Big changes mostly caused by Cloudflare's Universal SSL and aftermatch of POODLE.
Detailed analysys on my blog:
http://securitypitfalls.wordpress.com/2014/10/25/october-2014-results-big...
SSL/TLS survey of 435987 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)
Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 377229 86.523
3DES Only 168 0.0385
AES 409388 93.8991
AES Only 2002 0.4592
AES-CBC Only 877 0.2012
AES-GCM 210554 48.2936
AES-GCM Only 17 0.0039
CAMELLIA 171200 39.2672
CHACHA20 14611 3.3512
Insecure 88343 20.2628
RC4 375776 86.1897
RC4 Only 3595 0.8246
RC4 Preferred 67695 15.5268
RC4 forced in TLS1.1+ 47943 10.9964
x:FF 29 RC4 Only 5814 1.3335
x:FF 29 RC4 Preferred 79458 18.2249
x:FF 29 incompatible 164 0.0376
y:DHE-RSA-SEED-SHA 80620 18.4914
y:IDEA-CBC-MD5 3756 0.8615
y:IDEA-CBC-SHA 67532 15.4895
y:SEED-SHA 86784 19.9052
z:ADH-AES128-GCM-SHA256 338 0.0775
z:ADH-AES128-SHA 1197 0.2745
z:ADH-AES128-SHA256 317 0.0727
z:ADH-AES256-GCM-SHA384 338 0.0775
z:ADH-AES256-SHA 1202 0.2757
z:ADH-AES256-SHA256 317 0.0727
z:ADH-CAMELLIA128-SHA 559 0.1282
z:ADH-CAMELLIA256-SHA 567 0.13
z:ADH-DES-CBC-SHA 530 0.1216
z:ADH-DES-CBC3-SHA 1250 0.2867
z:ADH-RC4-MD5 1059 0.2429
z:ADH-SEED-SHA 393 0.0901
z:AECDH-AES128-SHA 14245 3.2673
z:AECDH-AES256-SHA 14255 3.2696
z:AECDH-DES-CBC3-SHA 14216 3.2606
z:AECDH-NULL-SHA 30 0.0069
z:AECDH-RC4-SHA 13277 3.0453
z:DES-CBC-MD5 24072 5.5213
z:DES-CBC-SHA 66848 15.3326
z:ECDHE-RSA-NULL-SHA 36 0.0083
z:EDH-RSA-DES-CBC-SHA 58599 13.4405
z:EXP-ADH-DES-CBC-SHA 435 0.0998
z:EXP-ADH-RC4-MD5 438 0.1005
z:EXP-DES-CBC-SHA 52036 11.9352
z:EXP-EDH-RSA-DES-CBC-SHA 40390 9.264
z:EXP-RC2-CBC-MD5 56308 12.9151
z:NULL-MD5 359 0.0823
z:NULL-SHA 361 0.0828
z:NULL-SHA256 19 0.0044
z:RC2-CBC-MD5 28014 6.4254
Cipher ordering Count Percent
-------------------------+---------+-------
Client side 170342 39.0704
Server side 265645 60.9296
FF 29 selected ciphers Count Percent
-----------------------------+---------+------
AES128-SHA 41722 9.5696
AES256-SHA 25362 5.8171
CAMELLIA128-SHA 132 0.0303
CAMELLIA256-SHA 45 0.0103
DES-CBC3-SHA 1046 0.2399
DHE-RSA-AES128-SHA 98725 22.644
DHE-RSA-AES256-SHA 14490 3.3235
DHE-RSA-CAMELLIA128-SHA 34 0.0078
DHE-RSA-CAMELLIA256-SHA 540 0.1239
ECDHE-ECDSA-AES128-GCM-SHA256 28993 6.65
ECDHE-ECDSA-AES128-SHA 33 0.0076
ECDHE-ECDSA-AES256-SHA 1 0.0002
ECDHE-RSA-AES128-GCM-SHA256 115469 26.4845
ECDHE-RSA-AES128-SHA 3024 0.6936
ECDHE-RSA-AES256-SHA 26483 6.0743
ECDHE-RSA-DES-CBC3-SHA 41 0.0094
ECDHE-RSA-RC4-SHA 22083 5.0651
EDH-RSA-DES-CBC3-SHA 234 0.0537
RC4-MD5 14117 3.2379
RC4-SHA 43249 9.9198
x:DHE 114023 26.1528
x:ECDHE 196127 44.9846
x:kRSA 125673 28.8249
Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 1316 0.3018
AECDH 14284 3.2762
DHE 211473 48.5044
ECDHE 234954 53.8901
ECDHE and DHE 88609 20.3238
RSA 418706 96.0363
Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 191816 43.9958 90.7047
DH,1536bits 1 0.0002 0.0005
DH,2048bits 17701 4.06 8.3703
DH,2226bits 1 0.0002 0.0005
DH,2236bits 2 0.0005 0.0009
DH,2430bits 1 0.0002 0.0005
DH,3072bits 9 0.0021 0.0043
DH,3247bits 1 0.0002 0.0005
DH,3248bits 2 0.0005 0.0009
DH,4096bits 1006 0.2307 0.4757
DH,512bits 40546 9.2998 19.1731
DH,768bits 779 0.1787 0.3684
DH,8192bits 1 0.0002 0.0005
ECDH,B-163,163bits 15 0.0034 0.0064
ECDH,B-571,570bits 456 0.1046 0.1941
ECDH,P-224,224bits 6 0.0014 0.0026
ECDH,P-256,256bits 233089 53.4624 99.2062
ECDH,P-384,384bits 675 0.1548 0.2873
ECDH,P-521,521bits 1259 0.2888 0.5358
Prefer DH,1024bits 111225 25.5111 52.5954
Prefer DH,1536bits 1 0.0002 0.0005
Prefer DH,2048bits 1875 0.4301 0.8866
Prefer DH,2236bits 1 0.0002 0.0005
Prefer DH,3072bits 1 0.0002 0.0005
Prefer DH,4096bits 61 0.014 0.0288
Prefer DH,512bits 6 0.0014 0.0028
Prefer DH,768bits 443 0.1016 0.2095
Prefer ECDH,B-163,163bits 15 0.0034 0.0064
Prefer ECDH,B-571,570bits 357 0.0819 0.1519
Prefer ECDH,P-224,224bits 4 0.0009 0.0017
Prefer ECDH,P-256,256bits 183233 42.0272 77.9868
Prefer ECDH,P-384,384bits 616 0.1413 0.2622
Prefer ECDH,P-521,521bits 1191 0.2732 0.5069
Prefer PFS 299029 68.5867 0
Support PFS 357818 82.0708 0
TLS session ticket hint Count Percent
-------------------------+---------+--------
3 2 0.0005
3 only 2 0.0005
5 1 0.0002
5 only 1 0.0002
10 1 0.0002
10 only 1 0.0002
30 10 0.0023
30 only 3 0.0007
60 57 0.0131
60 only 50 0.0115
64 1 0.0002
100 17 0.0039
100 only 17 0.0039
120 14 0.0032
120 only 14 0.0032
128 2 0.0005
128 only 2 0.0005
180 27 0.0062
180 only 27 0.0062
240 3 0.0007
240 only 3 0.0007
300 168875 38.734
300 only 151039 34.643
360 1 0.0002
360 only 1 0.0002
400 1 0.0002
400 only 1 0.0002
420 22 0.005
420 only 13 0.003
480 10 0.0023
480 only 10 0.0023
600 9358 2.1464
600 only 9103 2.0879
900 289 0.0663
900 only 266 0.061
960 2 0.0005
960 only 2 0.0005
1000 1 0.0002
1000 only 1 0.0002
1200 64 0.0147
1200 only 61 0.014
1500 9 0.0021
1500 only 8 0.0018
1800 211 0.0484
1800 only 204 0.0468
2100 1 0.0002
2100 only 1 0.0002
2400 1 0.0002
2400 only 1 0.0002
2700 5 0.0011
2700 only 5 0.0011
3000 11 0.0025
3000 only 11 0.0025
3600 296 0.0679
3600 only 281 0.0645
5400 2 0.0005
7200 11402 2.6152
7200 only 8697 1.9948
10800 15 0.0034
10800 only 8 0.0018
14400 929 0.2131
14400 only 927 0.2126
21600 723 0.1658
21600 only 722 0.1656
28800 8 0.0018
28800 only 8 0.0018
36000 409 0.0938
36000 only 408 0.0936
43200 5170 1.1858
43200 only 5170 1.1858
64800 37708 8.6489
64800 only 33313 7.6408
72000 8 0.0018
72000 only 8 0.0018
86000 27 0.0062
86000 only 23 0.0053
86400 168 0.0385
86400 only 167 0.0383
100800 14357 3.293
100800 only 17 0.0039
115200 1 0.0002
115200 only 1 0.0002
129600 11 0.0025
129600 only 11 0.0025
604800 1 0.0002
604800 only 1 0.0002
864000 4 0.0009
864000 only 4 0.0009
None 225373 51.6926
None only 185753 42.6052
Certificate sig alg Count Percent
-------------------------+---------+--------
None 15401 3.5324
ecdsa-with-SHA256 20950 4.8052
sha1WithRSAEncryption 330148 75.7243
sha256WithRSAEncryption 89341 20.4917
sha512WithRSAEncryption 1 0.0002
Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 29029 6.6582
ECDSA 384 2 0.0005
ECDSA 521 1 0.0002
RSA 1024 1672 0.3835
RSA 2028 1 0.0002
RSA 2047 2 0.0005
RSA 2048 403610 92.5739
RSA 2049 1 0.0002
RSA 2056 5 0.0011
RSA 2058 2 0.0005
RSA 2064 1 0.0002
RSA 2080 2 0.0005
RSA 2084 8 0.0018
RSA 2345 1 0.0002
RSA 2408 2 0.0005
RSA 2432 11 0.0025
RSA 2536 1 0.0002
RSA 3050 1 0.0002
RSA 3072 61 0.014
RSA 3096 1 0.0002
RSA 3248 3 0.0007
RSA 3600 1 0.0002
RSA 4046 2 0.0005
RSA 4048 2 0.0005
RSA 4056 4 0.0009
RSA 4069 1 0.0002
RSA 4086 2 0.0005
RSA 4092 4 0.0009
RSA 4096 14038 3.2198
RSA 4098 2 0.0005
RSA 4192 1 0.0002
RSA 8192 5 0.0011
RSA/ECDSA Dual Stack 12472 2.8606
OCSP stapling Count Percent
-------------------------+---------+--------
Supported 60520 13.8811
Unsupported 375467 86.1189
Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 44800 10.2755
SSL2 Only 5536 1.2698
SSL3 302890 69.4723
SSL3 Only 2971 0.6814
SSL3 or TLS1 Only 109447 25.1033
TLS1 426128 97.7387
TLS1 Only 22838 5.2382
TLS1.1 270662 62.0803
TLS1.1 Only 25 0.0057
TLS1.1 or up Only 610 0.1399
TLS1.2 279090 64.0134
TLS1.2 Only 441 0.1011
TLS1.2, 1.0 but not 1.1 12266 2.8134
Statistics from 484280 chains provided by 627529 hosts
Server provided chains Count Percent
-------------------------+---------+-------
complete 403421 64.2872
incomplete 30809 4.9096
untrusted 193299 30.8032
Trusted chain statistics
========================
Chain length Count Percent
-------------------------+---------+-------
2 2084 0.4303
3 460867 95.1654
4 21301 4.3985
5 28 0.0058
CA key size in chains Count
-------------------------+---------
ECDSA 256 20950
ECDSA 384 20950
RSA 1024 1362
RSA 2045 1
RSA 2048 915053
RSA 4096 29517
Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 20950 4.326
ECDSA 384 20950 4.326
RSA 1024 1357 0.2802
RSA 2045 1 0.0002
RSA 2048 461970 95.3932
RSA 4096 29113 6.0116
Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 20950
sha1WithRSAEncryption 377133
sha256WithRSAEncryption 68752
sha384WithRSAEncryption 36708
sha512WithRSAEncryption 10
Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 377698 77.9917
112 85631 17.6821
128 20951 4.3262
Common Root CAs Count Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA 118634 24.497
(157753a5) AddTrust External CA Root 75645 15.6201
(5ad8a5d6) GlobalSign Root CA 56056 11.5751
(cbf06781) Go Daddy Root Certificate Authorit 34301 7.0829
(2e4eed3c) thawte Primary Root CA 27922 5.7657
(b204d74a) VeriSign Class 3 Public Primary Ce 27262 5.6294
(244b5494) DigiCert High Assurance EV Root CA 23640 4.8815
(eed8c118) COMODO ECC Certification Authority 20947 4.3254
(f081611a) The Go Daddy Group, Inc. 21077 4.3522
(b13cc6df) UTN-USERFirst-Hardware 13019 2.6883
(653b494a) Baltimore CyberTrust Root 11115 2.2952
(40547a79) COMODO Certification Authority 10071 2.0796
(ae8153b9) StartCom Certification Authority 8762 1.8093
(f387163d) Starfield Technologies, Inc. 8273 1.7083
The scan was performed between 13th and 24th of October 2014.
--
Regards,
Hubert Kario