Sorry for being a bit late with the scan results.
The bad news is that there have been few changes, the bad news is that there have
been few changes :)

More detailed analysis on my blog:
https://securitypitfalls.wordpress.com/2015/03/13/february-2015-scan-resu...

SSL/TLS survey of 478847 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)

Supported Ciphers Count Percent
-------------------------+---------+-------
3DES 389395 81.3193
3DES Only 446 0.0931
AES 452703 94.5402
AES Only 7959 1.6621
AES-CBC Only 4111 0.8585
AES-GCM 275395 57.5121
AES-GCM Only 21 0.0044
CAMELLIA 201517 42.0838
CAMELLIA Only 1 0.0002
CHACHA20 27231 5.6868
Insecure 88014 18.3804
RC4 362499 75.7025
RC4 Only 3578 0.7472
RC4 Preferred 63514 13.2639
RC4 forced in TLS1.1+ 40750 8.51
x:FF 29 RC4 Only 545 0.1138
x:FF 29 RC4 Preferred 68531 14.3117
x:FF 29 incompatible 135 0.0282
y:DHE-RSA-SEED-SHA 106333 22.206
y:IDEA-CBC-MD5 2911 0.6079
y:IDEA-CBC-SHA 85651 17.8869
y:SEED-SHA 103273 21.567
z:ADH-AES128-GCM-SHA256 352 0.0735
z:ADH-AES128-SHA 983 0.2053
z:ADH-AES128-SHA256 278 0.0581
z:ADH-AES256-GCM-SHA384 367 0.0766
z:ADH-AES256-SHA 995 0.2078
z:ADH-AES256-SHA256 282 0.0589
z:ADH-CAMELLIA128-SHA 440 0.0919
z:ADH-CAMELLIA256-SHA 449 0.0938
z:ADH-DES-CBC-SHA 378 0.0789
z:ADH-DES-CBC3-SHA 1011 0.2111
z:ADH-RC4-MD5 787 0.1644
z:ADH-SEED-SHA 293 0.0612
z:AECDH-AES128-SHA 14530 3.0344
z:AECDH-AES256-SHA 14530 3.0344
z:AECDH-DES-CBC3-SHA 14487 3.0254
z:AECDH-NULL-SHA 38 0.0079
z:AECDH-RC4-SHA 13507 2.8207
z:DES-CBC-MD5 18469 3.857
z:DES-CBC-SHA 49506 10.3386
z:DES-CBC3-MD5 33718 7.0415
z:ECDHE-RSA-NULL-SHA 43 0.009
z:EDH-RSA-DES-CBC-SHA 42281 8.8298
z:EXP-ADH-DES-CBC-SHA 302 0.0631
z:EXP-ADH-RC4-MD5 306 0.0639
z:EXP-DES-CBC-SHA 35244 7.3602
z:EXP-EDH-RSA-DES-CBC-SHA 24614 5.1403
z:EXP-RC2-CBC-MD5 40047 8.3632
z:EXP-RC4-MD5 42873 8.9534
z:EXP1024-DES-CBC-SHA 9396 1.9622
z:EXP1024-RC4-SHA 9557 1.9958
z:NULL-MD5 292 0.061
z:NULL-SHA 292 0.061
z:NULL-SHA256 12 0.0025
z:RC2-CBC-MD5 18829 3.9322
z:RC4-64-MD5 1529 0.3193

Cipher ordering Count Percent
-------------------------+---------+-------
Client side 141265 29.5011
Server side 337582 70.4989

Supported Handshakes Count Percent
-------------------------+---------+-------
ADH 1120 0.2339
AECDH 14557 3.04
DHE 256190 53.5014
ECDHE 305994 63.9022
ECDHE and DHE 154553 32.2761
RSA 446580 93.2615

Supported PFS Count Percent PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits 214103 44.7122 83.572
DH,1536bits 1 0.0002 0.0004
DH,2048bits 39131 8.1719 15.2742
DH,2226bits 1 0.0002 0.0004
DH,2236bits 1 0.0002 0.0004
DH,3072bits 19 0.004 0.0074
DH,3248bits 2 0.0004 0.0008
DH,4094bits 1 0.0002 0.0004
DH,4096bits 2115 0.4417 0.8256
DH,512bits 87 0.0182 0.034
DH,768bits 759 0.1585 0.2963
DH,8192bits 1 0.0002 0.0004
ECDH,B-163,163bits 7 0.0015 0.0023
ECDH,B-571,570bits 707 0.1476 0.2311
ECDH,K-163,163bits 1 0.0002 0.0003
ECDH,P-224,224bits 51 0.0107 0.0167
ECDH,P-256,256bits 299807 62.6102 97.9781
ECDH,P-384,384bits 3156 0.6591 1.0314
ECDH,P-521,521bits 4454 0.9302 1.4556
Prefer DH,1024bits 99375 20.753 38.7896
Prefer DH,2048bits 2882 0.6019 1.1249
Prefer DH,2236bits 1 0.0002 0.0004
Prefer DH,4096bits 90 0.0188 0.0351
Prefer DH,512bits 3 0.0006 0.0012
Prefer DH,768bits 420 0.0877 0.1639
Prefer ECDH,B-163,163bits 7 0.0015 0.0023
Prefer ECDH,B-571,570bits 521 0.1088 0.1703
Prefer ECDH,K-163,163bits 1 0.0002 0.0003
Prefer ECDH,P-224,224bits 18 0.0038 0.0059
Prefer ECDH,P-256,256bits 243201 50.7889 79.479
Prefer ECDH,P-384,384bits 3079 0.643 1.0062
Prefer ECDH,P-521,521bits 4146 0.8658 1.3549
Prefer PFS 353744 73.8741 0
Support PFS 407631 85.1276 0

Supported ECC curves Count Percent
-------------------------+---------+--------
brainpoolP256r1 77 0.0161
brainpoolP384r1 77 0.0161
brainpoolP512r1 77 0.0161
prime192v1 721 0.1506
prime256v1 305466 63.792
prime256v1 Only 265378 55.4202
secp160k1 689 0.1439
secp160r1 688 0.1437
secp160r2 688 0.1437
secp192k1 716 0.1495
secp224k1 747 0.156
secp224r1 1221 0.255
secp224r1 Only 1 0.0002
secp256k1 766 0.16
secp384r1 40252 8.406
secp384r1 Only 166 0.0347
secp521r1 9985 2.0852
secp521r1 Only 86 0.018
sect163k1 688 0.1437
sect163r1 688 0.1437
sect163r2 695 0.1451
sect163r2 Only 7 0.0015
sect193r1 688 0.1437
sect193r2 688 0.1437
sect233k1 738 0.1541
sect233r1 738 0.1541
sect239k1 737 0.1539
sect283k1 737 0.1539
sect283r1 737 0.1539
sect409k1 737 0.1539
sect409r1 737 0.1539
sect571k1 756 0.1579
sect571r1 756 0.1579

Unsupported curve fallback Count Percent
------------------------------+---------+--------
False 75947 15.8604
True 188432 39.3512
order-specific 12 0.0025
unknown 214456 44.7859

ECC curve ordering Count Percent
-------------------------+---------+--------
client 1661 0.3469
inconclusive-noecc 4 0.0008
server 304074 63.5013
unknown 173108 36.151

TLSv1.2 PFS supported sigalgs Count Percent
------------------------------+---------+--------
ECDSA-SHA1 27872 5.8206
ECDSA-SHA224 27873 5.8209
ECDSA-SHA256 27873 5.8209
ECDSA-SHA384 27874 5.8211
ECDSA-SHA512 27874 5.8211
RSA-MD5 132832 27.74
RSA-MD5 Only 1 0.0002
RSA-SHA1 275469 57.5276
RSA-SHA1 Only 42560 8.888
RSA-SHA224 224806 46.9474
RSA-SHA256 235988 49.2825
RSA-SHA256 Only 2701 0.5641
RSA-SHA384 225210 47.0317
RSA-SHA512 225254 47.0409
RSA-SHA512 Only 39 0.0081

TLSv1.2 PFS ordering Count Percent
------------------------------+---------+--------
client 206251 43.0724
indeterminate 7 0.0015
intolerant 1409 0.2942
order-fallback 2 0.0004
server 98943 20.6628
unsupported 37273 7.7839

TLSv1.2 PFS sigalg fallback Count Percent
------------------------------+---------+--------
ECDSA SHA1 27871 5.8204
ECDSA intolerant 4 0.0008
ECDSA pfs-rsa-SHA512 1 0.0002
RSA False 131264 27.4125
RSA SHA1 125024 26.1094
RSA intolerant 20874 4.3592
RSA pfs-ecdsa-SHA512 1 0.0002
RSA soft-nopfs 1609 0.336

Renegotiation Count Percent
-------------------------+---------+--------
False 9764 2.0391
insecure 25819 5.3919
secure 443264 92.569

Compression Count Percent
-------------------------+---------+--------
1 (zlib compression) 15459 3.2284
False 9764 2.0391
NONE 453624 94.7326

TLS session ticket hint Count Percent
-------------------------+---------+--------
1 2 0.0004
1 only 2 0.0004
2 2 0.0004
2 only 2 0.0004
5 1 0.0002
5 only 1 0.0002
10 4 0.0008
10 only 4 0.0008
15 8 0.0017
15 only 8 0.0017
30 10 0.0021
30 only 10 0.0021
60 71 0.0148
60 only 64 0.0134
65 1 0.0002
65 only 1 0.0002
70 4 0.0008
75 1 0.0002
75 only 1 0.0002
100 11 0.0023
100 only 11 0.0023
120 24 0.005
120 only 23 0.0048
128 3 0.0006
128 only 3 0.0006
180 47 0.0098
180 only 45 0.0094
240 11 0.0023
240 only 11 0.0023
300 201017 41.9794
300 only 192323 40.1638
360 2 0.0004
360 only 1 0.0002
400 4 0.0008
400 only 4 0.0008
420 37 0.0077
420 only 26 0.0054
480 16 0.0033
480 only 14 0.0029
500 4 0.0008
500 only 4 0.0008
600 14965 3.1252
600 only 14676 3.0649
720 1 0.0002
720 only 1 0.0002
840 1 0.0002
840 only 1 0.0002
900 520 0.1086
900 only 500 0.1044
960 2 0.0004
960 only 2 0.0004
1000 1 0.0002
1000 only 1 0.0002
1200 286 0.0597
1200 only 283 0.0591
1500 9 0.0019
1500 only 8 0.0017
1800 343 0.0716
1800 only 334 0.0698
2100 1 0.0002
2100 only 1 0.0002
2400 2 0.0004
2400 only 2 0.0004
2700 5 0.001
2700 only 5 0.001
3000 11 0.0023
3000 only 11 0.0023
3600 329 0.0687
3600 only 312 0.0652
5400 10 0.0021
6000 3 0.0006
6000 only 3 0.0006
7200 14085 2.9414
7200 only 11423 2.3855
10800 1006 0.2101
10800 only 1001 0.209
14400 1416 0.2957
14400 only 1415 0.2955
18000 1 0.0002
18000 only 1 0.0002
21600 4976 1.0392
21600 only 4973 1.0385
28800 12 0.0025
28800 only 11 0.0023
36000 980 0.2047
36000 only 975 0.2036
43200 101 0.0211
43200 only 101 0.0211
60000 1 0.0002
60000 only 1 0.0002
64800 45713 9.5465
64800 only 45710 9.5458
72000 8 0.0017
72000 only 8 0.0017
86000 28 0.0058
86000 only 28 0.0058
86400 225 0.047
86400 only 224 0.0468
93600 1 0.0002
93600 only 1 0.0002
100800 12805 2.6741
100800 only 12805 2.6741
129600 8 0.0017
129600 only 8 0.0017
172800 1 0.0002
172800 only 1 0.0002
604800 1 0.0002
604800 only 1 0.0002
864000 3 0.0006
864000 only 3 0.0006
None 191458 39.9831
None only 179709 37.5295

Certificate sig alg Count Percent
-------------------------+---------+--------
None 15481 3.233
ecdsa-with-SHA256 27852 5.8165
sha1WithRSAEncryption 247414 51.6687
sha256WithRSAEncryption 203665 42.5324
sha512WithRSAEncryption 10 0.0021

Certificate key size Count Percent
-------------------------+---------+--------
ECDSA 256 27873 5.8209
ECDSA 384 4 0.0008
RSA 1024 586 0.1224
RSA 10240 4 0.0008
RSA 2028 1 0.0002
RSA 2047 1 0.0002
RSA 2048 434653 90.7707
RSA 2049 2 0.0004
RSA 2056 3 0.0006
RSA 2058 4 0.0008
RSA 2064 1 0.0002
RSA 2080 2 0.0004
RSA 2084 14 0.0029
RSA 2096 1 0.0002
RSA 2408 3 0.0006
RSA 2432 5 0.001
RSA 2612 1 0.0002
RSA 3072 81 0.0169
RSA 3102 1 0.0002
RSA 3248 3 0.0006
RSA 3600 1 0.0002
RSA 4042 1 0.0002
RSA 4048 2 0.0004
RSA 4056 32 0.0067
RSA 4069 1 0.0002
RSA 4086 2 0.0004
RSA 4092 2 0.0004
RSA 4096 15597 3.2572
RSA 4098 2 0.0004
RSA 8192 4 0.0008
RSA/ECDSA Dual Stack 30 0.0063

OCSP stapling Count Percent
-------------------------+---------+--------
Supported 79626 16.6287
Unsupported 399221 83.3713

Supported Protocols Count Percent
-------------------------+---------+-------
SSL2 34004 7.1012
SSL2 Only 83 0.0173
SSL3 160049 33.4238
SSL3 Only 1554 0.3245
SSL3 or TLS1 Only 99562 20.792
SSL3 or lower Only 1597 0.3335
TLS1 476217 99.4508
TLS1 Only 53875 11.251
TLS1 or lower Only 130773 27.31
TLS1.1 333272 69.5988
TLS1.1 Only 6 0.0013
TLS1.1 or up Only 690 0.1441
TLS1.2 343871 71.8123
TLS1.2 Only 495 0.1034
TLS1.2, 1.0 but not 1.1 12594 2.6301

Statistics from 506677 chains provided by 663743 hosts

Server provided chains Count Percent
-------------------------+---------+-------
complete 445855 67.1728
incomplete 28915 4.3564
untrusted 188973 28.4708

Trusted chain statistics
========================

Chain length Count Percent
-------------------------+---------+-------
2 1250 0.2467
3 435699 85.9915
4 69697 13.7557
5 31 0.0061

CA key size in chains Count
-------------------------+---------
ECDSA 256 27724
ECDSA 384 27724
RSA 1024 1237
RSA 2045 1
RSA 2048 945864
RSA 4096 79313

Chains with CA key Count Percent
-------------------------+---------+-------
ECDSA 256 27724 5.4717
ECDSA 384 27724 5.4717
RSA 1024 1233 0.2434
RSA 2045 1 0.0002
RSA 2048 477582 94.2577
RSA 4096 78697 15.532

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384 27724
sha1WithRSAEncryption 272982
sha256WithRSAEncryption 141436
sha384WithRSAEncryption 133014
sha512WithRSAEncryption 30

Eff. host cert chain LoS Count Percent
-------------------------+---------+-------
80 273108 53.9018
112 205843 40.6261
128 27726 5.4721

Root CAs Count Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA 112003 22.1054
(157753a5) AddTrust External CA Root 103054 20.3392
(5ad8a5d6) GlobalSign Root CA 51402 10.1449
(cbf06781) Go Daddy Root Certificate Authorit 42982 8.4831
(b204d74a) VeriSign Class 3 Public Primary Ce 29072 5.7378
(eed8c118) COMODO ECC Certification Authority 27720 5.4709
(2e4eed3c) thawte Primary Root CA 26917 5.3125
(244b5494) DigiCert High Assurance EV Root CA 23747 4.6868
(653b494a) Baltimore CyberTrust Root 11804 2.3297
(f081611a) The Go Daddy Group, Inc. 11749 2.3188
(b13cc6df) UTN-USERFirst-Hardware 9836 1.9413
(ae8153b9) StartCom Certification Authority 9546 1.884
(f387163d) Starfield Technologies, Inc. 8019 1.5827
(40547a79) COMODO Certification Authority 6997 1.381
(3513523f) DigiCert Global Root CA 5757 1.1362

Scan performed between 19th and 27th of February 2015.

--
Regards,
Hubert Kario