Mostly a continuation of established trends.

The number of TLS-enabled websites has rebounded since last month, going back
above the 50% level, but still below the May watermark.

Detailed analysis on my blog:
https://securitypitfalls.wordpress.com/2015/07/29/july-2015-scan-results/

SSL/TLS survey of 501992 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have a valid certificate installed)

Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 424054 84.4743
3DES Only 812 0.1618
AES 492491 98.1073
AES Only 17862 3.5582
AES-CBC 492390 98.0872
AES-CBC Only 9258 1.8443
AES-GCM 347128 69.1501
AES-GCM Only 41 0.0082
CAMELLIA 223605 44.5435
CAMELLIA Only 1 0.0002
CHACHA20 60925 12.1366
Insecure 74098 14.7608
RC4 254399 50.6779
RC4 Only 1484 0.2956
RC4 Preferred 31098 6.1949
RC4 forced in TLS1.1+ 17264 3.4391
x:FF 29 RC4 Only 1823 0.3632
x:FF 29 RC4 Preferred 35210 7.0141
x:FF 29 incompatible 101 0.0201
x:FF 35 RC4 Only 2132 0.4247
x:FF 35 RC4 Preferred 35335 7.039
x:FF 35 incompatible 103 0.0205
y:DHE-RSA-SEED-SHA 90992 18.1262
y:IDEA-CBC-SHA 79674 15.8716
y:SEED-SHA 97028 19.3286
z:ADH-AES128-GCM-SHA256 289 0.0576
z:ADH-AES128-SHA 1315 0.262
z:ADH-AES128-SHA256 198 0.0394
z:ADH-AES256-GCM-SHA384 302 0.0602
z:ADH-AES256-SHA 1320 0.263
z:ADH-AES256-SHA256 200 0.0398
z:ADH-CAMELLIA128-SHA 897 0.1787
z:ADH-CAMELLIA256-SHA 902 0.1797
z:ADH-DES-CBC-SHA 338 0.0673
z:ADH-DES-CBC3-SHA 1333 0.2655
z:ADH-RC4-MD5 1206 0.2402
z:ADH-SEED-SHA 827 0.1647
z:AECDH-AES128-SHA 17845 3.5548
z:AECDH-AES256-SHA 17865 3.5588
z:AECDH-DES-CBC3-SHA 17799 3.5457
z:AECDH-NULL-SHA 50 0.01
z:AECDH-RC4-SHA 17077 3.4018
z:DES-CBC-MD5 13569 2.703
z:DES-CBC-SHA 40067 7.9816
z:DES-CBC3-MD5 26983 5.3752
z:ECDHE-RSA-NULL-SHA 61 0.0122
z:EDH-RSA-DES-CBC-SHA 34341 6.8409
z:EXP-ADH-DES-CBC-SHA 240 0.0478
z:EXP-ADH-RC4-MD5 240 0.0478
z:EXP-DES-CBC-SHA 18671 3.7194
z:EXP-EDH-RSA-DES-CBC-SHA 15391 3.066
z:EXP-RC2-CBC-MD5 22650 4.512
z:EXP-RC4-MD5 23797 4.7405
z:EXP1024-DES-CBC-SHA 5785 1.1524
z:EXP1024-RC4-SHA 5862 1.1677
z:IDEA-CBC-MD5 2484 0.4948
z:NULL-MD5 265 0.0528
z:NULL-SHA 267 0.0532
z:NULL-SHA256 19 0.0038
z:RC2-CBC-MD5 13857 2.7604
z:RC4-64-MD5 1138 0.2267

Cipher ordering Count Percent
-------------------------+---------+-------
Client side 130910 26.0781
Server side 371082 73.9219

Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 1436 0.2861
AECDH 17905 3.5668
DHE 283230 56.4212
ECDH 1 0.0002
ECDHE 373639 74.4313
ECDHE and DHE 201985 40.2367
RSA 459592 91.5537

Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 204984 40.8341 72.3737
DH,1536bits 2 0.0004 0.0007
DH,2048bits 70215 13.9873 24.7908
DH,2236bits 3 0.0006 0.0011
DH,2430bits 1 0.0002 0.0004
DH,2432bits 1 0.0002 0.0004
DH,3072bits 2679 0.5337 0.9459
DH,4096bits 4693 0.9349 1.657
DH,512bits 76 0.0151 0.0268
DH,768bits 622 0.1239 0.2196
DH,8192bits 1 0.0002 0.0004
ECDH,B-163,163bits 1 0.0002 0.0003
ECDH,B-571,570bits 1404 0.2797 0.3758
ECDH,K-571,570bits 1 0.0002 0.0003
ECDH,P-192,192bits 2 0.0004 0.0005
ECDH,P-224,224bits 72 0.0143 0.0193
ECDH,P-256,256bits 363944 72.5 97.4052
ECDH,P-384,384bits 3765 0.75 1.0077
ECDH,P-521,521bits 6951 1.3847 1.8604
Prefer DH,1024bits 78380 15.6138 27.6736
Prefer DH,1536bits 1 0.0002 0.0004
Prefer DH,2048bits 3926 0.7821 1.3862
Prefer DH,2236bits 1 0.0002 0.0004
Prefer DH,3072bits 31 0.0062 0.0109
Prefer DH,4096bits 150 0.0299 0.053
Prefer DH,768bits 228 0.0454 0.0805
Prefer ECDH,B-163,163bits 1 0.0002 0.0003
Prefer ECDH,B-571,570bits 1210 0.241 0.3238
Prefer ECDH,K-571,570bits 1 0.0002 0.0003
Prefer ECDH,P-224,224bits 42 0.0084 0.0112
Prefer ECDH,P-256,256bits 308148 61.385 82.4721
Prefer ECDH,P-384,384bits 2291 0.4564 0.6132
Prefer ECDH,P-521,521bits 6402 1.2753 1.7134
Prefer PFS 400812 79.8443 0
Support PFS 454884 90.6158 0

Supported ECC curves Count Percent
-------------------------+---------+--------
brainpoolP256r1 405 0.0807
brainpoolP384r1 405 0.0807
brainpoolP512r1 405 0.0807
prime192v1 1373 0.2735
prime256v1 372791 74.2623
prime256v1 Only 323403 64.4239
secp160k1 1334 0.2657
secp160r1 1338 0.2665
secp160r2 1334 0.2657
secp192k1 1358 0.2705
secp224k1 1414 0.2817
secp224r1 2898 0.5773
secp224r1 Only 2 0.0004
secp256k1 1708 0.3402
secp384r1 49700 9.9006
secp384r1 Only 314 0.0626
secp521r1 17736 3.5331
secp521r1 Only 116 0.0231
sect163k1 1337 0.2663
sect163k1 Only 2 0.0004
sect163r1 1335 0.2659
sect163r2 1336 0.2661
sect163r2 Only 1 0.0002
sect193r1 1334 0.2657
sect193r2 1333 0.2655
sect233k1 1402 0.2793
sect233r1 1402 0.2793
sect239k1 1401 0.2791
sect283k1 1678 0.3343
sect283r1 1678 0.3343
sect409k1 1678 0.3343
sect409r1 1678 0.3343
sect571k1 1692 0.3371
sect571r1 1691 0.3369

Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 83042 16.5425
True 242989 48.405
order-specific 27 0.0054
unknown 175934 35.0472

ECC curve ordering Count Percent
-------------------------+---------+--------
client 3093 0.6161
inconclusive-noecc 24 0.0048
server 370124 73.7311
unknown 128751 25.648

TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 33890 6.7511
ECDSA-SHA1 Only 2 0.0004
ECDSA-SHA224 33884 6.7499
ECDSA-SHA256 33890 6.7511
ECDSA-SHA384 33889 6.7509
ECDSA-SHA512 33893 6.7517
ECDSA-SHA512 Only 4 0.0008
RSA-MD5 157874 31.4495
RSA-SHA1 329494 65.6373
RSA-SHA1 Only 48447 9.651
RSA-SHA224 265179 52.8253
RSA-SHA256 286453 57.0633
RSA-SHA256 Only 4521 0.9006
RSA-SHA384 266091 53.007
RSA-SHA512 266166 53.022
RSA-SHA512 Only 71 0.0141

TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 233019 46.4189
indeterminate 10 0.002
intolerant 3229 0.6432
order-fallback 23 0.0046
server 132720 26.4387
unsupported 23607 4.7027

TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 33882 6.7495
ECDSA intolerant 21 0.0042
RSA False 153463 30.5708
RSA SHA1 148645 29.611
RSA intolerant 28673 5.7118
RSA pfs-ecdsa-SHA512 1 0.0002
RSA soft-nopfs 4517 0.8998

Renegotiation Count Percent
-------------------------+---------+--------
False 7266 1.4474
insecure 21303 4.2437
secure 473423 94.3089

Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 11567 2.3042
False 7266 1.4474
NONE 483159 96.2483

TLS session ticket hint Count Percent
-------------------------+---------+--------
1 2 0.0004
1 only 2 0.0004
2 2 0.0004
2 only 2 0.0004
5 2 0.0004
5 only 2 0.0004
10 7 0.0014
10 only 7 0.0014
15 9 0.0018
15 only 9 0.0018
30 12 0.0024
30 only 12 0.0024
60 106 0.0211
60 only 99 0.0197
70 7 0.0014
100 12 0.0024
100 only 12 0.0024
120 28 0.0056
120 only 28 0.0056
128 3 0.0006
128 only 3 0.0006
150 2 0.0004
180 47 0.0094
180 only 45 0.009
240 10 0.002
240 only 10 0.002
300 220792 43.9832
300 only 215544 42.9377
400 8 0.0016
400 only 8 0.0016
420 117 0.0233
420 only 79 0.0157
480 13 0.0026
480 only 13 0.0026
500 5 0.001
500 only 5 0.001
540 1 0.0002
540 only 1 0.0002
600 22097 4.4019
600 only 21925 4.3676
720 3 0.0006
720 only 2 0.0004
900 597 0.1189
900 only 577 0.1149
960 2 0.0004
960 only 2 0.0004
1200 1891 0.3767
1200 only 1887 0.3759
1440 1 0.0002
1440 only 1 0.0002
1500 9 0.0018
1500 only 8 0.0016
1800 414 0.0825
1800 only 407 0.0811
2400 6 0.0012
2400 only 5 0.001
2700 6 0.0012
2700 only 6 0.0012
3000 21 0.0042
3000 only 21 0.0042
3300 1 0.0002
3300 only 1 0.0002
3600 428 0.0853
3600 only 415 0.0827
3900 2 0.0004
3900 only 2 0.0004
4200 1 0.0002
5400 18 0.0036
5400 only 3 0.0006
6000 4 0.0008
6000 only 4 0.0008
7200 15459 3.0795
7200 only 12872 2.5642
10800 2078 0.414
10800 only 2074 0.4132
14400 77 0.0153
14400 only 77 0.0153
18000 17 0.0034
18000 only 17 0.0034
21600 5026 1.0012
21600 only 5024 1.0008
28800 2346 0.4673
28800 only 1578 0.3143
36000 1236 0.2462
36000 only 1230 0.245
43200 26 0.0052
43200 only 26 0.0052
60000 1 0.0002
60000 only 1 0.0002
64800 47900 9.542
64800 only 47888 9.5396
72000 12 0.0024
72000 only 12 0.0024
86000 41 0.0082
86000 only 41 0.0082
86400 3432 0.6837
86400 only 3430 0.6833
100800 12605 2.511
100800 only 12595 2.509
115200 1 0.0002
115200 only 1 0.0002
129600 7 0.0014
129600 only 7 0.0014
172800 8 0.0016
172800 only 8 0.0016
604800 2 0.0004
604800 only 2 0.0004
864000 2 0.0004
864000 only 2 0.0004
None 173956 34.6531
None only 165035 32.876

Certificate sig alg Count Percent
-------------------------+---------+--------
None 18593 3.7038
ecdsa-with-SHA256 33851 6.7433
sha1WithRSAEncryption 147349 29.3529
sha256WithRSAEncryption 320910 63.9273
sha384WithRSAEncryption 4 0.0008
sha512WithRSAEncryption 9 0.0018

Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 33898 6.7527
ECDSA 384 7 0.0014
RSA 1024 106 0.0211
RSA 10240 5 0.001
RSA 2047 1 0.0002
RSA 2048 450327 89.708
RSA 2049 3 0.0006
RSA 2056 2 0.0004
RSA 2058 2 0.0004
RSA 2064 1 0.0002
RSA 2080 2 0.0004
RSA 2084 6 0.0012
RSA 2096 1 0.0002
RSA 2408 1 0.0002
RSA 2432 4 0.0008
RSA 2612 2 0.0004
RSA 2848 1 0.0002
RSA 3024 1 0.0002
RSA 3071 1 0.0002
RSA 3072 118 0.0235
RSA 3096 1 0.0002
RSA 3102 1 0.0002
RSA 3248 3 0.0006
RSA 4042 1 0.0002
RSA 4048 1 0.0002
RSA 4056 22 0.0044
RSA 4069 1 0.0002
RSA 4086 1 0.0002
RSA 4092 6 0.0012
RSA 4094 1 0.0002
RSA 4096 17521 3.4903
RSA 8192 7 0.0014
RSA/ECDSA Dual Stack 56 0.0112

OCSP stapling Count Percent
-------------------------+---------+--------
Supported 101152 20.1501
Unsupported 400840 79.8499

Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 27268 5.432
SSL2 Only 24 0.0048
SSL3 136796 27.2506
SSL3 Only 707 0.1408
SSL3 or TLS1 Only 80735 16.0829
SSL3 or lower Only 735 0.1464
TLS1 498809 99.3659
TLS1 Only 47086 9.3798
TLS1 or lower Only 106223 21.1603
TLS1.1 382607 76.2177
TLS1.1 Only 28 0.0056
TLS1.1 or up Only 2220 0.4422
TLS1.2 392594 78.2072
TLS1.2 Only 994 0.198
TLS1.2, 1.0 but not 1.1 11334 2.2578

Statistics from 526034 chains provided by 685991 hosts

Server provided chains Count Percent
-------------------------+---------+-------
complete 475051 69.2503
incomplete 24873 3.6258
untrusted 186067 27.1238

Trusted chain statistics
========================

Chain length Count Percent
-------------------------+---------+-------
2 327 0.0622
3 523536 99.5251
4 2138 0.4064
5 33 0.0063

CA key size in chains Count
-------------------------+---------
ECDSA 256 33853
ECDSA 384 33855
RSA 1024 308
RSA 2045 1
RSA 2048 866336
RSA 4096 119592

Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 33853 6.4355
ECDSA 384 33855 6.4359
RSA 1024 306 0.0582
RSA 2045 1 0.0002
RSA 2048 491599 93.4538
RSA 4096 119050 22.6316

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 33853
sha1WithRSAEncryption 162869
sha256WithRSAEncryption 225699
sha384WithRSAEncryption 105464
sha512WithRSAEncryption 26

Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 163116 31.0086
112 329059 62.5547
128 33859 6.4367

Root CAs Count Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA 112037 21.2984
(d6325660) COMODO RSA Certification Authority 98541 18.7328
(5ad8a5d6) GlobalSign Root CA 51559 9.8015
(cbf06781) Go Daddy Root Certificate Authorit 47005 8.9357
(eed8c118) COMODO ECC Certification Authority 33844 6.4338
(b204d74a) VeriSign Class 3 Public Primary Ce 30749 5.8454
(2e4eed3c) thawte Primary Root CA 25383 4.8254
(244b5494) DigiCert High Assurance EV Root CA 25365 4.8219
(157753a5) AddTrust External CA Root 15024 2.8561
(653b494a) Baltimore CyberTrust Root 11832 2.2493
(ae8153b9) StartCom Certification Authority 9405 1.7879
(3513523f) DigiCert Global Root CA 6987 1.3282
(fc5a8f99) USERTrust RSA Certification Author 6820 1.2965
(f081611a) The Go Daddy Group, Inc. 6456 1.2273
(480720ec) GeoTrust Primary Certification Aut 5857 1.1134
(f387163d) Starfield Technologies, Inc. 5842 1.1106
(4bfab552) Starfield Root Certificate Authori 5499 1.0454

Scan performed between 14th and 24th of July 2015.

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic