tls intolerance

July 2016 scan results

This month the scan has a bit more information.

I’ve added special probes to detect whether the server is intolerant to specific types of Client Hello messages.

While support for TLSv1.2 is still not universal (being just under 90%), tolerance to Client Hello messages advertising support for TLSv1.2 is essentially full, with just 67 servers being detected as intolerant to such messages.

Support for less common messages is much worse, though: clients that set their maximum supported version to TLSv1.3 can expect 1.3% of servers to reject their connections. Higher protocol versions like TLSv1.4 have a rejection rate of around 2.45%, and for very high protocol versions it rises to 3.295% for SSL 3.254 (that would be TLSv1.253).

Clients sending a Client Hello with a lot of options or extensions can expect even more intolerance. Those sending multiple key shares (from the TLSv1.3 draft), most of the defined extensions and a couple hundred ciphersuites can expect their connections to be rejected by over 7% of servers. In general, intolerance to very big Client Hello messages, like 16KiB and 24KiB, is at 23.7% and a whopping 89.5% respectively!

If fixing this follows deployment rates similar to those of TLSv1.2 or RC4 deprecation, it doesn’t look like we will be able to deploy most Post Quantum key exchanges any time soon…

Besides that, there were no major changes, just a continuation of long-established trends, so I won’t be doing a full analysis for this month either.
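The version and size probes described above can be illustrated with a small Client Hello builder and parser. This is an added example, not the scanner's own code: the base cipher list, the filler cipher suite IDs (a range assumed to hold no real suite), the all-zero random, the host name and the record-layer version (3, 1) are assumptions made for the illustration. It also shows that a hello larger than 2^14 bytes has to be split over several records.

```python
import struct

RECORD_MAX = 2 ** 14          # largest plaintext fragment one TLS record may carry
HANDSHAKE, CLIENT_HELLO = 22, 1

# Version probes named in the results table, as (major, minor) on the wire.
PROBES = {"TLS 1.2": (3, 3), "TLS 1.3": (3, 4), "TLS 1.4": (3, 5), "SSL 3.254": (3, 254)}

BASE_SUITES = [0xC02F, 0xC030, 0x009E, 0x002F, 0x0035, 0x000A]  # real IANA IDs
FILLER_START = 0x6000         # constructed filler IDs, assumed unknown to servers


def build_client_hello(version, min_size=0, host=b"example.com"):
    """Return a ClientHello handshake message of at least min_size bytes."""
    def body_for(suites):
        name = struct.pack("!BH", 0, len(host)) + host        # host_name entry
        sni = struct.pack("!H", len(name)) + name              # ServerNameList
        exts = struct.pack("!HH", 0, len(sni)) + sni           # extension type 0
        return (bytes(version) + bytes(32)                     # version, constructed random
                + b"\x00"                                      # empty session id
                + struct.pack("!H", 2 * len(suites))
                + b"".join(struct.pack("!H", s) for s in suites)
                + b"\x01\x00"                                  # null compression only
                + struct.pack("!H", len(exts)) + exts)

    suites = list(BASE_SUITES)
    short = min_size - (4 + len(body_for(suites)))
    if short > 0:                                              # grow the cipher list
        suites += range(FILLER_START, FILLER_START + (short + 1) // 2)
    if 2 * len(suites) > 0xFFFE:
        raise ValueError("cipher list does not fit its 16-bit length field")
    body = body_for(suites)
    return struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body


def to_records(handshake, record_version=(3, 1)):
    """Split one handshake message into records of at most 2^14 bytes each."""
    records = []
    for off in range(0, len(handshake), RECORD_MAX):
        frag = handshake[off:off + RECORD_MAX]
        records.append(struct.pack("!BBBH", HANDSHAKE, *record_version, len(frag)) + frag)
    return records


def parse_client_hello(records):
    """Reassemble the records and report what a tolerant server has to cope with."""
    msg = b""
    for rec in records:
        ctype, _major, _minor, length = struct.unpack("!BBBH", rec[:5])
        if ctype != HANDSHAKE or length > RECORD_MAX or length != len(rec) - 5:
            raise ValueError("malformed record")
        msg += rec[5:]
    if msg[0] != CLIENT_HELLO or int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("not a complete ClientHello")
    version = (msg[4], msg[5])
    pos = 4 + 2 + 32                      # skip header, version and random
    pos += 1 + msg[pos]                   # skip session id
    suites_len = struct.unpack_from("!H", msg, pos)[0]
    return {"version": version, "suites": suites_len // 2,
            "size": len(msg), "records": len(records)}


def probe_summary():
    """One row per probe: the four version probes plus two oversized hellos."""
    rows = []
    for name, version in PROBES.items():
        rows.append((name, parse_client_hello(to_records(build_client_hello(version)))))
    for kib in (16, 24):
        hello = build_client_hello(PROBES["TLS 1.2"], min_size=kib * 1024)
        rows.append(("%d KiB hello" % kib, parse_client_hello(to_records(hello))))
    return rows


if __name__ == "__main__":
    for name, info in probe_summary():
        print("%-12s %s" % (name, info))
```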

SSL/TLS survey of 603391 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      532905    88.3184
3DES Only                 550       0.0912
3DES Preferred            1719      0.2849
3DES forced in TLS1.1+    992       0.1644
AES                       599329    99.3268
AES Only                  46610     7.7247
AES-CBC                   598756    99.2318
AES-CBC Only              4850      0.8038
AES-GCM                   509780    84.4858
AES-GCM Only              526       0.0872
CAMELLIA                  267705    44.3668
CAMELLIA Only             1         0.0002
CHACHA20                  83982     13.9183
CHACHA20 Only             3         0.0005
Insecure                  53186     8.8145
RC4                       153525    25.4437
RC4 Only                  140       0.0232
RC4 Preferred             12783     2.1185
RC4 forced in TLS1.1+     6911      1.1454
x:FF 29 3DES Only         597       0.0989
x:FF 29 3DES Preferred    2030      0.3364
x:FF 29 RC4 Only          193       0.032
x:FF 29 RC4 Preferred     14404     2.3872
x:FF 29 incompatible      530       0.0878
x:FF 35 3DES Only         605       0.1003
x:FF 35 3DES Preferred    1956      0.3242
x:FF 35 RC4 Only          218       0.0361
x:FF 35 RC4 Preferred     14418     2.3895
x:FF 35 incompatible      532       0.0882
x:FF 44 3DES Only         3874      0.642
x:FF 44 3DES Preferred    7464      1.237
x:FF 44 incompatible      750       0.1243
y:DHE-RSA-SEED-SHA        79084     13.1066
y:IDEA-CBC-SHA            75906     12.5799
y:SEED-SHA                90103     14.9328
z:ADH-AES128-GCM-SHA256   428       0.0709
z:ADH-AES128-SHA          715       0.1185
z:ADH-AES128-SHA256       281       0.0466
z:ADH-AES256-GCM-SHA384   442       0.0733
z:ADH-AES256-SHA          759       0.1258
z:ADH-AES256-SHA256       284       0.0471
z:ADH-CAMELLIA128-SHA     368       0.061
z:ADH-CAMELLIA128-SHA256  1         0.0002
z:ADH-CAMELLIA256-SHA     393       0.0651
z:ADH-CAMELLIA256-SHA256  1         0.0002
z:ADH-DES-CBC-SHA         279       0.0462
z:ADH-DES-CBC3-SHA        720       0.1193
z:ADH-RC4-MD5             517       0.0857
z:ADH-SEED-SHA            298       0.0494
z:AECDH-AES128-SHA        9498      1.5741
z:AECDH-AES256-SHA        9566      1.5854
z:AECDH-DES-CBC3-SHA      9463      1.5683
z:AECDH-NULL-SHA          60        0.0099
z:AECDH-RC4-SHA           8940      1.4816
z:DES-CBC-MD5             6015      0.9969
z:DES-CBC-SHA             33753     5.5939
z:DES-CBC3-MD5            15538     2.5751
z:ECDHE-RSA-NULL-SHA      67        0.0111
z:EDH-RSA-DES-CBC-SHA     28904     4.7903
z:EXP-ADH-DES-CBC-SHA     180       0.0298
z:EXP-ADH-RC4-MD5         178       0.0295
z:EXP-DES-CBC-SHA         9916      1.6434
z:EXP-EDH-RSA-DES-CBC-SHA 7950      1.3176
z:EXP-RC2-CBC-MD5         11811     1.9574
z:EXP-RC4-MD5             12355     2.0476
z:EXP1024-DES-CBC-SHA     3045      0.5046
z:EXP1024-RC4-SHA         3108      0.5151
z:IDEA-CBC-MD5            1225      0.203
z:NULL-MD5                196       0.0325
z:NULL-SHA                201       0.0333
z:NULL-SHA256             39        0.0065
z:RC2-CBC-MD5             6171      1.0227
z:RC4-64-MD5              692       0.1147

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               149228    24.7316
Server side               454163    75.2684

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       918       0.1521
AECDH                     9574      1.5867
DHE                       327644    54.3004
ECDH                      2         0.0003
ECDHE                     532966    88.3285
ECDHE and DHE             285103    47.2501
RSA                       517470    85.7603

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               115821    19.195   35.3496
DH,2048bits               196265    32.527   59.9019
DH,2049bits               1         0.0002   0.0003
DH,2236bits               77        0.0128   0.0235
DH,2432bits               3         0.0005   0.0009
DH,3072bits               141       0.0234   0.043
DH,3092bits               2         0.0003   0.0006
DH,3196bits               1         0.0002   0.0003
DH,4096bits               14972     2.4813   4.5696
DH,512bits                122       0.0202   0.0372
DH,6144bits               1         0.0002   0.0003
DH,768bits                355       0.0588   0.1083
DH,8192bits               7         0.0012   0.0021
ECDH,B-571,570bits        4696      0.7783   0.8811
ECDH,K-163,163bits        1         0.0002   0.0002
ECDH,P-192,192bits        68        0.0113   0.0128
ECDH,P-224,224bits        91        0.0151   0.0171
ECDH,P-256,256bits        500295    82.9139  93.87
ECDH,P-384,384bits        12707     2.1059   2.3842
ECDH,P-521,521bits        17146     2.8416   3.2171
ECDH,brainpoolP512r1,512bits 3         0.0005   0.0006
ECDH,secp256k1,256bits    1         0.0002   0.0002
Prefer DH,1024bits        42440     7.0336   12.9531
Prefer DH,2048bits        4955      0.8212   1.5123
Prefer DH,3072bits        9         0.0015   0.0027
Prefer DH,3092bits        2         0.0003   0.0006
Prefer DH,4096bits        379       0.0628   0.1157
Prefer DH,768bits         33        0.0055   0.0101
Prefer ECDH,B-571,570bits 4438      0.7355   0.8327
Prefer ECDH,K-163,163bits 1         0.0002   0.0002
Prefer ECDH,P-192,192bits 1         0.0002   0.0002
Prefer ECDH,P-224,224bits 89        0.0147   0.0167
Prefer ECDH,P-256,256bits 465038    77.0708  87.2547
Prefer ECDH,P-384,384bits 10660     1.7667   2.0001
Prefer ECDH,P-521,521bits 15901     2.6353   2.9835
Prefer ECDH,brainpoolP512r1,512bits 3         0.0005   0.0006
Prefer ECDH,secp256k1,256bits 1         0.0002   0.0002
Prefer PFS                543950    90.1488  0
Support PFS               575507    95.3788  0

Supported ECC curves      Count     Percent 
-------------------------+---------+--------
None                      2         0.0003   
None Only                 2         0.0003   
brainpoolP256r1           27492     4.5562   
brainpoolP384r1           27491     4.5561   
brainpoolP512r1           27484     4.5549   
prime192v1                1647      0.273    
prime256v1                510415    84.5911  
prime256v1 Only           428464    71.0093  
secp160k1                 1528      0.2532   
secp160r1                 1536      0.2546   
secp160r2                 1528      0.2532   
secp192k1                 1543      0.2557   
secp224k1                 1625      0.2693   
secp224r1                 5406      0.8959   
secp256k1                 29683     4.9194   
secp384r1                 88419     14.6537  
secp384r1 Only            5169      0.8567   
secp521r1                 58499     9.695    
secp521r1 Only            153       0.0254   
sect163k1                 1531      0.2537   
sect163k1 Only            3         0.0005   
sect163r1                 1529      0.2534   
sect163r2                 1529      0.2534   
sect193r1                 1529      0.2534   
sect193r2                 1529      0.2534   
sect233k1                 1614      0.2675   
sect233r1                 1614      0.2675   
sect239k1                 1614      0.2675   
sect283k1                 28930     4.7946   
sect283k1 Only            2         0.0003   
sect283r1                 28927     4.7941   
sect409k1                 28927     4.7941   
sect409r1                 28927     4.7941   
sect571k1                 28927     4.7941   
sect571r1                 28930     4.7946   
server                    38445     6.3715   
server Only               38445     6.3715   

Unsupported curve fallback     Count     Percent 
------------------------------+---------+--------
False                          532806    88.3019  
unknown                        70585     11.6981  

ECC curve ordering        Count     Percent 
-------------------------+---------+--------
                          36744     6.0896   
client                    18027     2.9876   
server                    478197    79.2516  
unknown                   70423     11.6712  

TLSv1.2 PFS supported sigalgs  Count     Percent 
------------------------------+---------+--------
ECDSA-SHA1                     54563     9.0427   
ECDSA-SHA1 Only                9         0.0015   
ECDSA-SHA224                   54587     9.0467   
ECDSA-SHA256                   72567     12.0265  
ECDSA-SHA384                   72639     12.0385  
ECDSA-SHA512                   72750     12.0569  
ECDSA-SHA512 Only              118       0.0196   
RSA-MD5                        23842     3.9513   
RSA-SHA1                       462908    76.7178  
RSA-SHA1 Only                  30278     5.018    
RSA-SHA224                     387875    64.2825  
RSA-SHA256                     441866    73.2305  
RSA-SHA256 Only                8016      1.3285   
RSA-SHA384                     403401    66.8557  
RSA-SHA384 Only                4         0.0007   
RSA-SHA512                     403342    66.8459  
RSA-SHA512 Only                131       0.0217   

TLSv1.2 PFS ordering           Count     Percent 
------------------------------+---------+--------
client                         282677    46.8481  
indeterminate                  38        0.0063   
intolerant                     6561      1.0874   
order-fallback                 4         0.0007   
server                         236059    39.1221  
unsupported                    14339     2.3764   

TLSv1.2 PFS sigalg fallback    Count     Percent 
------------------------------+---------+--------
ECDSA SHA1                     54456     9.025    
ECDSA intolerant               652       0.1081   
ECDSA pfs-rsa-SHA512           17783     2.9472   
ECDSA soft-nopfs               15        0.0025   
RSA False                      23629     3.916    
RSA SHA1                       399316    66.1786  
RSA intolerant                 50007     8.2877   
RSA pfs-ecdsa-SHA512           99        0.0164   
RSA soft-nopfs                 389       0.0645   

Renegotiation             Count     Percent 
-------------------------+---------+--------
False                     4550      0.7541   
insecure                  15701     2.6021   
secure                    583140    96.6438  

Compression               Count     Percent 
-------------------------+---------+--------
1 (zlib compression)      6683      1.1076   
False                     4550      0.7541   
NONE                      592158    98.1384  

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
1                         3         0.0005   
1 only                    3         0.0005   
5                         8         0.0013   
5 only                    8         0.0013   
10                        9         0.0015   
10 only                   9         0.0015   
15                        7         0.0012   
15 only                   7         0.0012   
30                        29        0.0048   
30 only                   29        0.0048   
60                        172       0.0285   
60 only                   166       0.0275   
65                        2         0.0003   
65 only                   2         0.0003   
70                        6         0.001    
70 only                   4         0.0007   
75                        1         0.0002   
75 only                   1         0.0002   
90                        1         0.0002   
90 only                   1         0.0002   
100                       15        0.0025   
100 only                  15        0.0025   
120                       28        0.0046   
120 only                  28        0.0046   
128                       3         0.0005   
128 only                  2         0.0003   
150                       2         0.0003   
180                       83        0.0138   
180 only                  80        0.0133   
240                       12        0.002    
240 only                  12        0.002    
300                       306995    50.8783  
300 only                  304055    50.391   
302                       2         0.0003   
302 only                  2         0.0003   
360                       3         0.0005   
360 only                  2         0.0003   
400                       8         0.0013   
400 only                  8         0.0013   
420                       120       0.0199   
420 only                  103       0.0171   
480                       11        0.0018   
480 only                  11        0.0018   
500                       4         0.0007   
500 only                  4         0.0007   
540                       4         0.0007   
540 only                  4         0.0007   
600                       29961     4.9654   
600 only                  29817     4.9416   
630                       1         0.0002   
630 only                  1         0.0002   
700                       1         0.0002   
700 only                  1         0.0002   
720                       6         0.001    
720 only                  6         0.001    
840                       2         0.0003   
840 only                  2         0.0003   
900                       1560      0.2585   
900 only                  1541      0.2554   
960                       3         0.0005   
960 only                  3         0.0005   
1000                      1         0.0002   
1000 only                 1         0.0002   
1200                      3528      0.5847   
1200 only                 3525      0.5842   
1210                      2         0.0003   
1210 only                 2         0.0003   
1320                      1         0.0002   
1320 only                 1         0.0002   
1380                      1         0.0002   
1380 only                 1         0.0002   
1440                      1         0.0002   
1440 only                 1         0.0002   
1500                      4         0.0007   
1500 only                 3         0.0005   
1800                      860       0.1425   
1800 only                 839       0.139    
1980                      2         0.0003   
1980 only                 2         0.0003   
2100                      1         0.0002   
2400                      8         0.0013   
2400 only                 8         0.0013   
2700                      12        0.002    
2700 only                 12        0.002    
3000                      41        0.0068   
3000 only                 41        0.0068   
3600                      1100      0.1823   
3600 only                 1090      0.1806   
3900                      2         0.0003   
3900 only                 2         0.0003   
4200                      2         0.0003   
4200 only                 1         0.0002   
4500                      1         0.0002   
4500 only                 1         0.0002   
5160                      1         0.0002   
5160 only                 1         0.0002   
5400                      15        0.0025   
5400 only                 9         0.0015   
6000                      341       0.0565   
6000 only                 340       0.0563   
7200                      15389     2.5504   
7200 only                 15355     2.5448   
7500                      2         0.0003   
7500 only                 2         0.0003   
9000                      2         0.0003   
9000 only                 2         0.0003   
10800                     5322      0.882    
10800 only                5300      0.8784   
14400                     147       0.0244   
14400 only                144       0.0239   
18000                     9         0.0015   
18000 only                8         0.0013   
21600                     4353      0.7214   
21600 only                4353      0.7214   
25200                     1         0.0002   
25200 only                1         0.0002   
28800                     2164      0.3586   
28800 only                2164      0.3586   
30000                     2         0.0003   
30000 only                1         0.0002   
36000                     1239      0.2053   
36000 only                1231      0.204    
43200                     67        0.0111   
43200 only                67        0.0111   
54000                     2         0.0003   
54000 only                2         0.0003   
60000                     3         0.0005   
60000 only                3         0.0005   
64800                     73037     12.1044  
64800 only                73018     12.1013  
72000                     12        0.002    
72000 only                12        0.002    
79200                     1         0.0002   
79200 only                1         0.0002   
86400                     3232      0.5356   
86400 only                3222      0.534    
100800                    9169      1.5196   
100800 only               9156      1.5174   
108000                    1         0.0002   
108000 only               1         0.0002   
115200                    1         0.0002   
115200 only               1         0.0002   
129600                    6         0.001    
129600 only               6         0.001    
172800                    49        0.0081   
172800 only               49        0.0081   
216000                    3         0.0005   
216000 only               3         0.0005   
259200                    3         0.0005   
259200 only               3         0.0005   
432000                    1         0.0002   
432000 only               1         0.0002   
604800                    1         0.0002   
864000                    2         0.0003   
864000 only               2         0.0003   
7776000                   2         0.0003   
7776000 only              2         0.0003   
None                      147458    24.4382  
None only                 144200    23.8983  

Certificate sig alg       Count     Percent 
-------------------------+---------+--------
None                      10178     1.6868   
ecdsa-with-SHA256         70598     11.7002  
sha1WithRSAEncryption     17351     2.8756   
sha256WithRSAEncryption   533303    88.3843  
sha384WithRSAEncryption   7         0.0012   
sha512WithRSAEncryption   77        0.0128   

Certificate key size      Count     Percent 
-------------------------+---------+--------
ECDSA 256                 72865     12.0759  
ECDSA 384                 41        0.0068   
ECDSA 521                 1         0.0002   
RSA 1024                  14        0.0023   
RSA 2048                  516458    85.5926  
RSA 2049                  4         0.0007   
RSA 2056                  1         0.0002   
RSA 2058                  3         0.0005   
RSA 2059                  1         0.0002   
RSA 2080                  6         0.001    
RSA 2084                  1         0.0002   
RSA 2086                  1         0.0002   
RSA 2096                  3         0.0005   
RSA 2408                  1         0.0002   
RSA 2432                  6         0.001    
RSA 2560                  1         0.0002   
RSA 2948                  1         0.0002   
RSA 3072                  158       0.0262   
RSA 3096                  2         0.0003   
RSA 3120                  1         0.0002   
RSA 3248                  3         0.0005   
RSA 4048                  3         0.0005   
RSA 4056                  21        0.0035   
RSA 4069                  1         0.0002   
RSA 4086                  3         0.0005   
RSA 4092                  2         0.0003   
RSA 4094                  1         0.0002   
RSA 4095                  1         0.0002   
RSA 4096                  33887     5.6161   
RSA 4196                  1         0.0002   
RSA 8192                  12        0.002    
RSA 8392                  1         0.0002   
RSA/ECDSA Dual Stack      20097     3.3307

OCSP stapling             Count     Percent 
-------------------------+---------+--------
Supported                 139486    23.117   
Unsupported               463905    76.883   

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      15694     2.601
SSL2 Only                 9         0.0015
SSL3                      88647     14.6915
SSL3 Only                 325       0.0539
SSL3 or TLS1 Only         47120     7.8092
SSL3 or lower Only        335       0.0555
TLS1                      590402    97.8473
TLS1 Only                 28435     4.7125
TLS1 or lower Only        61759     10.2353
TLS1.1                    532582    88.2648
TLS1.1 Only               43        0.0071
TLS1.1 or up Only         12475     2.0675
TLS1.2                    539663    89.4384
TLS1.2 Only               3587      0.5945
TLS1.2, 1.0 but not 1.1   5029      0.8335

Client Hello intolerance                 Count     Percent
----------------------------------------+---------+-------
Huge Cipher List                         539862    89.4713
Huge Cipher List (trunc 16388)           143271    23.7443
SSL 3.254                                19882     3.295
TLS 1.0                                  66391     11.003
TLS 1.1                                  3190      0.5287
TLS 1.2                                  67        0.0111
TLS 1.3                                  7896      1.3086
TLS 1.4                                  14758     2.4458
Xmas tree                                43001     7.1266
x:missing information                    44        0.0073



Statistics from 544239 chains provided by 734331 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  493648    67.2242
incomplete                20056     2.7312
untrusted                 220627    30.0446

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         1         0.0002
3                         540295    99.2753
4                         3930      0.7221
5                         13        0.0024

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 30197     
ECDSA 384                 30193     
RSA 1024                  9         
RSA 2045                  2         
RSA 2048                  845143    
RSA 4096                  186889    

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 30197     5.5485
ECDSA 384                 30193     5.5477
RSA 1024                  7         0.0013
RSA 2045                  2         0.0004
RSA 2048                  513612    94.3725
RSA 4096                  186227    34.2179

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              30185     
sha1WithRSAEncryption          20474     
sha256WithRSAEncryption        330105    
sha384WithRSAEncryption        167373    
sha512WithRSAEncryption        57        

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        20448     3.7572
112                       493575    90.6909
128                       30216     5.552

Most popular root CAs                         Count     Percent
---------------------------------------------+---------+-------
(d6325660) COMODO RSA Certification Authority 149876    27.5386
(2c543cd1) GeoTrust Global CA                 82272     15.1169
(cbf06781) Go Daddy Root Certificate Authorit 46152     8.4801
(5ad8a5d6) GlobalSign Root CA                 42046     7.7256
(b204d74a) VeriSign Class 3 Public Primary Ce 30585     5.6198
(eed8c118) COMODO ECC Certification Authority 30178     5.545
(244b5494) DigiCert High Assurance EV Root CA 21202     3.8957
(2e4eed3c) thawte Primary Root CA             17390     3.1953
(fc5a8f99) USERTrust RSA Certification Author 17354     3.1887
(2e5ac55d) DST Root CA X3                     16492     3.0303
(653b494a) Baltimore CyberTrust Root          11315     2.079
(3513523f) DigiCert Global Root CA            10347     1.9012
(ae8153b9) StartCom Certification Authority   9044      1.6618
(4bfab552) Starfield Root Certificate Authori 9012      1.6559
(e2799e36) GeoTrust Primary Certification Aut 6148      1.1297
(480720ec) GeoTrust Primary Certification Aut 5775      1.0611
(02265526) Entrust Root Certification Authori 3969      0.7293
(ba89ed3b) thawte Primary Root CA - G3        3394      0.6236
(8096d0a9) Certification Authority of WoSign  2877      0.5286
(157753a5) AddTrust External CA Root          2782      0.5112

Most popular intermediate CA                  Count     Percent
---------------------------------------------+---------+-------
(8d28ae65) COMODO RSA Domain Validation Secur 100923    18.5439
(27eb7704) Go Daddy Secure Certificate Author 46152     8.4801
(53f3e569) RapidSSL SHA256 CA - G3            40339     7.412
(6cfa716c) COMODO ECC Domain Validation Secur 30126     5.5354
(7d9c641e) Symantec Class 3 Secure Server CA  21662     3.9802
(1400f578) cPanel, Inc. Certification Authori 19580     3.5977
(38ae8eda) DigiCert SHA2 High Assurance Serve 17140     3.1494
(4f06f81d) Let's Encrypt Authority X3         16492     3.0303
(16744f0c) AlphaSSL CA - SHA256 - G2          16239     2.9838
(493a2f06) COMODO RSA Domain Validation Secur 13442     2.4699
(10310d4b) GeoTrust SSL CA - G3               13423     2.4664
(80ecc636) RapidSSL SHA256 CA                 12795     2.351
(d7d634d4) GlobalSign Domain Validation CA -  11432     2.1005
(b85455c4) GlobalSign Organization Validation 11363     2.0879
(c43a77d9) COMODO RSA Organization Validation 11217     2.061
(85cf5865) DigiCert SHA2 Secure Server CA     10208     1.8756
(9ad474ec) thawte SSL CA - G2                 9146      1.6805
(cd7781e5) Starfield Secure Certificate Autho 9012      1.6559
(d84ef247) GeoTrust DV SSL CA - G4            7163      1.3161
(a0f7ac3e) Symantec Class 3 EV SSL CA - G3    7144      1.3127
(3d97f5e2) Verizon Akamai SureServer CA G14-S 7025      1.2908
(fd917e82) SecureCore RSA DV CA               6995      1.2853
(b71a5f76) GeoTrust EV SSL CA - G4            5724      1.0517
(661c52cc) thawte DV SSL CA - G2              5368      0.9863
(e22cd3f0) COMODO RSA Extended Validation Sec 4365      0.802
(7f8496de) StartCom Class 1 DV Server CA      3678      0.6758
(45bfefc3) DigiCert SHA2 Extended Validation  3527      0.6481
(2835d715) Entrust Certification Authority -  3328      0.6115
(f131b364) RapidSSL CA                        3180      0.5843
(98d7cad7) GeoTrust DV SSL CA - G3            3154      0.5795



Scan performed between 20th of July and 17th of August 2016

November 2014 results – intolerancies

This time around, I have extended the scanning script to also include tests checking whether servers are tolerant to specific settings inside client hello messages. The scan itself also gained a fallback mode in case the regular scan (used up until now for all data collection) hasn’t detected any ciphers supported by the server, or the server appears to support just SSLv2. Other additions include scans for supported curves for ECDHE key exchange, the key signature algorithm for TLSv1.2 ECDHE and DHE key exchange, secure renegotiation support and compression.

Protocol versions

While I have provided some results for intolerance of specific settings in the Halloween special, a scan of the full Alexa top 1 million proved to be much more complex and harder to pin down in just a few lines. I’m afraid I won’t be able to tell much about the bugs the servers seem to be showing until I develop tests for specific bugs rather than the current probing with very generic (and rather standard) client hello messages.

That being said, the general statistics look like this: about 4.8% of servers refused a connection that started with a big, full-featured TLSv1.2 client hello. That includes about 0.1% of servers that are strictly TLSv1.2 ClientHello intolerant (even when inside a V2 Client Hello) and 0.18% that are intolerant to a regular TLSv1.2 client hello; the rest seem to be intolerant to just a big client hello or to placement of the RC4-SHA and RC4-MD5 ciphers after the 64th position (Windows 2003 bug).

Supported curves

Around 56.7% of servers will negotiate ECDHE cipher suites. The vast majority of servers support the NIST prime256v1 curve (55.6% of all TLS-enabled) and a large part of them support only this one curve (48.2%). The second most supported curve is secp384r1, supported by 7.3% of servers (0.02% support only this one). The third most supported curve is secp521r1, at 1.77%. Other curves hover around the 0.13% mark, with the exception of the brainpool curves (all 3 of them), which are supported by only 19 servers.

At the same time, there are servers which support only the secp521r1, sect163k1 or sect163r2 curves – those servers won’t be able to negotiate ECDHE ciphers with common web browsers. This is because the secp521r1 curve is supported only by some browsers (a list that doesn’t include Firefox and Internet Explorer) while the other two are unsupported by all major browsers.

Interestingly, nearly all servers dictate the selected curve (use server side ordering for curves) – only 0.13% of servers let the client select the most preferred curve.

Many servers (11.8% of total) will abort the connection completely in case the client does not support the curve preferred by the server.

Signature algorithms in PFS TLSv1.2 key exchange

As more eagle-eyed readers of RFC 5246 (the TLSv1.2 definition) may have noticed, the standard also allows the peers to negotiate the signature algorithm used for signing the DHE and ECDHE key exchange. In detail, it allows the server to sign the key exchange with MD5, SHA1 and SHA-2 family functions.

As we all know, MD5 is far from secure when used for digital signatures.

Unfortunately, many servers (24% of TLS-enabled) will sign the message with MD5 if the client “doesn’t leave them any choice”. A few (3 in total) will sign the key exchange only using MD5! The situation with the weak-but-not-broken-yet SHA1 is not much better, as 8% of servers will use only it for signing.

On many servers, support for the SHA2 family of functions is still lagging a bit behind SHA1 (respectively at around 42% and 51% of all).

Majority of servers will honour the client preferred signature mechanism (38% of TLS-enabled) while minority will take only its preference of it (18%).

In case the client doesn’t advertise any signature algorithm supported by server the behaviour is rather diverse. Most common is just forcing the client to accept SHA-1 signatures (at 23.9%), close second (at 23.7%) is aborting the connection if the client doesn’t advertise any RSA based signature algorithms. Less common still is aborting as soon as the client advertises only the unsupported signature algorithms (at 3.47%). Very few servers opt out to select ciphers that don’t require negotiation of signature algorithms (at 0.3%).

For servers with ECDSA keys, the situation is more uniform, where 5.5% of all TLS enabled servers will just force the SHA-1 signature algorithm, 20 servers will abort the connection while just one will drop down to RSA based, but still PFS-enabled cipher suite.
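To check which curve and signature algorithm a server actually picked, the two sides of this negotiation can be read straight off the wire. The following is an added example, not code from the scanning script: it encodes the client's signature_algorithms extension, parses a TLSv1.2 ECDHE ServerKeyExchange, and flags MD5/SHA1 signatures and algorithms the client never offered. The function names are hypothetical and the sample message is constructed with dummy key and signature bytes.

```python
import struct

# Code points from RFC 5246 (hash, signature) and RFC 4492 (named curves).
HASHES = {1: "MD5", 2: "SHA1", 3: "SHA224", 4: "SHA256", 5: "SHA384", 6: "SHA512"}
SIGS = {1: "RSA", 2: "DSA", 3: "ECDSA"}
CURVES = {1: "sect163k1", 3: "sect163r2", 23: "prime256v1",
          24: "secp384r1", 25: "secp521r1"}
WEAK_HASHES = {"MD5", "SHA1"}


def build_sigalgs_extension(names):
    """Encode the signature_algorithms extension (type 13) sent by a client."""
    hash_ids = {v: k for k, v in HASHES.items()}
    sig_ids = {v: k for k, v in SIGS.items()}
    body = b""
    for name in names:  # names use the report's notation, e.g. "RSA-SHA256"
        sig, hash_ = name.split("-", 1)
        body += bytes([hash_ids[hash_], sig_ids[sig]])  # wire order: hash, sig
    return struct.pack("!HHH", 13, len(body) + 2, len(body)) + body


def parse_ecdhe_ske(msg):
    """Parse a TLSv1.2 ECDHE ServerKeyExchange handshake message."""
    if len(msg) < 4 or msg[0] != 12:
        raise ValueError("not a ServerKeyExchange message")
    body = msg[4:]
    if int.from_bytes(msg[1:4], "big") != len(body):
        raise ValueError("length field does not match message size")
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ServerKeyExchange")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    if take(1)[0] != 3:  # ECCurveType named_curve
        raise ValueError("only named_curve parameters are handled")
    curve_id = int.from_bytes(take(2), "big")
    point = take(take(1)[0])                      # ephemeral public key
    hash_id, sig_id = take(2)                     # SignatureAndHashAlgorithm
    signature = take(int.from_bytes(take(2), "big"))
    if pos != len(body):
        raise ValueError("trailing bytes after signature")
    sigalg = "%s-%s" % (SIGS.get(sig_id, "sig%d" % sig_id),
                        HASHES.get(hash_id, "hash%d" % hash_id))
    return {"curve": CURVES.get(curve_id, "unknown(%d)" % curve_id),
            "sigalg": sigalg, "point_len": len(point), "sig_len": len(signature)}


def audit(offered, ske):
    """Compare the server's choice with what the client offered."""
    findings = []
    hash_name = ske["sigalg"].split("-", 1)[1]
    if hash_name in WEAK_HASHES:
        findings.append("weak hash in key exchange signature: " + hash_name)
    if ske["sigalg"] not in offered:
        findings.append("server ignored client list: %s was not offered"
                        % ske["sigalg"])
    return findings


def sample_ske(curve_id, hash_id, sig_id):
    """Constructed message with dummy point and signature, not a capture."""
    body = (b"\x03" + struct.pack("!H", curve_id)
            + b"\x41" + b"\x04" + b"\x00" * 64
            + bytes([hash_id, sig_id]) + struct.pack("!H", 256) + b"\xaa" * 256)
    return b"\x0c" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    offered = ["RSA-SHA256", "RSA-SHA384"]
    print(build_sigalgs_extension(offered).hex())
    ske = parse_ecdhe_ske(sample_ske(23, 2, 1))  # server forces RSA-SHA1
    print(ske)
    for finding in audit(offered, ske):
        print("-", finding)
```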

Cipher suites

Going back to our usual programming, use of cipher suites didn’t see many changes.

3DES ciphers have decreased a bit (2%) while AES-GCM has increased a bit (also ~2%). While servers that support RC4 have decreased slightly (~1.5%), the number of servers that force the use of RC4 remained essentially the same.

The number of servers that will negotiate insecure cipher suites has grown by just under 2%, but this may be caused by the addition of DES-CBC3-MD5 (at 8.7%), EXP-RC4-MD5 (at 11.7%), EXP1024-DES-CBC-SHA (at 2.3%), EXP1024-RC4-SHA (at 2.3%) and RC4-64-MD5 (at 0.39%) ciphers to the list of insecure ciphers, which previously either were counted towards the RC4 and 3DES numbers or not tested at all (the EXP1024 ciphers).

It’s nice to see that more servers still use server side cipher ordering, this month at 66.7% (up by just under 6%).

We’ve also seen a 1.5% growth in servers that prefer PFS capable cipher suites, caused nearly entirely by servers that prefer the P-256 NIST curve for ECDHE key exchange.

Server certificates

There was a slight increase in the number of servers that have certificates signed by ECDSA keys, by 0.7%.

The other good news is that SHA-1 keeps on losing, this month by 7.6% to a level of 68%.

The key sizes haven’t seen many changes: 2048 bit is still dominant at 90.7% for RSA, while 256 bit is dominant at 5.5% for ECDSA.

Looks like Google has once again modified their Apple clients detection, as the number of servers that report support for both RSA and ECDSA ciphersuites has gone back to nearly 0 (and the scanning script once again doesn’t report support of ECDHE-ECDSA ciphers for sites like youtube.com).

Protocols

Administrators keep on updating their configurations: SSLv2 support has gone down by 1.5% to 8.8%, while SSLv3 support has gone down by 23% to a level of 46%, making it the first month when SSLv3 is supported by less than half the web servers.

A bit surprisingly, TLSv1.0 has gained a bit of market, from the previous 97.7% to current 99.2% making it virtually ubiquitous.

TLSv1.1 and TLSv1.2 have gained a bit less, at around 1.5% and 2% respectively.

Vulnerabilities

Some of the servers are still vulnerable to long-known attacks: 4.3% support compression, and nearly 6.5% lack an implementation of RFC 5746 (secure renegotiation). These facilitate the CRIME and renegotiation attacks, respectively.

Trust chains

The changes for individual certificates or trust chains in general are not significant, all are below the 1% mark, but they all go in the right direction – for higher security.

Detailed cipher scan results

SSL/TLS survey of 441636 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      374355    84.7655
3DES Only                 402       0.091
AES                       413509    93.6312
AES Only                  3628      0.8215
AES-CBC Only              2370      0.5366
AES-GCM                   226553    51.2986
AES-GCM Only              11        0.0025
CAMELLIA                  169951    38.4821
CAMELLIA Only             1         0.0002
CHACHA20                  14060     3.1836
Insecure                  97652     22.1114
RC4                       370269    83.8403
RC4 Only                  3694      0.8364
RC4 Preferred             72316     16.3746
RC4 forced in TLS1.1+     44600     10.0988
x:FF 29 RC4 Only          521       0.118
x:FF 29 RC4 Preferred     77977     17.6564
x:FF 29 incompatible      152       0.0344
y:DHE-RSA-SEED-SHA        81413     18.4344
y:IDEA-CBC-MD5            3271      0.7407
y:IDEA-CBC-SHA            66611     15.0828
y:SEED-SHA                83866     18.9898
z:ADH-AES128-GCM-SHA256   297       0.0672
z:ADH-AES128-SHA          1093      0.2475
z:ADH-AES128-SHA256       258       0.0584
z:ADH-AES256-GCM-SHA384   298       0.0675
z:ADH-AES256-SHA          1105      0.2502
z:ADH-AES256-SHA256       258       0.0584
z:ADH-CAMELLIA128-SHA     461       0.1044
z:ADH-CAMELLIA256-SHA     471       0.1066
z:ADH-DES-CBC-SHA         457       0.1035
z:ADH-DES-CBC3-SHA        1145      0.2593
z:ADH-RC4-MD5             929       0.2104
z:ADH-SEED-SHA            327       0.074
z:AECDH-AES128-SHA        13449     3.0453
z:AECDH-AES256-SHA        13444     3.0441
z:AECDH-DES-CBC3-SHA      13404     3.0351
z:AECDH-NULL-SHA          32        0.0072
z:AECDH-RC4-SHA           12431     2.8148
z:DES-CBC-MD5             21586     4.8877
z:DES-CBC-SHA             57810     13.09
z:DES-CBC3-MD5            38510     8.7199
z:ECDHE-RSA-NULL-SHA      40        0.0091
z:EDH-RSA-DES-CBC-SHA     50046     11.332
z:EXP-ADH-DES-CBC-SHA     370       0.0838
z:EXP-ADH-RC4-MD5         375       0.0849
z:EXP-DES-CBC-SHA         43742     9.9045
z:EXP-EDH-RSA-DES-CBC-SHA 32332     7.321
z:EXP-RC2-CBC-MD5         48992     11.0933
z:EXP-RC4-MD5             51816     11.7327
z:EXP1024-DES-CBC-SHA     10301     2.3325
z:EXP1024-RC4-SHA         10439     2.3637
z:NULL-MD5                308       0.0697
z:NULL-SHA                310       0.0702
z:NULL-SHA256             21        0.0048
z:RC2-CBC-MD5             21992     4.9797
z:RC4-64-MD5              1761      0.3987

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               146876    33.2573
Server side               294760    66.7427

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1219      0.276
AECDH                     13477     3.0516
DHE                       218697    49.5197
ECDHE                     250523    56.7261
ECDHE and DHE             107307    24.2976
RSA                       416216    94.2441

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               194241    43.9821  88.8174
DH,1536bits               1         0.0002   0.0005
DH,2047bits               1         0.0002   0.0005
DH,2048bits               22093     5.0025   10.1021
DH,2226bits               1         0.0002   0.0005
DH,2236bits               2         0.0005   0.0009
DH,3072bits               11        0.0025   0.005
DH,3248bits               2         0.0005   0.0009
DH,4096bits               1313      0.2973   0.6004
DH,512bits                32507     7.3606   14.8639
DH,768bits                866       0.1961   0.396
DH,8192bits               1         0.0002   0.0005
ECDH,B-163,163bits        12        0.0027   0.0048
ECDH,B-571,570bits        565       0.1279   0.2255
ECDH,P-224,224bits        15        0.0034   0.006
ECDH,P-256,256bits        244052    55.2609  97.417
ECDH,P-384,384bits        717       0.1624   0.2862
ECDH,P-521,521bits        6141      1.3905   2.4513
Prefer DH,1024bits        102473    23.203   46.8562
Prefer DH,2048bits        2729      0.6179   1.2478
Prefer DH,2236bits        1         0.0002   0.0005
Prefer DH,3072bits        1         0.0002   0.0005
Prefer DH,4096bits        87        0.0197   0.0398
Prefer DH,512bits         23        0.0052   0.0105
Prefer DH,768bits         459       0.1039   0.2099
Prefer ECDH,B-163,163bits 12        0.0027   0.0048
Prefer ECDH,B-571,570bits 394       0.0892   0.1573
Prefer ECDH,P-224,224bits 14        0.0032   0.0056
Prefer ECDH,P-256,256bits 196706    44.5403  78.5181
Prefer ECDH,P-384,384bits 660       0.1494   0.2634
Prefer ECDH,P-521,521bits 5660      1.2816   2.2593
Prefer PFS                309219    70.0167  0
Support PFS               361913    81.9483  0

Supported ECC curves      Count     Percent 
-------------------------+---------+--------
brainpoolP256r1           19        0.0043   
brainpoolP384r1           19        0.0043   
brainpoolP512r1           19        0.0043   
prime192v1                573       0.1297   
prime256v1                245656    55.6241  
prime256v1 Only           213263    48.2893  
secp160k1                 554       0.1254   
secp160r1                 554       0.1254   
secp160r2                 554       0.1254   
secp192k1                 565       0.1279   
secp224k1                 576       0.1304   
secp224r1                 714       0.1617   
secp256k1                 579       0.1311   
secp384r1                 32501     7.3592   
secp384r1 Only            109       0.0247   
secp521r1                 7817      1.77     
secp521r1 Only            69        0.0156   
sect163k1                 559       0.1266   
sect163k1 Only            1         0.0002   
sect163r1                 557       0.1261   
sect163r2                 570       0.1291   
sect163r2 Only            12        0.0027   
sect193r1                 557       0.1261   
sect193r2                 557       0.1261   
sect233k1                 573       0.1297   
sect233r1                 573       0.1297   
sect239k1                 572       0.1295   
sect283k1                 573       0.1297   
sect283r1                 572       0.1295   
sect409k1                 570       0.1291   
sect409r1                 570       0.1291   
sect571k1                 574       0.13     
sect571r1                 574       0.13     

Unsupported curve fallback     Count     Percent 
------------------------------+---------+--------
False                          52248     11.8306  
True                           161110    36.4803  
order-specific                 10        0.0023   
unknown                        228268    51.6869  

ECC curve ordering        Count     Percent 
-------------------------+---------+--------
client                    577       0.1307   
inconclusive-noecc        2         0.0005   
server                    245280    55.539   
unknown                   195777    44.3299  

TLSv1.2 PFS supported sigalgs  Count     Percent 
------------------------------+---------+--------
ECDSA-SHA1                     24443     5.5346   
ECDSA-SHA224                   24448     5.5358   
ECDSA-SHA256                   24449     5.536    
ECDSA-SHA384                   24451     5.5365   
ECDSA-SHA512                   24454     5.5371   
ECDSA-SHA512 Only              3         0.0007   
RSA-MD5                        106330    24.0764  
RSA-MD5 Only                   3         0.0007   
RSA-SHA1                       225736    51.1136  
RSA-SHA1 Only                  35561     8.0521   
RSA-SHA224                     186614    42.2552  
RSA-SHA256                     191459    43.3522  
RSA-SHA256 Only                926       0.2097   
RSA-SHA384                     186997    42.3419  
RSA-SHA512                     187037    42.3509  
RSA-SHA512 Only                37        0.0084   

TLSv1.2 PFS ordering           Count     Percent 
------------------------------+---------+--------
client                         170553    38.6185  
indeterminate                  8         0.0018   
intolerant                     661       0.1497   
order-fallback                 5         0.0011   
server                         80372     18.1987  
unsupported                    40930     9.2678   

TLSv1.2 PFS sigalg fallback    Count     Percent 
------------------------------+---------+--------
ECDSA SHA1                     24438     5.5335   
ECDSA intolerant               20        0.0045   
ECDSA pfs-rsa-SHA512           1         0.0002   
RSA False                      104894    23.7512  
RSA SHA1                       105580    23.9066  
RSA intolerant                 15354     3.4766   
RSA pfs-ecdsa-SHA512           2         0.0005   
RSA soft-nopfs                 1464      0.3315   

Renegotiation             Count     Percent 
-------------------------+---------+--------
False                     11218     2.5401   
insecure                  28271     6.4014   
secure                    402147    91.0585  

Compression               Count     Percent 
-------------------------+---------+--------
1 (zlib compression)      19036     4.3103   
False                     11218     2.5401   
NONE                      411382    93.1496  

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
1                         1         0.0002   
1 only                    1         0.0002   
3                         2         0.0005   
3 only                    2         0.0005   
5                         1         0.0002   
5 only                    1         0.0002   
10                        3         0.0007   
10 only                   3         0.0007   
15                        7         0.0016   
15 only                   7         0.0016   
30                        9         0.002    
30 only                   9         0.002    
45                        1         0.0002   
45 only                   1         0.0002   
60                        71        0.0161   
60 only                   67        0.0152   
65                        1         0.0002   
65 only                   1         0.0002   
70                        1         0.0002   
75                        1         0.0002   
75 only                   1         0.0002   
100                       16        0.0036   
100 only                  16        0.0036   
120                       15        0.0034   
120 only                  15        0.0034   
128                       1         0.0002   
128 only                  1         0.0002   
180                       35        0.0079   
180 only                  35        0.0079   
240                       2         0.0005   
240 only                  2         0.0005   
300                       169526    38.3859  
300 only                  156066    35.3382  
360                       1         0.0002   
360 only                  1         0.0002   
400                       2         0.0005   
400 only                  2         0.0005   
420                       25        0.0057   
420 only                  17        0.0038   
480                       11        0.0025   
480 only                  10        0.0023   
600                       12859     2.9117   
600 only                  12605     2.8542   
660                       1         0.0002   
660 only                  1         0.0002   
900                       355       0.0804   
900 only                  337       0.0763   
960                       2         0.0005   
960 only                  2         0.0005   
1000                      1         0.0002   
1000 only                 1         0.0002   
1200                      253       0.0573   
1200 only                 249       0.0564   
1500                      11        0.0025   
1500 only                 10        0.0023   
1800                      258       0.0584   
1800 only                 254       0.0575   
2100                      1         0.0002   
2100 only                 1         0.0002   
2400                      1         0.0002   
2400 only                 1         0.0002   
2700                      5         0.0011   
2700 only                 5         0.0011   
3000                      8         0.0018   
3000 only                 8         0.0018   
3600                      336       0.0761   
3600 only                 309       0.07     
5400                      2         0.0005   
6000                      4         0.0009   
6000 only                 4         0.0009   
7200                      11602     2.6271   
7200 only                 8915      2.0186   
10800                     16        0.0036   
10800 only                8         0.0018   
14400                     1087      0.2461   
14400 only                1086      0.2459   
18000                     1         0.0002   
18000 only                1         0.0002   
21600                     3246      0.735    
21600 only                3244      0.7345   
28800                     13        0.0029   
28800 only                12        0.0027   
36000                     420       0.0951   
36000 only                412       0.0933   
43200                     2089      0.473    
43200 only                2089      0.473    
64800                     40233     9.11     
64800 only                40222     9.1075   
72000                     5         0.0011   
72000 only                5         0.0011   
86000                     37        0.0084   
86000 only                37        0.0084   
86400                     176       0.0399   
86400 only                174       0.0394   
100800                    13809     3.1268   
100800 only               13809     3.1268   
115200                    1         0.0002   
115200 only               1         0.0002   
129600                    13        0.0029   
129600 only               13        0.0029   
604800                    1         0.0002   
604800 only               1         0.0002   
864000                    6         0.0014   
864000 only               6         0.0014   
None                      201554    45.638   
None only                 185054    41.9019  

Certificate sig alg       Count     Percent 
-------------------------+---------+--------
None                      14532     3.2905   
ecdsa-with-SHA256         24424     5.5303   
sha1WithRSAEncryption     300669    68.0807  
sha256WithRSAEncryption   116628    26.4082  
sha512WithRSAEncryption   1         0.0002   

Certificate key size      Count     Percent 
-------------------------+---------+--------
ECDSA 256                 24452     5.5367   
ECDSA 384                 5         0.0011   
ECDSA 521                 1         0.0002   
RSA 1024                  1689      0.3824   
RSA 2028                  1         0.0002   
RSA 2047                  2         0.0005   
RSA 2048                  400697    90.7301  
RSA 2049                  1         0.0002   
RSA 2056                  6         0.0014   
RSA 2058                  2         0.0005   
RSA 2064                  1         0.0002   
RSA 2080                  2         0.0005   
RSA 2084                  10        0.0023   
RSA 2096                  1         0.0002   
RSA 2345                  1         0.0002   
RSA 2408                  3         0.0007   
RSA 2432                  8         0.0018   
RSA 2536                  1         0.0002   
RSA 2612                  1         0.0002   
RSA 3071                  1         0.0002   
RSA 3072                  54        0.0122   
RSA 3248                  3         0.0007   
RSA 3600                  1         0.0002   
RSA 4046                  1         0.0002   
RSA 4048                  2         0.0005   
RSA 4056                  33        0.0075   
RSA 4086                  3         0.0007   
RSA 4092                  2         0.0005   
RSA 4096                  14699     3.3283   
RSA 4098                  2         0.0005   
RSA 8192                  4         0.0009   
RSA/ECDSA Dual Stack      40        0.0091

OCSP stapling             Count     Percent 
-------------------------+---------+--------
Supported                 73634     16.673   
Unsupported               368002    83.327   

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      38835     8.7934
SSL2 Only                 100       0.0226
SSL3                      204062    46.2059
SSL3 Only                 2195      0.497
SSL3 or TLS1 Only         108575    24.5847
TLS1                      438481    99.2856
TLS1 Only                 46428     10.5127
TLS1.1                    281522    63.7453
TLS1.1 Only               25        0.0057
TLS1.1 or up Only         443       0.1003
TLS1.2                    292517    66.2349
TLS1.2 Only               337       0.0763
TLS1.2, 1.0 but not 1.1   13585     3.0761

Scan performed between 11th and 19th of November 2014.

Detailed trust chain results

Statistics from 477473 chains provided by 632817 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  413143    65.2863
incomplete                27529     4.3502
untrusted                 192145    30.3634

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         2158      0.452
3                         444774    93.1517
4                         30513     6.3905
5                         28        0.0059

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 24427     
ECDSA 384                 24427     
RSA 1024                  1337      
RSA 2045                  1         
RSA 2048                  893943    
RSA 4096                  39222     

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 24427     5.1159
ECDSA 384                 24427     5.1159
RSA 1024                  1333      0.2792
RSA 2045                  1         0.0002
RSA 2048                  451667    94.5953
RSA 4096                  38725     8.1104

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              24427     
sha1WithRSAEncryption          336966    
sha256WithRSAEncryption        90026     
sha384WithRSAEncryption        54445     
sha512WithRSAEncryption        20        

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        337471    70.6786
112                       115573    24.2051
128                       24429     5.1163

Most popular root CAs                         Count     Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA                 112050    23.4673
(157753a5) AddTrust External CA Root          76553     16.0329
(5ad8a5d6) GlobalSign Root CA                 48090     10.0718
(cbf06781) Go Daddy Root Certificate Authorit 37124     7.7751
(b204d74a) VeriSign Class 3 Public Primary Ce 30047     6.2929
(2e4eed3c) thawte Primary Root CA             28036     5.8717
(eed8c118) COMODO ECC Certification Authority 24425     5.1155
(244b5494) DigiCert High Assurance EV Root CA 23682     4.9599
(f081611a) The Go Daddy Group, Inc.           17028     3.5663
(b13cc6df) UTN-USERFirst-Hardware             12816     2.6841
(653b494a) Baltimore CyberTrust Root          11357     2.3786
(40547a79) COMODO Certification Authority     9670      2.0252
(ae8153b9) StartCom Certification Authority   9305      1.9488
(f387163d) Starfield Technologies, Inc.       7652      1.6026