
RSA 4094                  1         0.0002   
RSA 4096                  20149     3.8477   
RSA 4098                  1         0.0002   
RSA 8192                  4         0.0008   
RSA/ECDSA Dual Stack      11039     2.1081

OCSP stapling             Count     Percent 
-------------------------+---------+--------
Supported                 113302    21.6366  
Unsupported               410356    78.3634  

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      24244     4.6297
SSL2 Only                 19        0.0036
SSL3                      122263    23.3479
SSL3 Only                 484       0.0924
SSL3 or TLS1 Only         69496     13.2713
SSL3 or lower Only        503       0.0961
TLS1                      518406    98.9971
TLS1 Only                 41584     7.9411
TLS1 or lower Only        92178     17.6027
TLS1.1                    418156    79.8529
TLS1.1 Only               267       0.051
TLS1.1 or up Only         4492      0.8578
TLS1.2                    428200    81.7709
TLS1.2 Only               1845      0.3523
TLS1.2, 1.0 but not 1.1   10863     2.0744



Statistics from 549280 chains provided by 697275 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  487661    69.9381
incomplete                27391     3.9283
untrusted                 182223    26.1336

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         114       0.0208
3                         547038    99.5918
4                         2101      0.3825
5                         27        0.0049

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 48991     
ECDSA 384                 48992     
RSA 1024                  101       
RSA 2045                  3         
RSA 2048                  865095    
RSA 4096                  137419    

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 48991     8.9191
ECDSA 384                 48992     8.9193
RSA 1024                  99        0.018
RSA 2045                  3         0.0005
RSA 2048                  499889    91.008
RSA 4096                  136911    24.9255

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              48986     
sha1WithRSAEncryption          92825     
sha256WithRSAEncryption        287083    
sha384WithRSAEncryption        122355    
sha512WithRSAEncryption        72        

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        92922     16.9171
112                       407358    74.1622
128                       49000     8.9208

Root CAs                                      Count     Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 113492    20.662
(2c543cd1) GeoTrust Global CA                 107601    19.5895
(eed8c118) COMODO ECC Certification Authority 48977     8.9166
(cbf06781) Go Daddy Root Certificate Authorit 47939     8.7276
(5ad8a5d6) GlobalSign Root CA                 44123     8.0329
(b204d74a) VeriSign Class 3 Public Primary Ce 29359     5.345
(244b5494) DigiCert High Assurance EV Root CA 25999     4.7333
(2e4eed3c) thawte Primary Root CA             23372     4.255
(157753a5) AddTrust External CA Root          20188     3.6754
(653b494a) Baltimore CyberTrust Root          12053     2.1943
(ae8153b9) StartCom Certification Authority   9139      1.6638
(fc5a8f99) USERTrust RSA Certification Author 8775      1.5975
(3513523f) DigiCert Global Root CA            8281      1.5076
(4bfab552) Starfield Root Certificate Authori 8226      1.4976
(480720ec) GeoTrust Primary Certification Aut 5570      1.0141


Scan performed between 19th of October and 9th of November 2015