no analysis this time, I've been too busy, sorry
SSL/TLS survey of 536563 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)
Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 459320 85.6041
AES 530014 98.7795
AES Only 45794 8.5347
AES-CBC 529364 98.6583
AES-CBC Only 10074 1.8775
AES-GCM 412370 76.854
AES-GCM Only 538 0.1003
CAMELLIA 222494 41.4665
CAMELLIA Only 3 0.0006
CHACHA20 69686 12.9875
CHACHA20 Only 6 0.0011
Insecure 57699 10.7534
RC4 183979 34.2884
RC4 Only 864 0.161
RC4 Preferred 19979 3.7235
RC4 forced in TLS1.1+ 10502 1.9573
x:FF 29 RC4 Only 1093 0.2037
x:FF 29 RC4 Preferred 22208 4.1389
x:FF 29 incompatible 391 0.0729
x:FF 35 RC4 Only 1327 0.2473
x:FF 35 RC4 Preferred 22286 4.1535
x:FF 35 incompatible 395 0.0736
y:DHE-RSA-SEED-SHA 66508 12.3952
y:IDEA-CBC-SHA 61454 11.4533
y:SEED-SHA 77575 14.4578
z:ADH-AES128-GCM-SHA256 397 0.074
z:ADH-AES128-SHA 727 0.1355
z:ADH-AES128-SHA256 282 0.0526
z:ADH-AES256-GCM-SHA384 407 0.0759
z:ADH-AES256-SHA 745 0.1388
z:ADH-AES256-SHA256 282 0.0526
z:ADH-CAMELLIA128-SHA 367 0.0684
z:ADH-CAMELLIA256-SHA 379 0.0706
z:ADH-DES-CBC-SHA 309 0.0576
z:ADH-DES-CBC3-SHA 744 0.1387
z:ADH-RC4-MD5 597 0.1113
z:ADH-SEED-SHA 296 0.0552
z:AECDH-AES128-SHA 9967 1.8576
z:AECDH-AES256-SHA 10016 1.8667
z:AECDH-DES-CBC3-SHA 9935 1.8516
z:AECDH-NULL-SHA 60 0.0112
z:AECDH-RC4-SHA 9381 1.7484
z:DES-CBC-MD5 10532 1.9629
z:DES-CBC-SHA 35384 6.5946
z:DES-CBC3-MD5 21789 4.0608
z:ECDHE-RSA-NULL-SHA 64 0.0119
z:EDH-RSA-DES-CBC-SHA 30143 5.6178
z:EXP-ADH-DES-CBC-SHA 206 0.0384
z:EXP-ADH-RC4-MD5 201 0.0375
z:EXP-DES-CBC-SHA 13685 2.5505
z:EXP-EDH-RSA-DES-CBC-SHA 10941 2.0391
z:EXP-RC2-CBC-MD5 16617 3.0969
z:EXP-RC4-MD5 17371 3.2375
z:EXP1024-DES-CBC-SHA 4273 0.7964
z:EXP1024-RC4-SHA 4354 0.8115
z:IDEA-CBC-MD5 2139 0.3986
z:NULL-MD5 227 0.0423
z:NULL-SHA 227 0.0423
z:NULL-SHA256 28 0.0052
z:RC2-CBC-MD5 10751 2.0037
z:RC4-64-MD5 880 0.164
Cipher ordering Count Percent
-------------------------+---------+-------
Client side 132599 24.7127
Server side 403964 75.2873
Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 892 0.1662
AECDH 10038 1.8708
DHE 290879 54.2115
ECDH 3 0.0006
ECDHE 438449 81.7144
ECDHE and DHE 230817 43.0177
RSA 462690 86.2322
Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 156486 29.1645 53.7976
DH,1338bits 1 0.0002 0.0003
DH,1536bits 1 0.0002 0.0003
DH,2048bits 125695 23.426 43.2121
DH,2236bits 13 0.0024 0.0045
DH,2432bits 2 0.0004 0.0007
DH,2560bits 1 0.0002 0.0003
DH,3072bits 96 0.0179 0.033
DH,3092bits 1 0.0002 0.0003
DH,4094bits 1 0.0002 0.0003
DH,4096bits 8225 1.5329 2.8276
DH,4098bits 1 0.0002 0.0003
DH,512bits 39 0.0073 0.0134
DH,6144bits 2 0.0004 0.0007
DH,768bits 413 0.077 0.142
DH,8192bits 2 0.0004 0.0007
ECDH,B-571,570bits 1680 0.3131 0.3832
ECDH,K-163,163bits 1 0.0002 0.0002
ECDH,P-192,192bits 13 0.0024 0.003
ECDH,P-224,224bits 85 0.0158 0.0194
ECDH,P-256,256bits 424488 79.1124 96.8158
ECDH,P-384,384bits 3868 0.7209 0.8822
ECDH,P-521,521bits 9879 1.8412 2.2532
Prefer DH,1024bits 55460 10.3362 19.0663
Prefer DH,1536bits 1 0.0002 0.0003
Prefer DH,2048bits 7764 1.447 2.6692
Prefer DH,3072bits 10 0.0019 0.0034
Prefer DH,4096bits 364 0.0678 0.1251
Prefer DH,768bits 48 0.0089 0.0165
Prefer ECDH,B-571,570bits 1483 0.2764 0.3382
Prefer ECDH,K-163,163bits 1 0.0002 0.0002
Prefer ECDH,P-224,224bits 82 0.0153 0.0187
Prefer ECDH,P-256,256bits 386031 71.9451 88.0447
Prefer ECDH,P-384,384bits 2985 0.5563 0.6808
Prefer ECDH,P-521,521bits 8928 1.6639 2.0363
Prefer PFS 463157 86.3192 0
Support PFS 498511 92.9082 0
Supported ECC curves Count Percent
-------------------------+---------+--------
brainpoolP256r1 2250 0.4193
brainpoolP384r1 2253 0.4199
brainpoolP512r1 2257 0.4206
prime192v1 1426 0.2658
prime256v1 435505 81.1657
prime256v1 Only 381299 71.0632
secp160k1 1377 0.2566
secp160r1 1382 0.2576
secp160r2 1376 0.2564
secp192k1 1394 0.2598
secp224k1 1465 0.273
secp224r1 4037 0.7524
secp224r1 Only 1 0.0002
secp256k1 3628 0.6762
secp384r1 54625 10.1805
secp384r1 Only 479 0.0893
secp521r1 24462 4.559
secp521r1 Only 129 0.024
sect163k1 1388 0.2587
sect163k1 Only 1 0.0002
sect163r1 1387 0.2585
sect163r2 1387 0.2585
sect193r1 1385 0.2581
sect193r2 1384 0.2579
sect233k1 1466 0.2732
sect233r1 1464 0.2728
sect239k1 1461 0.2723
sect283k1 3583 0.6678
sect283r1 3581 0.6674
sect409k1 3584 0.668
sect409r1 3584 0.668
sect571k1 3594 0.6698
sect571r1 3596 0.6702
Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 67862 12.6475
True 312481 58.2375
order-specific 96 0.0179
unknown 156124 29.097
ECC curve ordering Count Percent
-------------------------+---------+--------
client 5459 1.0174
inconclusive-noecc 12 0.0022
server 430685 80.2674
unknown 100407 18.713
TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 41280 7.6934
ECDSA-SHA1 Only 2 0.0004
ECDSA-SHA224 41274 7.6923
ECDSA-SHA256 55318 10.3097
ECDSA-SHA384 55314 10.3089
ECDSA-SHA512 55315 10.3091
ECDSA-SHA512 Only 1 0.0002
RSA-MD5 156847 29.2318
RSA-SHA1 379786 70.7813
RSA-SHA1 Only 42067 7.8401
RSA-SHA224 314857 58.6803
RSA-SHA256 345177 64.3311
RSA-SHA256 Only 6253 1.1654
RSA-SHA384 316545 58.9949
RSA-SHA384 Only 1 0.0002
RSA-SHA512 316760 59.035
RSA-SHA512 Only 293 0.0546
TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 241325 44.9761
indeterminate 115 0.0214
intolerant 4940 0.9207
order-fallback 4 0.0007
server 182715 34.0529
unsupported 21177 3.9468
TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 41260 7.6897
ECDSA intolerant 48 0.0089
ECDSA pfs-rsa-SHA512 14029 2.6146
ECDSA soft-nopfs 2 0.0004
RSA False 155749 29.0272
RSA SHA1 196182 36.5627
RSA intolerant 36096 6.7273
RSA pfs-ecdsa-SHA512 8 0.0015
RSA soft-nopfs 1168 0.2177
Renegotiation Count Percent
-------------------------+---------+--------
False 6429 1.1982
insecure 17943 3.3441
secure 512191 95.4578
Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 9264 1.7265
False 6429 1.1982
NONE 520870 97.0753
TLS session ticket hint Count Percent
-------------------------+---------+--------
1 5 0.0009
1 only 5 0.0009
2 2 0.0004
2 only 2 0.0004
5 1 0.0002
5 only 1 0.0002
10 12 0.0022
10 only 12 0.0022
15 8 0.0015
15 only 8 0.0015
30 17 0.0032
30 only 15 0.0028
60 98 0.0183
60 only 93 0.0173
65 2 0.0004
65 only 2 0.0004
70 6 0.0011
100 16 0.003
100 only 16 0.003
120 29 0.0054
120 only 29 0.0054
128 3 0.0006
128 only 3 0.0006
150 2 0.0004
180 48 0.0089
180 only 45 0.0084
240 8 0.0015
240 only 8 0.0015
300 254800 47.4874
300 only 250537 46.6929
302 3 0.0006
302 only 3 0.0006
360 2 0.0004
360 only 1 0.0002
400 6 0.0011
400 only 6 0.0011
420 133 0.0248
420 only 105 0.0196
480 15 0.0028
480 only 15 0.0028
500 4 0.0007
500 only 4 0.0007
540 1 0.0002
540 only 1 0.0002
600 27913 5.2022
600 only 27746 5.1711
700 1 0.0002
700 only 1 0.0002
840 1 0.0002
840 only 1 0.0002
900 923 0.172
900 only 896 0.167
960 1 0.0002
960 only 1 0.0002
1200 2345 0.437
1200 only 2339 0.4359
1320 1 0.0002
1320 only 1 0.0002
1500 11 0.0021
1500 only 10 0.0019
1800 536 0.0999
1800 only 528 0.0984
1980 1 0.0002
1980 only 1 0.0002
2100 1 0.0002
2100 only 1 0.0002
2400 8 0.0015
2400 only 8 0.0015
2700 10 0.0019
2700 only 10 0.0019
3000 26 0.0048
3000 only 26 0.0048
3300 1 0.0002
3300 only 1 0.0002
3600 614 0.1144
3600 only 602 0.1122
3900 1 0.0002
3900 only 1 0.0002
4100 1 0.0002
4100 only 1 0.0002
5160 1 0.0002
5160 only 1 0.0002
5400 14 0.0026
5400 only 7 0.0013
6000 200 0.0373
6000 only 200 0.0373
7200 15561 2.9001
7200 only 15539 2.896
10800 3493 0.651
10800 only 3481 0.6488
14400 98 0.0183
14400 only 98 0.0183
18000 8 0.0015
18000 only 8 0.0015
21600 4783 0.8914
21600 only 4783 0.8914
25200 1 0.0002
25200 only 1 0.0002
28800 2385 0.4445
28800 only 2380 0.4436
36000 1170 0.2181
36000 only 1163 0.2167
43200 39 0.0073
43200 only 39 0.0073
60000 1 0.0002
60000 only 1 0.0002
64800 4661 0.8687
64800 only 4660 0.8685
72000 31 0.0058
72000 only 31 0.0058
79200 1 0.0002
79200 only 1 0.0002
86000 46 0.0086
86000 only 46 0.0086
86400 3553 0.6622
86400 only 3545 0.6607
100800 10783 2.0096
100800 only 10771 2.0074
115200 1 0.0002
115200 only 1 0.0002
129600 8 0.0015
129600 only 8 0.0015
172800 9 0.0017
172800 only 9 0.0017
216000 1 0.0002
216000 only 1 0.0002
432000 2 0.0004
432000 only 2 0.0004
604800 2 0.0004
604800 only 1 0.0002
None 206697 38.5224
None only 202099 37.6655
Certificate sig alg Count Percent
-------------------------+---------+--------
None 10673 1.9891
ecdsa-with-SHA256 55263 10.2994
sha1WithRSAEncryption 66180 12.3341
sha256WithRSAEncryption 429902 80.1214
sha384WithRSAEncryption 5 0.0009
sha512WithRSAEncryption 37 0.0069
Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 55328 10.3116
ECDSA 384 15 0.0028
RSA 1024 33 0.0062
RSA 2048 474602 88.4522
RSA 2049 2 0.0004
RSA 2058 3 0.0006
RSA 2064 1 0.0002
RSA 2084 4 0.0007
RSA 2096 2 0.0004
RSA 2408 1 0.0002
RSA 2480 1 0.0002
RSA 3071 1 0.0002
RSA 3072 127 0.0237
RSA 3096 2 0.0004
RSA 3248 3 0.0006
RSA 4042 1 0.0002
RSA 4048 1 0.0002
RSA 4056 24 0.0045
RSA 4069 1 0.0002
RSA 4092 6 0.0011
RSA 4094 2 0.0004
RSA 4095 1 0.0002
RSA 4096 20517 3.8238
RSA 4098 1 0.0002
RSA 4196 2 0.0004
RSA 8192 6 0.0011
RSA/ECDSA Dual Stack 14112 2.6301
OCSP stapling Count Percent
-------------------------+---------+--------
Supported 122156 22.7664
Unsupported 414407 77.2336
Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 22019 4.1037
SSL2 Only 16 0.003
SSL3 114551 21.349
SSL3 Only 451 0.0841
SSL3 or TLS1 Only 62546 11.6568
SSL3 or lower Only 465 0.0867
TLS1 530535 98.8766
TLS1 Only 38783 7.228
TLS1 or lower Only 83051 15.4783
TLS1.1 440269 82.0536
TLS1.1 Only 341 0.0636
TLS1.1 or up Only 5269 0.982
TLS1.2 450259 83.9154
TLS1.2 Only 2150 0.4007
TLS1.2, 1.0 but not 1.1 10510 1.9588
Statistics from 571668 chains provided by 706831 hosts
Server provided chains Count Percent
-------------------------+---------+-------
complete 509502 72.0826
incomplete 25925 3.6678
untrusted 171404 24.2496
Trusted chain statistics
========================
Chain length Count Percent
-------------------------+---------+-------
2 33 0.0058
3 569492 99.6194
4 2129 0.3724
5 14 0.0024
CA key size in chains Count
-------------------------+---------
ECDSA 256 55261
ECDSA 384 55264
RSA 1024 33
RSA 2045 3
RSA 2048 886633
RSA 4096 148266
Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 55261 9.6666
ECDSA 384 55264 9.6671
RSA 1024 31 0.0054
RSA 2045 3 0.0005
RSA 2048 516046 90.2702
RSA 4096 147728 25.8416
Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 55257
sha1WithRSAEncryption 74114
sha256WithRSAEncryption 311465
sha384WithRSAEncryption 132882
sha512WithRSAEncryption 74
Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 74154 12.9715
112 442237 77.3591
128 55277 9.6694
Most common root CAs Count Percent
---------------------------------------------+---------+-------
(157753a5) AddTrust External CA Root 21173 3.7037
(244b5494) DigiCert High Assurance EV Root CA 22796 3.9876
(2c543cd1) GeoTrust Global CA 103983 18.1894
(2e4eed3c) thawte Primary Root CA 22155 3.8755
(3513523f) DigiCert Global Root CA 8921 1.5605
(4bfab552) Starfield Root Certificate Authori 7786 1.362
(5ad8a5d6) GlobalSign Root CA 49934 8.7348
(653b494a) Baltimore CyberTrust Root 11652 2.0382
(ae8153b9) StartCom Certification Authority 9075 1.5875
(b204d74a) VeriSign Class 3 Public Primary Ce 33097 5.7895
(cbf06781) Go Daddy Root Certificate Authorit 50135 8.77
(d6325660) COMODO RSA Certification Authority 118944 20.8065
(eed8c118) COMODO ECC Certification Authority 55250 9.6647
(fc5a8f99) USERTrust RSA Certification Author 13826 2.4185
Scan performed between 15th of December and 26 of December 2015.
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web:
www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic