internet scan

September 2015 scan results

(I have declared “analysis bankruptcy”, only raw results available for this month. Sorry! 🙇)

SSL/TLS survey of 514491 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      441032    85.722
3DES Only                 662       0.1287
AES                       506240    98.3963
AES Only                  20155     3.9175
AES-CBC                   506132    98.3753
AES-CBC Only              9532      1.8527
AES-GCM                   372880    72.4755
AES-GCM Only              53        0.0103
CAMELLIA                  228600    44.4323
CAMELLIA Only             1         0.0002
CHACHA20                  63632     12.368
CHACHA20 Only             1         0.0002
Insecure                  64742     12.5837
RC4                       231507    44.9973
RC4 Only                  1252      0.2433
RC4 Preferred             27685     5.381
RC4 forced in TLS1.1+     15710     3.0535
x:FF 29 RC4 Only          1532      0.2978
x:FF 29 RC4 Preferred     31430     6.109
x:FF 29 incompatible      137       0.0266
x:FF 35 RC4 Only          1845      0.3586
x:FF 35 RC4 Preferred     31550     6.1323
x:FF 35 incompatible      138       0.0268
y:DHE-RSA-SEED-SHA        86011     16.7177
y:IDEA-CBC-SHA            78923     15.34
y:SEED-SHA                96111     18.6808
z:ADH-AES128-GCM-SHA256   333       0.0647
z:ADH-AES128-SHA          745       0.1448
z:ADH-AES128-SHA256       236       0.0459
z:ADH-AES256-GCM-SHA384   343       0.0667
z:ADH-AES256-SHA          749       0.1456
z:ADH-AES256-SHA256       236       0.0459
z:ADH-CAMELLIA128-SHA     344       0.0669
z:ADH-CAMELLIA256-SHA     350       0.068
z:ADH-DES-CBC-SHA         321       0.0624
z:ADH-DES-CBC3-SHA        759       0.1475
z:ADH-RC4-MD5             621       0.1207
z:ADH-SEED-SHA            272       0.0529
z:AECDH-AES128-SHA        12374     2.4051
z:AECDH-AES256-SHA        12403     2.4107
z:AECDH-DES-CBC3-SHA      12331     2.3967
z:AECDH-NULL-SHA          55        0.0107
z:AECDH-RC4-SHA           11656     2.2655
z:DES-CBC-MD5             12201     2.3715
z:DES-CBC-SHA             37676     7.323
z:DES-CBC3-MD5            24906     4.8409
z:ECDHE-RSA-NULL-SHA      59        0.0115
z:EDH-RSA-DES-CBC-SHA     32341     6.286
z:EXP-ADH-DES-CBC-SHA     225       0.0437
z:EXP-ADH-RC4-MD5         222       0.0431
z:EXP-DES-CBC-SHA         16253     3.159
z:EXP-EDH-RSA-DES-CBC-SHA 13136     2.5532
z:EXP-RC2-CBC-MD5         19785     3.8455
z:EXP-RC4-MD5             20799     4.0426
z:EXP1024-DES-CBC-SHA     5124      0.9959
z:EXP1024-RC4-SHA         5211      1.0128
z:IDEA-CBC-MD5            2368      0.4603
z:NULL-MD5                228       0.0443
z:NULL-SHA                231       0.0449
z:NULL-SHA256             22        0.0043
z:RC2-CBC-MD5             12471     2.4239
z:RC4-64-MD5              1000      0.1944

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               131154    25.492
Server side               383337    74.508

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       872       0.1695
AECDH                     12430     2.416
DHE                       282349    54.8793
ECDH                      3         0.0006
ECDHE                     400761    77.8947
ECDHE and DHE             210872    40.9865
RSA                       466026    90.58

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               176947    34.3926  62.6696
DH,1536bits               1         0.0002   0.0004
DH,2048bits               97579     18.9661  34.5597
DH,2236bits               10        0.0019   0.0035
DH,2560bits               1         0.0002   0.0004
DH,3072bits               1027      0.1996   0.3637
DH,3092bits               1         0.0002   0.0004
DH,4096bits               6303      1.2251   2.2323
DH,512bits                53        0.0103   0.0188
DH,768bits                502       0.0976   0.1778
DH,8192bits               1         0.0002   0.0004
ECDH,B-163,163bits        1         0.0002   0.0002
ECDH,B-571,570bits        1514      0.2943   0.3778
ECDH,K-163,163bits        1         0.0002   0.0002
ECDH,K-571,570bits        1         0.0002   0.0002
ECDH,P-192,192bits        2         0.0004   0.0005
ECDH,P-224,224bits        89        0.0173   0.0222
ECDH,P-256,256bits        389270    75.6612  97.1327
ECDH,P-384,384bits        2668      0.5186   0.6657
ECDH,P-521,521bits        8073      1.5691   2.0144
Prefer DH,1024bits        63712     12.3835  22.565
Prefer DH,1536bits        1         0.0002   0.0004
Prefer DH,2048bits        9342      1.8158   3.3087
Prefer DH,2236bits        1         0.0002   0.0004
Prefer DH,3072bits        14        0.0027   0.005
Prefer DH,4096bits        342       0.0665   0.1211
Prefer DH,768bits         102       0.0198   0.0361
Prefer ECDH,B-163,163bits 1         0.0002   0.0002
Prefer ECDH,B-571,570bits 1305      0.2536   0.3256
Prefer ECDH,K-163,163bits 1         0.0002   0.0002
Prefer ECDH,K-571,570bits 1         0.0002   0.0002
Prefer ECDH,P-224,224bits 55        0.0107   0.0137
Prefer ECDH,P-256,256bits 337269    65.5539  84.1571
Prefer ECDH,P-384,384bits 2525      0.4908   0.6301
Prefer ECDH,P-521,521bits 7266      1.4123   1.8131
Prefer PFS                421937    82.0106  0
Support PFS               472238    91.7874  0

Supported ECC curves      Count     Percent 
-------------------------+---------+--------
brainpoolP256r1           1285      0.2498   
brainpoolP384r1           1285      0.2498   
brainpoolP512r1           1285      0.2498   
prime192v1                1409      0.2739   
prime256v1                399379    77.626   
prime256v1 Only           346484    67.345   
secp160k1                 1372      0.2667   
secp160r1                 1376      0.2674   
secp160r2                 1372      0.2667   
secp192k1                 1393      0.2708   
secp224k1                 1466      0.2849   
secp224r1                 3478      0.676    
secp224r1 Only            2         0.0004   
secp256k1                 2664      0.5178   
secp384r1                 53002     10.3018  
secp384r1 Only            342       0.0665   
secp521r1                 22491     4.3715   
secp521r1 Only            118       0.0229   
sect163k1                 1376      0.2674   
sect163k1 Only            2         0.0004   
sect163r1                 1374      0.2671   
sect163r2                 1375      0.2673   
sect163r2 Only            1         0.0002   
sect193r1                 1374      0.2671   
sect193r2                 1374      0.2671   
sect233k1                 1460      0.2838   
sect233r1                 1458      0.2834   
sect239k1                 1458      0.2834   
sect283k1                 2637      0.5125   
sect283r1                 2637      0.5125   
sect409k1                 2637      0.5125   
sect409r1                 2637      0.5125   
sect571k1                 2650      0.5151   
sect571r1                 2650      0.5151   

Unsupported curve fallback     Count     Percent 
------------------------------+---------+--------
False                          69342     13.4778  
True                           279091    54.246   
order-specific                 247       0.048    
unknown                        165811    32.2282  

ECC curve ordering        Count     Percent 
-------------------------+---------+--------
client                    4128      0.8023   
inconclusive-noecc        10        0.0019   
server                    395723    76.9154  
unknown                   114630    22.2803  

TLSv1.2 PFS supported sigalgs  Count     Percent 
------------------------------+---------+--------
ECDSA-SHA1                     36846     7.1616   
ECDSA-SHA1 Only                3         0.0006   
ECDSA-SHA224                   36847     7.1618   
ECDSA-SHA256                   36861     7.1646   
ECDSA-SHA384                   36862     7.1648   
ECDSA-SHA512                   36877     7.1677   
ECDSA-SHA512 Only              15        0.0029   
RSA-MD5                        169404    32.9265  
RSA-SHA1                       349277    67.8879  
RSA-SHA1 Only                  46373     9.0134   
RSA-SHA224                     283789    55.1592  
RSA-SHA256                     309288    60.1153  
RSA-SHA256 Only                5302      1.0305   
RSA-SHA384                     284974    55.3895  
RSA-SHA384 Only                1         0.0002   
RSA-SHA512                     285175    55.4286  
RSA-SHA512 Only                218       0.0424   

TLSv1.2 PFS ordering           Count     Percent 
------------------------------+---------+--------
client                         247485    48.1029  
indeterminate                  113       0.022    
intolerant                     3917      0.7613   
order-fallback                 6         0.0012   
server                         141461    27.4953  
unsupported                    22160     4.3072   

TLSv1.2 PFS sigalg fallback    Count     Percent 
------------------------------+---------+--------
ECDSA SHA1                     36832     7.1589   
ECDSA intolerant               63        0.0122   
ECDSA pfs-rsa-SHA512           1         0.0002   
RSA False                      168019    32.6573  
RSA SHA1                       154614    30.0518  
RSA intolerant                 32671     6.3502   
RSA pfs-ecdsa-SHA512           1         0.0002   
RSA soft-nopfs                 1437      0.2793   

Renegotiation             Count     Percent 
-------------------------+---------+--------
False                     6340      1.2323   
insecure                  19961     3.8798   
secure                    488190    94.888   

Compression               Count     Percent 
-------------------------+---------+--------
1 (zlib compression)      10392     2.0199   
False                     6340      1.2323   
NONE                      497759    96.7479  

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
1                         4         0.0008   
1 only                    4         0.0008   
2                         2         0.0004   
2 only                    2         0.0004   
5                         1         0.0002   
5 only                    1         0.0002   
10                        7         0.0014   
10 only                   7         0.0014   
15                        8         0.0016   
15 only                   8         0.0016   
30                        11        0.0021   
30 only                   10        0.0019   
60                        93        0.0181   
60 only                   87        0.0169   
65                        1         0.0002   
65 only                   1         0.0002   
70                        7         0.0014   
100                       14        0.0027   
100 only                  14        0.0027   
120                       30        0.0058   
120 only                  30        0.0058   
128                       2         0.0004   
128 only                  2         0.0004   
150                       2         0.0004   
180                       39        0.0076   
180 only                  37        0.0072   
240                       14        0.0027   
240 only                  14        0.0027   
300                       232702    45.2296  
300 only                  227970    44.3098  
302                       2         0.0004   
302 only                  2         0.0004   
360                       2         0.0004   
360 only                  1         0.0002   
400                       7         0.0014   
400 only                  7         0.0014   
420                       113       0.022    
420 only                  87        0.0169   
480                       11        0.0021   
480 only                  11        0.0021   
500                       4         0.0008   
500 only                  4         0.0008   
540                       1         0.0002   
540 only                  1         0.0002   
600                       24187     4.7012   
600 only                  24031     4.6708   
720                       2         0.0004   
720 only                  2         0.0004   
840                       2         0.0004   
840 only                  2         0.0004   
900                       718       0.1396   
900 only                  702       0.1364   
960                       3         0.0006   
960 only                  3         0.0006   
1200                      2085      0.4053   
1200 only                 2080      0.4043   
1320                      1         0.0002   
1320 only                 1         0.0002   
1500                      11        0.0021   
1500 only                 10        0.0019   
1800                      473       0.0919   
1800 only                 468       0.091    
2100                      1         0.0002   
2100 only                 1         0.0002   
2400                      6         0.0012   
2400 only                 6         0.0012   
2700                      7         0.0014   
2700 only                 7         0.0014   
3000                      19        0.0037   
3000 only                 19        0.0037   
3600                      512       0.0995   
3600 only                 498       0.0968   
3900                      1         0.0002   
3900 only                 1         0.0002   
4200                      1         0.0002   
5160                      1         0.0002   
5160 only                 1         0.0002   
5400                      14        0.0027   
5400 only                 6         0.0012   
6000                      3         0.0006   
6000 only                 3         0.0006   
7200                      16177     3.1443   
7200 only                 16154     3.1398   
10800                     2416      0.4696   
10800 only                2411      0.4686   
14400                     70        0.0136   
14400 only                70        0.0136   
18000                     7         0.0014   
18000 only                7         0.0014   
21600                     4966      0.9652   
21600 only                4963      0.9646   
28800                     2049      0.3983   
28800 only                637       0.1238   
36000                     1187      0.2307   
36000 only                1176      0.2286   
43200                     35        0.0068   
43200 only                35        0.0068   
60000                     1         0.0002   
60000 only                1         0.0002   
64800                     51944     10.0962  
64800 only                51911     10.0898  
72000                     13        0.0025   
72000 only                13        0.0025   
86000                     31        0.006    
86000 only                31        0.006    
86400                     3546      0.6892   
86400 only                3543      0.6886   
100800                    11273     2.1911   
100800 only               11263     2.1892   
129600                    9         0.0017   
129600 only               9         0.0017   
172800                    7         0.0014   
172800 only               7         0.0014   
216000                    1         0.0002   
216000 only               1         0.0002   
432000                    2         0.0004   
432000 only               2         0.0004   
604800                    1         0.0002   
604800 only               1         0.0002   
864000                    3         0.0006   
864000 only               3         0.0006   
2592000                   1         0.0002   
2592000 only              1         0.0002   
None                      166108    32.2859  
None only                 159631    31.027   

Certificate sig alg     Count     Percent 
-------------------------+---------+--------
None                      13099     2.546    
ecdsa-with-SHA256         36858     7.164    
sha1WithRSAEncryption     100797    19.5916  
sha256WithRSAEncryption   377291    73.3329  
sha384WithRSAEncryption   6         0.0012   
sha512WithRSAEncryption   26        0.0051   

Certificate key size    Count     Percent 
-------------------------+---------+--------
ECDSA 256                 36891     7.1704   
ECDSA 384                 8         0.0016   
RSA 1024                  68        0.0132   
RSA 10240                 5         0.001    
RSA 2048                  459006    89.2156  
RSA 2049                  3         0.0006   
RSA 2056                  2         0.0004   
RSA 2058                  2         0.0004   
RSA 2064                  1         0.0002   
RSA 2078                  1         0.0002   
RSA 2080                  2         0.0004   
RSA 2084                  6         0.0012   
RSA 2096                  2         0.0004   
RSA 2408                  1         0.0002   
RSA 2432                  2         0.0004   
RSA 2480                  1         0.0002   
RSA 2890                  1         0.0002   
RSA 3024                  1         0.0002   
RSA 3071                  1         0.0002   
RSA 3072                  119       0.0231   
RSA 3248                  3         0.0006   
RSA 4042                  1         0.0002   
RSA 4048                  1         0.0002   
RSA 4056                  26        0.0051   
RSA 4069                  2         0.0004   
RSA 4092                  6         0.0012   
RSA 4094                  1         0.0002   
RSA 4096                  18374     3.5713   
RSA 8192                  5         0.001    
RSA/ECDSA Dual Stack      44        0.0086

OCSP stapling             Count     Percent 
-------------------------+---------+--------
Supported                 110108    21.4013  
Unsupported               404383    78.5987  

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      25202     4.8984
SSL2 Only                 15        0.0029
SSL3                      126817    24.649
SSL3 Only                 549       0.1067
SSL3 or TLS1 Only         72846     14.1588
SSL3 or lower Only        571       0.111
TLS1                      510753    99.2735
TLS1 Only                 43061     8.3696
TLS1 or lower Only        96394     18.7358
TLS1.1                    405071    78.7324
TLS1.1 Only               30        0.0058
TLS1.1 or up Only         2939      0.5712
TLS1.2                    415131    80.6877
TLS1.2 Only               1267      0.2463
TLS1.2, 1.0 but not 1.1   11078     2.1532

Statistics from 481615 chains provided by 696385 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  438491    62.9667
incomplete                20877     2.9979
untrusted                 237017    34.0353

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         214       0.0444
3                         479299    99.5191
4                         2064      0.4286
5                         38        0.0079

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 21571     
ECDSA 384                 21574     
RSA 1024                  189       
RSA 2045                  3         
RSA 2048                  797792    
RSA 4096                  124027    

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 21571     4.4789
ECDSA 384                 21574     4.4795
RSA 1024                  187       0.0388
RSA 2045                  3         0.0006
RSA 2048                  459556    95.4198
RSA 4096                  123505    25.6439

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              21569     
sha1WithRSAEncryption          87272     
sha256WithRSAEncryption        264799    
sha384WithRSAEncryption        109831    
sha512WithRSAEncryption        70        

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        87432     18.1539
112                       372602    77.3651
128                       21581     4.481

Root CAs                                      Count     Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA                 102403    21.2624
(d6325660) COMODO RSA Certification Authority 101866    21.1509
(cbf06781) Go Daddy Root Certificate Authorit 47350     9.8315
(5ad8a5d6) GlobalSign Root CA                 41408     8.5977
(b204d74a) VeriSign Class 3 Public Primary Ce 26837     5.5723
(244b5494) DigiCert High Assurance EV Root CA 25125     5.2168
(2e4eed3c) thawte Primary Root CA             22902     4.7553
(eed8c118) COMODO ECC Certification Authority 21557     4.476
(653b494a) Baltimore CyberTrust Root          11908     2.4725
(157753a5) AddTrust External CA Root          10009     2.0782
(ae8153b9) StartCom Certification Authority   8637      1.7933
(fc5a8f99) USERTrust RSA Certification Author 7875      1.6351
(3513523f) DigiCert Global Root CA            7502      1.5577
(4bfab552) Starfield Root Certificate Authori 6246      1.2969
(480720ec) GeoTrust Primary Certification Aut 5252      1.0905
(f387163d) Starfield Technologies, Inc.       4889      1.0151


Scan performed between 18th and 28th of September 2015.

August 2015 scan results

Another rather uneventful month – more TLS servers among the Alexa top 1 million, more support for AES-GCM, ECDHE, TLS1.2. Fewer servers with bad configurations – RC4 and other insecure ciphers, SSL2 and SSL3, SHA-1 certificates.

Cipher suites

AES in CBC mode remains unchanged, but we see continued growth of GCM, which gained another 2%. Despite its age, 3DES is still showing growth, with 1% more servers supporting it, likely because of the removal of RC4, which lost another 3% overall and 0.4% among servers which prefer it. There are still over 1300 servers among the Alexa top 1 million that support only RC4 (0.27% of total).

Similarly, the overall percentage of servers which support completely insecure ciphers has dropped by over 1.5%.

Despite FREAK and Logjam, over 6.5% of servers support export-grade ciphers.

Key exchange

ECDHE support is still growing, although at a rather slow pace – this month 2.2% more servers were willing to use this mechanism. DHE has fallen by nearly 1.5%.

As always, the growth was fuelled by adding support for the P-256 curve.

Support as well as preference for PFS has grown – by just under 1% and 1.5% respectively.

Hash and signature algorithms

Unfortunately, the roll-out of TLS 1.2 also brings with it additional servers willing to negotiate the MD5 signature algorithm on ServerKeyExchange messages; their share has grown by 1% month over month.

Support for SHA-256 has grown by 2%, so deployment of more capable systems is at least higher.

Vulnerabilities

Support for insecure renegotiation is still at a fairly high level of 4%, falling by just 0.2% since last month.

Compression has fallen by the same amount, reducing the percentage of servers vulnerable to CRIME to 2.1%.

Certificates

Certificates using SHA-1 signatures have fallen by just over 6%, replaced mostly by RSA certificates signed with SHA-256, with some signed by ECDSA.

2048-bit RSA sees little change, towering at nearly 90% of all servers.

Protocols

SSLv2 and SSLv3 continue their journey down, at the same slow pace. But we are at a level of just 600 servers in the Alexa top 1 million requiring the use of SSLv3 to connect. Over 99% of servers support at least TLSv1.0.

At the same time, we have reached the milestone of “only one in five servers supporting TLSv1.0 as the highest protocol version”. We are just 0.3% shy of being able to say that 4 in 5 servers support TLSv1.2!

Results

SSL/TLS survey of 509351 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      435183    85.4387
3DES Only                 725       0.1423
AES                       500583    98.2786
AES Only                  18647     3.6609
AES-CBC                   500485    98.2594
AES-CBC Only              9344      1.8345
AES-GCM                   363787    71.4217
AES-GCM Only              37        0.0073
CAMELLIA                  225125    44.1984
CAMELLIA Only             3         0.0006
CHACHA20                  63145     12.3971
CHACHA20 Only             2         0.0004
Insecure                  67027     13.1593
RC4                       239979    47.1147
RC4 Only                  1395      0.2739
RC4 Preferred             29355     5.7632
RC4 forced in TLS1.1+     16525     3.2443
x:FF 29 RC4 Only          1696      0.333
x:FF 29 RC4 Preferred     33338     6.5452
x:FF 29 incompatible      107       0.021
x:FF 35 RC4 Only          2022      0.397
x:FF 35 RC4 Preferred     33466     6.5703
x:FF 35 incompatible      112       0.022
y:DHE-RSA-SEED-SHA        85997     16.8836
y:IDEA-CBC-SHA            78567     15.4249
y:SEED-SHA                95725     18.7935
z:ADH-AES128-GCM-SHA256   290       0.0569
z:ADH-AES128-SHA          690       0.1355
z:ADH-AES128-SHA256       194       0.0381
z:ADH-AES256-GCM-SHA384   300       0.0589
z:ADH-AES256-SHA          701       0.1376
z:ADH-AES256-SHA256       196       0.0385
z:ADH-CAMELLIA128-SHA     306       0.0601
z:ADH-CAMELLIA256-SHA     312       0.0613
z:ADH-DES-CBC-SHA         295       0.0579
z:ADH-DES-CBC3-SHA        712       0.1398
z:ADH-RC4-MD5             569       0.1117
z:ADH-SEED-SHA            230       0.0452
z:AECDH-AES128-SHA        13191     2.5898
z:AECDH-AES256-SHA        13214     2.5943
z:AECDH-DES-CBC3-SHA      13149     2.5815
z:AECDH-NULL-SHA          51        0.01
z:AECDH-RC4-SHA           12459     2.4461
z:DES-CBC-MD5             12757     2.5046
z:DES-CBC-SHA             38652     7.5885
z:DES-CBC3-MD5            25783     5.0619
z:ECDHE-RSA-NULL-SHA      60        0.0118
z:EDH-RSA-DES-CBC-SHA     33192     6.5165
z:EXP-ADH-DES-CBC-SHA     214       0.042
z:EXP-ADH-RC4-MD5         213       0.0418
z:EXP-DES-CBC-SHA         17083     3.3539
z:EXP-EDH-RSA-DES-CBC-SHA 13893     2.7276
z:EXP-RC2-CBC-MD5         20743     4.0724
z:EXP-RC4-MD5             21811     4.2821
z:EXP1024-DES-CBC-SHA     5319      1.0443
z:EXP1024-RC4-SHA         5395      1.0592
z:IDEA-CBC-MD5            2435      0.4781
z:NULL-MD5                230       0.0452
z:NULL-SHA                232       0.0455
z:NULL-SHA256             22        0.0043
z:RC2-CBC-MD5             13042     2.5605
z:RC4-64-MD5              1052      0.2065

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               130864    25.6923
Server side               378487    74.3077

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       817       0.1604
AECDH                     13248     2.601
DHE                       280098    54.9912
ECDH                      3         0.0006
ECDHE                     390772    76.7196
ECDHE and DHE             205466    40.3388
RSA                       463146    90.9287

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               187360    36.7841  66.8909
DH,1536bits               2         0.0004   0.0007
DH,2048bits               83731     16.4388  29.8935
DH,2236bits               3         0.0006   0.0011
DH,3072bits               2656      0.5214   0.9482
DH,3092bits               1         0.0002   0.0004
DH,4096bits               5788      1.1363   2.0664
DH,512bits                59        0.0116   0.0211
DH,768bits                553       0.1086   0.1974
DH,8192bits               2         0.0004   0.0007
ECDH,B-163,163bits        1         0.0002   0.0003
ECDH,B-571,570bits        1431      0.2809   0.3662
ECDH,K-163,163bits        1         0.0002   0.0003
ECDH,K-571,570bits        1         0.0002   0.0003
ECDH,P-224,224bits        83        0.0163   0.0212
ECDH,P-256,256bits        379964    74.5977  97.2342
ECDH,P-384,384bits        2696      0.5293   0.6899
ECDH,P-521,521bits        7641      1.5001   1.9554
Prefer DH,1024bits        70139     13.7703  25.0409
Prefer DH,1536bits        1         0.0002   0.0004
Prefer DH,2048bits        6067      1.1911   2.166
Prefer DH,2236bits        1         0.0002   0.0004
Prefer DH,3072bits        21        0.0041   0.0075
Prefer DH,4096bits        310       0.0609   0.1107
Prefer DH,768bits         170       0.0334   0.0607
Prefer ECDH,B-163,163bits 1         0.0002   0.0003
Prefer ECDH,B-571,570bits 1231      0.2417   0.315
Prefer ECDH,K-163,163bits 1         0.0002   0.0003
Prefer ECDH,K-571,570bits 1         0.0002   0.0003
Prefer ECDH,P-224,224bits 49        0.0096   0.0125
Prefer ECDH,P-256,256bits 327275    64.2533  83.7509
Prefer ECDH,P-384,384bits 2552      0.501    0.6531
Prefer ECDH,P-521,521bits 6909      1.3564   1.768
Prefer PFS                414728    81.4228  0
Support PFS               465404    91.372   0

Supported ECC curves      Count     Percent 
-------------------------+---------+--------
brainpoolP256r1           1013      0.1989   
brainpoolP384r1           1014      0.1991   
brainpoolP512r1           1015      0.1993   
prime192v1                1346      0.2643   
prime256v1                389473    76.4646  
prime256v1 Only           338238    66.4057  
secp160k1                 1313      0.2578   
secp160r1                 1315      0.2582   
secp160r2                 1312      0.2576   
secp192k1                 1335      0.2621   
secp224k1                 1403      0.2754   
secp224r1                 3044      0.5976   
secp224r1 Only            2         0.0004   
secp256k1                 2305      0.4525   
secp384r1                 51317     10.075   
secp384r1 Only            330       0.0648   
secp521r1                 20958     4.1146   
secp521r1 Only            124       0.0243   
sect163k1                 1322      0.2595   
sect163k1 Only            2         0.0004   
sect163r1                 1320      0.2592   
sect163r2                 1319      0.259    
sect163r2 Only            1         0.0002   
sect193r1                 1316      0.2584   
sect193r2                 1315      0.2582   
sect233k1                 1395      0.2739   
sect233r1                 1395      0.2739   
sect239k1                 1394      0.2737   
sect283k1                 2280      0.4476   
sect283r1                 2279      0.4474   
sect409k1                 2281      0.4478   
sect409r1                 2278      0.4472   
sect571k1                 2291      0.4498   
sect571r1                 2290      0.4496   

Unsupported curve fallback     Count     Percent 
------------------------------+---------+--------
False                          76188     14.9579  
True                           263977    51.8261  
order-specific                 263       0.0516   
unknown                        168923    33.1644  

ECC curve ordering        Count     Percent 
-------------------------+---------+--------
client                    3661      0.7188   
inconclusive-noecc        9         0.0018   
server                    386286    75.8389  
unknown                   119395    23.4406  

TLSv1.2 PFS supported sigalgs  Count     Percent 
------------------------------+---------+--------
ECDSA-SHA1                     35626     6.9944   
ECDSA-SHA1 Only                4         0.0008   
ECDSA-SHA224                   35618     6.9928   
ECDSA-SHA256                   35628     6.9948   
ECDSA-SHA384                   35625     6.9942   
ECDSA-SHA512                   35631     6.9954   
ECDSA-SHA512 Only              6         0.0012   
RSA-MD5                        165235    32.4403  
RSA-SHA1                       341873    67.1193  
RSA-SHA1 Only                  46530     9.1352   
RSA-SHA224                     277602    54.5011  
RSA-SHA256                     301111    59.1166  
RSA-SHA256 Only                4859      0.954    
RSA-SHA384                     278555    54.6882  
RSA-SHA512                     278643    54.7055  
RSA-SHA512 Only                93        0.0183   

TLSv1.2 PFS ordering           Count     Percent 
------------------------------+---------+--------
client                         243146    47.7364  
indeterminate                  8         0.0016   
intolerant                     3556      0.6981   
order-fallback                 16        0.0031   
server                         136828    26.8632  
unsupported                    22608     4.4386   

TLSv1.2 PFS sigalg fallback    Count     Percent 
------------------------------+---------+--------
ECDSA SHA1                     35612     6.9916   
ECDSA intolerant               39        0.0077   
RSA False                      163780    32.1546  
RSA SHA1                       152230    29.8871  
RSA intolerant                 30949     6.0762   
RSA soft-nopfs                 1543      0.3029   

Renegotiation             Count     Percent 
-------------------------+---------+--------
False                     6729      1.3211   
insecure                  20615     4.0473   
secure                    482007    94.6316  

Compression               Count     Percent 
-------------------------+---------+--------
1 (zlib compression)      10877     2.1355   
False                     6729      1.3211   
NONE                      491745    96.5434  

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
1                         2         0.0004   
1 only                    2         0.0004   
2                         2         0.0004   
2 only                    2         0.0004   
5                         4         0.0008   
5 only                    4         0.0008   
10                        7         0.0014   
10 only                   7         0.0014   
15                        10        0.002    
15 only                   10        0.002    
30                        10        0.002    
30 only                   9         0.0018   
60                        100       0.0196   
60 only                   92        0.0181   
65                        1         0.0002   
65 only                   1         0.0002   
70                        6         0.0012   
100                       12        0.0024   
100 only                  12        0.0024   
120                       32        0.0063   
120 only                  32        0.0063   
128                       3         0.0006   
128 only                  3         0.0006   
150                       2         0.0004   
180                       52        0.0102   
180 only                  50        0.0098   
240                       14        0.0027   
240 only                  14        0.0027   
300                       227236    44.6129  
300 only                  222350    43.6536  
302                       1         0.0002   
302 only                  1         0.0002   
360                       3         0.0006   
360 only                  1         0.0002   
400                       7         0.0014   
400 only                  7         0.0014   
420                       113       0.0222   
420 only                  82        0.0161   
450                       1         0.0002   
450 only                  1         0.0002   
480                       12        0.0024   
480 only                  12        0.0024   
500                       4         0.0008   
500 only                  4         0.0008   
540                       1         0.0002   
540 only                  1         0.0002   
600                       23677     4.6485   
600 only                  23483     4.6104   
720                       1         0.0002   
720 only                  1         0.0002   
840                       2         0.0004   
840 only                  2         0.0004   
900                       664       0.1304   
900 only                  648       0.1272   
960                       2         0.0004   
960 only                  2         0.0004   
1200                      1996      0.3919   
1200 only                 1989      0.3905   
1500                      8         0.0016   
1500 only                 7         0.0014   
1800                      449       0.0882   
1800 only                 441       0.0866   
2400                      6         0.0012   
2400 only                 6         0.0012   
2700                      6         0.0012   
2700 only                 6         0.0012   
3000                      20        0.0039   
3000 only                 20        0.0039   
3600                      463       0.0909   
3600 only                 439       0.0862   
3900                      1         0.0002   
3900 only                 1         0.0002   
5400                      15        0.0029   
5400 only                 5         0.001    
6000                      6         0.0012   
6000 only                 6         0.0012   
7200                      15785     3.099    
7200 only                 15761     3.0943   
10800                     2395      0.4702   
10800 only                2391      0.4694   
14400                     73        0.0143   
14400 only                73        0.0143   
18000                     14        0.0027   
18000 only                14        0.0027   
21600                     5069      0.9952   
21600 only                5067      0.9948   
28800                     1936      0.3801   
28800 only                846       0.1661   
36000                     1219      0.2393   
36000 only                1212      0.2379   
43200                     32        0.0063   
43200 only                32        0.0063   
60000                     1         0.0002   
60000 only                1         0.0002   
64800                     50264     9.8682   
64800 only                50206     9.8569   
72000                     10        0.002    
72000 only                10        0.002    
84600                     1         0.0002   
84600 only                1         0.0002   
86000                     37        0.0073   
86000 only                37        0.0073   
86400                     3516      0.6903   
86400 only                3515      0.6901   
100800                    12467     2.4476   
100800 only               12460     2.4463   
115200                    1         0.0002   
115200 only               1         0.0002   
129600                    7         0.0014   
129600 only               7         0.0014   
172800                    8         0.0016   
172800 only               8         0.0016   
216000                    1         0.0002   
216000 only               1         0.0002   
432000                    2         0.0004   
432000 only               2         0.0004   
604800                    1         0.0002   
864000                    2         0.0004   
864000 only               2         0.0004   
2592000                   1         0.0002   
2592000 only              1         0.0002   
None                      167946    32.9725  
None only                 161562    31.7192  

Certificate sig alg       Count     Percent 
-------------------------+---------+--------
None                      13903     2.7296   
ecdsa-with-SHA256         35609     6.9911   
sha1WithRSAEncryption     118117    23.1897  
sha256WithRSAEncryption   355741    69.842   
sha384WithRSAEncryption   5         0.001    
sha512WithRSAEncryption   17        0.0033   

Certificate key size      Count     Percent 
-------------------------+---------+--------
ECDSA 256                 35649     6.9989   
ECDSA 384                 6         0.0012   
ECDSA 521                 1         0.0002   
RSA 1024                  81        0.0159   
RSA 10240                 7         0.0014   
RSA 2048                  455461    89.4199  
RSA 2049                  3         0.0006   
RSA 2056                  2         0.0004   
RSA 2058                  2         0.0004   
RSA 2064                  1         0.0002   
RSA 2080                  2         0.0004   
RSA 2084                  5         0.001    
RSA 2408                  1         0.0002   
RSA 2432                  2         0.0004   
RSA 2480                  1         0.0002   
RSA 2890                  1         0.0002   
RSA 3071                  2         0.0004   
RSA 3072                  111       0.0218   
RSA 3102                  1         0.0002   
RSA 3248                  3         0.0006   
RSA 4042                  1         0.0002   
RSA 4048                  1         0.0002   
RSA 4056                  25        0.0049   
RSA 4069                  3         0.0006   
RSA 4086                  2         0.0004   
RSA 4092                  6         0.0012   
RSA 4094                  1         0.0002   
RSA 4096                  18024     3.5386   
RSA 8192                  5         0.001    
RSA/ECDSA Dual Stack      50        0.0098

OCSP stapling             Count     Percent 
-------------------------+---------+--------
Supported                 109199    21.4389  
Unsupported               400152    78.5611  

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      26076     5.1195
SSL2 Only                 24        0.0047
SSL3                      130306    25.5828
SSL3 Only                 584       0.1147
SSL3 or TLS1 Only         75720     14.866
SSL3 or lower Only        607       0.1192
TLS1                      506048    99.3515
TLS1 Only                 44327     8.7026
TLS1 or lower Only        100132    19.6587
TLS1.1                    396444    77.8332
TLS1.1 Only               30        0.0059
TLS1.1 or up Only         2473      0.4855
TLS1.2                    406149    79.7385
TLS1.2 Only               1063      0.2087
TLS1.2, 1.0 but not 1.1   11004     2.1604

Statistics from 528021 chains provided by 691201 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  479672    69.3969
incomplete                23576     3.4109
untrusted                 187953    27.1922

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         269       0.0509
3                         525613    99.544
4                         2106      0.3988
5                         33        0.0062

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 35610     
ECDSA 384                 35613     
RSA 1024                  255       
RSA 2045                  1         
RSA 2048                  860646    
RSA 4096                  125820    

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 35610     6.744
ECDSA 384                 35613     6.7446
RSA 1024                  253       0.0479
RSA 2045                  1         0.0002
RSA 2048                  491885    93.1563
RSA 4096                  125302    23.7305

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              35609     
sha1WithRSAEncryption          136788    
sha256WithRSAEncryption        246213    
sha384WithRSAEncryption        111253    
sha512WithRSAEncryption        61        

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        137062    25.9577
112                       355341    67.2968
128                       35618     6.7456

Root CAs                                      Count     Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA                 109891    20.8119
(d6325660) COMODO RSA Certification Authority 103786    19.6557
(5ad8a5d6) GlobalSign Root CA                 51859     9.8214
(cbf06781) Go Daddy Root Certificate Authorit 48094     9.1083
(eed8c118) COMODO ECC Certification Authority 35597     6.7416
(b204d74a) VeriSign Class 3 Public Primary Ce 30261     5.731
(244b5494) DigiCert High Assurance EV Root CA 26028     4.9293
(2e4eed3c) thawte Primary Root CA             24484     4.6369
(157753a5) AddTrust External CA Root          12314     2.3321
(653b494a) Baltimore CyberTrust Root          12080     2.2878
(ae8153b9) StartCom Certification Authority   9217      1.7456
(3513523f) DigiCert Global Root CA            7329      1.388
(fc5a8f99) USERTrust RSA Certification Author 7360      1.3939
(4bfab552) Starfield Root Certificate Authori 6079      1.1513
(f081611a) The Go Daddy Group, Inc.           5382      1.0193
(480720ec) GeoTrust Primary Certification Aut 5448      1.0318
(f387163d) Starfield Technologies, Inc.       5310      1.0056


Scan performed between 17th of August and 4th of September 2015.