security August 2014

security@lists.fedoraproject.org

8 participants
5 discussions

TLS scan results for August 2014
by Hubert Kario 27 Aug '14

27 Aug '14

Not many exciting changes, just continuation of previous trends. SHA-256 has grown by 2%, RC4 basically unchanged. As always, detailed commentary on my blog: https://securitypitfalls.wordpress.com/2014/08/25/august-2014-scan-results/ SSL/TLS survey of 397695 websites from Alexa's top 1 million Stats only from connections that did provide valid certificates (or anonymous DH from servers that do also have valid certificate installed) Supported Ciphers Count Percent -------------------------+---------+------- 3DES 345059 86.7647 3DES Only 209 0.0526 AES 369030 92.7922 AES Only 1951 0.4906 AES-CBC Only 1030 0.259 AES-GCM 162425 40.8416 AES-GCM Only 41 0.0103 CAMELLIA 164197 41.2872 CAMELLIA Only 4 0.001 CHACHA20 14719 3.7011 CHACHA20 Only 6 0.0015 RC4 350479 88.1276 RC4 Only 3807 0.9573 RC4 Preferred 74692 18.7812 RC4 forced in TLS1.1+ 51533 12.9579 x:FF 29 RC4 Only 6327 1.5909 x:FF 29 RC4 Preferred 16784 4.2203 x:FF 29 incompatible 301 0.0757 z:ADH-AES128-GCM-SHA256 348 0.0875 z:ADH-AES128-SHA 1444 0.3631 z:ADH-AES128-SHA256 324 0.0815 z:ADH-AES256-GCM-SHA384 335 0.0842 z:ADH-AES256-SHA 1447 0.3638 z:ADH-AES256-SHA256 328 0.0825 z:ADH-CAMELLIA128-SHA 692 0.174 z:ADH-CAMELLIA256-SHA 699 0.1758 z:ADH-DES-CBC-SHA 699 0.1758 z:ADH-DES-CBC3-SHA 1490 0.3747 z:ADH-RC4-MD5 1297 0.3261 z:ADH-SEED-SHA 514 0.1292 z:AECDH-AES128-SHA 14496 3.645 z:AECDH-AES256-SHA 14533 3.6543 z:AECDH-DES-CBC3-SHA 14471 3.6387 z:AECDH-NULL-SHA 22 0.0055 z:AECDH-RC4-SHA 13603 3.4205 z:DES-CBC-MD5 26778 6.7333 z:DES-CBC-SHA 69202 17.4008 z:DHE-RSA-SEED-SHA 70054 17.615 z:ECDHE-RSA-NULL-SHA 25 0.0063 z:EDH-RSA-DES-CBC-SHA 60963 15.3291 z:EXP-ADH-DES-CBC-SHA 489 0.123 z:EXP-ADH-RC4-MD5 493 0.124 z:EXP-DES-CBC-SHA 54942 13.8151 z:EXP-EDH-RSA-DES-CBC-SHA 43030 10.8198 z:EXP-RC2-CBC-MD5 59737 15.0208 z:IDEA-CBC-MD5 4021 1.0111 z:IDEA-CBC-SHA 64231 16.1508 z:NULL-MD5 353 0.0888 z:NULL-SHA 351 0.0883 z:NULL-SHA256 7 0.0018 z:RC2-CBC-MD5 30955 7.7836 z:SEED-SHA 83118 20.8999 Cipher ordering Count Percent -------------------------+---------+------- Client side 177721 44.6878 Server side 219974 55.3122 Supported Handshakes Count Percent -------------------------+---------+------- ADH 1555 0.391 AECDH 14564 3.6621 DHE 202555 50.9322 ECDHE 184261 46.3322 ECDHE and DHE 73679 18.5265 RSA 396177 99.6183 Supported PFS Count Percent PFS Percent -------------------------+---------+--------+----------- DH,1024bits 186744 46.9566 92.1942 DH,2048bits 14169 3.5628 6.9951 DH,2226bits 2 0.0005 0.001 DH,3072bits 4 0.001 0.002 DH,3242bits 1 0.0003 0.0005 DH,3248bits 2 0.0005 0.001 DH,4096bits 703 0.1768 0.3471 DH,512bits 43198 10.8621 21.3266 DH,768bits 759 0.1908 0.3747 DH,8192bits 2 0.0005 0.001 ECDH,B-163,163bits 13 0.0033 0.0071 ECDH,B-571,570bits 398 0.1001 0.216 ECDH,P-224,224bits 4 0.001 0.0022 ECDH,P-256,256bits 182896 45.989 99.2592 ECDH,P-384,384bits 232 0.0583 0.1259 ECDH,P-521,521bits 821 0.2064 0.4456 Prefer DH,1024bits 115759 29.1075 57.1494 Prefer DH,2048bits 1154 0.2902 0.5697 Prefer DH,4096bits 50 0.0126 0.0247 Prefer DH,512bits 2 0.0005 0.001 Prefer DH,768bits 87 0.0219 0.043 Prefer ECDH,B-163,163bits 13 0.0033 0.0071 Prefer ECDH,B-571,570bits 318 0.08 0.1726 Prefer ECDH,P-224,224bits 1 0.0003 0.0005 Prefer ECDH,P-256,256bits 134334 33.7781 72.9042 Prefer ECDH,P-384,384bits 157 0.0395 0.0852 Prefer ECDH,P-521,521bits 749 0.1883 0.4065 Prefer PFS 252624 63.522 0 Support PFS 313137 78.738 0 TLS session ticket hint Count Percent -------------------------+---------+-------- 5 1 0.0003 5 only 1 0.0003 10 3 0.0008 10 only 1 0.0003 30 2 0.0005 30 only 2 0.0005 42 1 0.0003 60 46 0.0116 60 only 41 0.0103 100 4 0.001 100 only 4 0.001 120 10 0.0025 120 only 10 0.0025 128 4 0.001 128 only 4 0.001 180 29 0.0073 180 only 29 0.0073 240 4 0.001 240 only 4 0.001 300 155200 39.0249 300 only 135627 34.1033 420 19 0.0048 420 only 10 0.0025 480 6 0.0015 480 only 6 0.0015 600 6888 1.732 600 only 6597 1.6588 900 216 0.0543 900 only 190 0.0478 960 2 0.0005 960 only 2 0.0005 1200 60 0.0151 1200 only 57 0.0143 1500 9 0.0023 1500 only 8 0.002 1800 123 0.0309 1800 only 120 0.0302 2100 1 0.0003 2100 only 1 0.0003 2400 1 0.0003 2400 only 1 0.0003 2700 2 0.0005 2700 only 2 0.0005 3000 5 0.0013 3000 only 4 0.001 3600 234 0.0588 3600 only 227 0.0571 5400 2 0.0005 6000 1 0.0003 6000 only 1 0.0003 7200 10748 2.7026 7200 only 8222 2.0674 10800 11 0.0028 10800 only 6 0.0015 14400 722 0.1815 14400 only 716 0.18 18000 1 0.0003 21600 26 0.0065 21600 only 26 0.0065 28800 3 0.0008 28800 only 3 0.0008 30720 1 0.0003 30720 only 1 0.0003 36000 402 0.1011 36000 only 399 0.1003 43200 6311 1.5869 43200 only 6224 1.565 64800 9640 2.424 64800 only 9602 2.4144 86000 32 0.008 86000 only 29 0.0073 86400 92 0.0231 86400 only 85 0.0214 100800 14758 3.7109 100800 only 57 0.0143 115200 1 0.0003 115200 only 1 0.0003 129600 7 0.0018 129600 only 6 0.0015 604800 1 0.0003 604800 only 1 0.0003 864000 6 0.0015 864000 only 6 0.0015 None 229357 57.6716 None only 192066 48.2948 Certificate sig alg Count Percent -------------------------+---------+-------- None 15912 4.0011 ecdsa-with-SHA256 3 0.0008 sha1WithRSAEncryption 338957 85.2304 sha256WithRSAEncryption 58772 14.7782 Certificate key size Count Percent -------------------------+---------+-------- ECDSA 256 8235 2.0707 ECDSA 384 1 0.0003 RSA 1024 1880 0.4727 RSA 2028 1 0.0003 RSA 2047 2 0.0005 RSA 2048 381923 96.0341 RSA 2056 5 0.0013 RSA 2058 1 0.0003 RSA 2060 1 0.0003 RSA 2064 1 0.0003 RSA 2080 2 0.0005 RSA 2084 5 0.0013 RSA 2408 3 0.0008 RSA 2432 28 0.007 RSA 2536 1 0.0003 RSA 2612 1 0.0003 RSA 3050 1 0.0003 RSA 3072 37 0.0093 RSA 3096 1 0.0003 RSA 3248 4 0.001 RSA 3600 1 0.0003 RSA 4042 1 0.0003 RSA 4046 2 0.0005 RSA 4048 2 0.0005 RSA 4086 1 0.0003 RSA 4092 2 0.0005 RSA 4096 13721 3.4501 RSA 4098 3 0.0008 RSA 4192 1 0.0003 RSA 8192 6 0.0015 RSA 16384 1 0.0003 RSA/ECDSA Dual Stack 8153 2.0501 OCSP stapling Count Percent -------------------------+---------+-------- Supported 41610 10.4628 Unsupported 356085 89.5372 Supported Protocols Count Percent -------------------------+---------+------- SSL2 48288 12.142 SSL2 Only 6029 1.516 SSL3 379667 95.4669 SSL3 Only 4125 1.0372 SSL3 or TLS1 Only 117512 29.5483 TLS1 385363 96.8991 TLS1 Only 3015 0.7581 TLS1.1 218025 54.8222 TLS1.1 Only 37 0.0093 TLS1.1 or up Only 709 0.1783 TLS1.2 229097 57.6062 TLS1.2 Only 374 0.094 TLS1.2, 1.0 but not 1.1 15264 3.8381 Scan performed between 8th and 19th of August 2014. Statistics from 443385 chains provided by 585568 hosts Server provided chains Count Percent -------------------------+---------+------- complete 365544 62.4255 incomplete 29700 5.072 untrusted 190324 32.5025 Trusted chain statistics ======================== Chain length Count Percent -------------------------+---------+------- 2 2394 0.5399 3 431592 97.3402 4 9378 2.1151 5 21 0.0047 CA key size in chains Count -------------------------+--------- ECDSA 256 3 ECDSA 384 3 RSA 1024 1733 RSA 2045 1 RSA 2048 874329 RSA 4096 17727 Chains with CA key Count Percent -------------------------+---------+------- ECDSA 256 3 0.0007 ECDSA 384 3 0.0007 RSA 1024 1723 0.3886 RSA 2045 1 0.0002 RSA 2048 441708 99.6218 RSA 4096 17345 3.912 Signature algorithm (ex. root) Count ------------------------------+--------- ecdsa-with-SHA384 3 sha1WithRSAEncryption 387560 sha256WithRSAEncryption 50026 sha384WithRSAEncryption 12822 Eff. host cert chain LoS Count Percent -------------------------+---------+------- 80 388390 87.5966 112 54992 12.4028 128 3 0.0007 Root CAs Count Percent ---------------------------------------------+---------+------- (2c543cd1) GeoTrust Global CA 115908 26.1416 (157753a5) AddTrust External CA Root 69723 15.7252 (5ad8a5d6) GlobalSign Root CA 44630 10.0657 (2e4eed3c) thawte Primary Root CA 29574 6.67 (cbf06781) Go Daddy Root Certificate Authorit 28151 6.3491 (f081611a) The Go Daddy Group, Inc. 26956 6.0796 (b204d74a) VeriSign Class 3 Public Primary Ce 26596 5.9984 (244b5494) DigiCert High Assurance EV Root CA 22613 5.1001 (b13cc6df) UTN-USERFirst-Hardware 12983 2.9282 (40547a79) COMODO Certification Authority 11362 2.5626 (653b494a) Baltimore CyberTrust Root 10593 2.3891 (ae8153b9) StartCom Certification Authority 9134 2.0601 (f387163d) Starfield Technologies, Inc. 7934 1.7894 -- Regards, Hubert Kario Quality Engineer, QE BaseOS Security team Email: hkario(a)redhat.com Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

2 2

question about uploading of core dumps to generate a backtrace for ABRT
by Jakub Filak 14 Aug '14

14 Aug '14

Hello, the ABRT team got an request to replace uploading of core dumps to the retrace server by providing a fuse-like share with debuginfos [1]. It would be really nice if the security experts could comment on this. Thank you for considering my request. Kind regards, Jakub Filak 1: https://github.com/abrt/abrt/issues/832

3 2

[Secure Coding] master: Go: Add section on deserialization (1865417)
by fweimer＠fedoraproject.org 13 Aug '14

13 Aug '14

Repository : http://git.fedorahosted.org/git/?p=secure-coding.git On branch : master >--------------------------------------------------------------- commit 18654176d5d06211ba6393ceaf83afc53080d146 Author: Florian Weimer <fweimer(a)redhat.com> Date: Wed Aug 13 09:44:05 2014 +0200 Go: Add section on deserialization In particular, warn about information leakage due to object reuse. >--------------------------------------------------------------- defensive-coding/en-US/Go.xml | 20 ++++++++++++++++++++ 1 files changed, 20 insertions(+), 0 deletions(-) diff --git a/defensive-coding/en-US/Go.xml b/defensive-coding/en-US/Go.xml index 0e44d5e..b5529a6 100644 --- a/defensive-coding/en-US/Go.xml +++ b/defensive-coding/en-US/Go.xml @@ -87,4 +87,24 @@ spontaneously. </para> </section> +<section id="chap-Defensive_Coding-Go-Marshaling"> + <title>Marshaling and marshaling</title> + <para> + Several packages in the <literal>encoding</literal> hierarchy + provide support for serialization and deserialization. The usual + caveats apply (see + <xref linkend="chap-Defensive_Coding-Tasks-Serialization"/>). + </para> + <para> + As an additional precaution, the <function>Unmarshal</function> + and <function>Decode</function> functions should only be used with + fresh values in the <literal>interface{}</literal> argument. This + is due to the way defaults for missing values are implemented: + During deserialization, missing value do not result in an error, + but the original value is preserved. Using a fresh value (with + suitable default values if necessary) ensures that data from a + previous deserialization operation does not leak into the current + one. This is especially relevant when structs are deserialized. + </para> +</section> </chapter>

1 0

proposed text for crypto-policies in Packaging Guidelines
by Nikos Mavrogiannopoulos 08 Aug '14

08 Aug '14

Hello, I plan to submit the following text for packaging guidelines regarding crypto policies. Are there any comments or suggestions? Since Fedora 21 (http://fedoraproject.org/wiki/Changes/CryptoPolicy) there are policies for the usage of SSL and TLS cryptographic protocols that are enforced system-wide. Each application being added in Fedora must be checked to comply with the policies. Currently the policies are restricted to applications using GnuTLS and OpenSSL. * OpenSSL applications: If the application provides a configuration file that allows to modify the cipher list string, ensure that the default is "PROFILE=SYSTEM". Otherwise, if the application doesn't have a configuration file, ensure that there is no default cipher list specified, or that the default list is set as "PROFILE=SYSTEM". * GnuTLS applications: If the application provides a configuration file that allows to modify the cipher priority string, ensure that the default is "@SYSTEM". Otherwise, if the application doesn't have a configuration file, ensure that it uses gnutls_set_default_priority(), or that the default priority string is "@SYSTEM". Applications utilizing other cryptographic libraries do not adhere to the system wide crypto policies. regards, Nikos

6 14

TLS Survey for July 2014
by Hubert Kario 04 Aug '14

04 Aug '14

Since this month's results are a bit less interesting: small changes of already established trends with regards to RC4, SHA256 and TLS1.2 adoption, I'm spicing them up with the addition of CA certificate statistics :) The addition of the CA cert statistics is also the reason for the late release of data, sorry. Full analysis and commentary available here: https://securitypitfalls.wordpress.com/2014/08/03/july-2014-scan-results/ SSL/TLS survey of 393337 websites from Alexa's top 1 million Stats only from connections that did provide valid certificates (or anonymous DH from servers that do also have valid certificate installed) Supported Ciphers Count Percent -------------------------+---------+------- 3DES 344071 87.4749 3DES Only 152 0.0386 AES 364726 92.7261 AES Only 879 0.2235 AES-CBC Only 510 0.1297 AES-GCM 156262 39.7273 AES-GCM Only 6 0.0015 CAMELLIA 161308 41.0101 CHACHA20 15543 3.9516 RC4 350784 89.1815 RC4 Only 3734 0.9493 RC4 Preferred 69540 17.6795 RC4 forced in TLS1.1+ 45989 11.692 x:FF 29 RC4 Only 6429 1.6345 x:FF 29 RC4 Preferred 16265 4.1351 x:FF 29 incompatible 103 0.0262 z:ADH-AES128-GCM-SHA256 351 0.0892 z:ADH-AES128-SHA 1439 0.3658 z:ADH-AES128-SHA256 325 0.0826 z:ADH-AES256-GCM-SHA384 337 0.0857 z:ADH-AES256-SHA 1445 0.3674 z:ADH-AES256-SHA256 330 0.0839 z:ADH-CAMELLIA128-SHA 722 0.1836 z:ADH-CAMELLIA256-SHA 733 0.1864 z:ADH-DES-CBC-SHA 723 0.1838 z:ADH-DES-CBC3-SHA 1496 0.3803 z:ADH-RC4-MD5 1326 0.3371 z:ADH-SEED-SHA 587 0.1492 z:AECDH-AES128-SHA 13159 3.3455 z:AECDH-AES256-SHA 13161 3.346 z:AECDH-DES-CBC3-SHA 13122 3.3361 z:AECDH-NULL-SHA 14 0.0036 z:AECDH-RC4-SHA 12264 3.1179 z:DES-CBC-MD5 27892 7.0911 z:DES-CBC-SHA 76809 19.5275 z:DHE-RSA-SEED-SHA 68828 17.4985 z:ECDHE-RSA-NULL-SHA 17 0.0043 z:EDH-RSA-DES-CBC-SHA 61870 15.7295 z:EXP-ADH-DES-CBC-SHA 469 0.1192 z:EXP-ADH-RC4-MD5 473 0.1203 z:EXP-DES-CBC-SHA 62566 15.9065 z:EXP-EDH-RSA-DES-CBC-SHA 44087 11.2085 z:EXP-RC2-CBC-MD5 67561 17.1764 z:IDEA-CBC-MD5 10575 2.6885 z:IDEA-CBC-SHA 70335 17.8816 z:NULL-MD5 339 0.0862 z:NULL-SHA 337 0.0857 z:NULL-SHA256 6 0.0015 z:RC2-CBC-MD5 38543 9.799 z:SEED-SHA 83026 21.1081 Cipher ordering Count Percent -------------------------+---------+------- Client side 183896 46.7528 Server side 209441 53.2472 Supported Handshakes Count Percent -------------------------+---------+------- ADH 1562 0.3971 AECDH 13188 3.3529 DHE 198612 50.4941 ECDH 1 0.0003 ECDHE 175607 44.6454 ECDHE and DHE 67049 17.0462 RSA 393014 99.9179 Supported PFS Count Percent PFS Percent -------------------------+---------+--------+----------- DH,1024bits 183927 46.7607 92.6062 DH,2048bits 13134 3.3391 6.6129 DH,2226bits 2 0.0005 0.001 DH,3072bits 4 0.001 0.002 DH,3248bits 4 0.001 0.002 DH,4096bits 620 0.1576 0.3122 DH,512bits 44238 11.2468 22.2736 DH,768bits 771 0.196 0.3882 DH,8192bits 1 0.0003 0.0005 ECDH,B-163,163bits 16 0.0041 0.0091 ECDH,B-571,570bits 392 0.0997 0.2232 ECDH,P-224,224bits 4 0.001 0.0023 ECDH,P-256,256bits 174312 44.3162 99.2626 ECDH,P-384,384bits 207 0.0526 0.1179 ECDH,P-521,521bits 764 0.1942 0.4351 Prefer DH,1024bits 117558 29.8873 59.1898 Prefer DH,2048bits 1721 0.4375 0.8665 Prefer DH,4096bits 54 0.0137 0.0272 Prefer DH,512bits 2 0.0005 0.001 Prefer DH,768bits 87 0.0221 0.0438 Prefer ECDH,B-163,163bits 16 0.0041 0.0091 Prefer ECDH,B-571,570bits 304 0.0773 0.1731 Prefer ECDH,P-224,224bits 1 0.0003 0.0006 Prefer ECDH,P-256,256bits 126826 32.2436 72.2215 Prefer ECDH,P-384,384bits 135 0.0343 0.0769 Prefer ECDH,P-521,521bits 699 0.1777 0.398 Prefer PFS 247403 62.8985 0 Support PFS 307170 78.0933 0 TLS session ticket hint Count Percent -------------------------+---------+-------- 5 2 0.0005 5 only 2 0.0005 10 2 0.0005 30 1 0.0003 30 only 1 0.0003 60 15 0.0038 60 only 10 0.0025 120 7 0.0018 120 only 6 0.0015 128 5 0.0013 128 only 5 0.0013 180 24 0.0061 180 only 24 0.0061 240 7 0.0018 240 only 7 0.0018 300 145958 37.1076 300 only 127245 32.3501 420 12 0.0031 420 only 10 0.0025 480 6 0.0015 480 only 6 0.0015 600 6491 1.6502 600 only 6280 1.5966 900 188 0.0478 900 only 158 0.0402 960 2 0.0005 960 only 2 0.0005 1200 54 0.0137 1200 only 52 0.0132 1500 12 0.0031 1500 only 11 0.0028 1800 121 0.0308 1800 only 116 0.0295 2400 1 0.0003 2400 only 1 0.0003 2700 1 0.0003 2700 only 1 0.0003 3000 5 0.0013 3000 only 4 0.001 3600 239 0.0608 3600 only 235 0.0597 5400 2 0.0005 6000 1 0.0003 6000 only 1 0.0003 7200 10678 2.7147 7200 only 1678 0.4266 10800 7 0.0018 10800 only 3 0.0008 14400 650 0.1653 14400 only 650 0.1653 18000 1 0.0003 18000 only 1 0.0003 21600 27 0.0069 21600 only 27 0.0069 28800 5 0.0013 28800 only 5 0.0013 30720 1 0.0003 30720 only 1 0.0003 36000 477 0.1213 36000 only 477 0.1213 43200 6420 1.6322 43200 only 6420 1.6322 64800 9211 2.3418 64800 only 9208 2.341 86000 28 0.0071 86000 only 26 0.0066 86400 4228 1.0749 86400 only 4223 1.0736 100800 15552 3.9539 100800 only 11 0.0028 115200 1 0.0003 115200 only 1 0.0003 129600 7 0.0018 129600 only 7 0.0018 864000 6 0.0015 864000 only 6 0.0015 None 236414 60.1047 None only 192884 49.0378 Certificate sig alg Count Percent -------------------------+---------+-------- None 14656 3.7261 sha1WithRSAEncryption 343217 87.2577 sha256WithRSAEncryption 50153 12.7506 Certificate key size Count Percent -------------------------+---------+-------- ECDSA 256 8717 2.2162 RSA 1024 1894 0.4815 RSA 2028 1 0.0003 RSA 2047 1 0.0003 RSA 2048 377818 96.0545 RSA 2049 1 0.0003 RSA 2056 5 0.0013 RSA 2058 1 0.0003 RSA 2060 1 0.0003 RSA 2064 1 0.0003 RSA 2080 2 0.0005 RSA 2084 5 0.0013 RSA 2408 3 0.0008 RSA 2432 48 0.0122 RSA 2536 1 0.0003 RSA 2612 1 0.0003 RSA 3050 1 0.0003 RSA 3072 40 0.0102 RSA 3120 1 0.0003 RSA 3248 3 0.0008 RSA 3600 1 0.0003 RSA 4042 1 0.0003 RSA 4046 2 0.0005 RSA 4048 2 0.0005 RSA 4086 1 0.0003 RSA 4092 2 0.0005 RSA 4096 13502 3.4327 RSA 4098 3 0.0008 RSA 4192 1 0.0003 RSA 8192 5 0.0013 RSA 16384 1 0.0003 RSA/ECDSA Dual Stack 8714 2.2154 OCSP stapling Count Percent -------------------------+---------+-------- Supported 39893 10.1422 Unsupported 353444 89.8578 Supported Protocols Count Percent -------------------------+---------+------- SSL2 56197 14.2872 SSL2 Only 6140 1.561 SSL3 377423 95.9541 SSL3 Only 3710 0.9432 SSL3 or TLS1 Only 118014 30.0033 TLS1 382682 97.2911 TLS1 Only 2707 0.6882 TLS1.1 212833 54.1096 TLS1.1 Only 7 0.0018 TLS1.1 or up Only 74 0.0188 TLS1.2 223413 56.7994 TLS1.2 Only 34 0.0086 TLS1.2, 1.0 but not 1.1 14809 3.765 Statistics from 445095 chains provided by 582719 hosts ====================================================== Server provided chains Count Percent -------------------------+---------+------- complete 359484 61.6908 incomplete 29543 5.0699 untrusted 193692 33.2393 Trusted chain statistics ======================== Chain length Count Percent -------------------------+---------+------- 2 2414 0.5423 3 434366 97.5895 4 8292 1.863 5 23 0.0052 CA key size in chains Count -------------------------+--------- ECDSA 256 2 ECDSA 384 2 RSA 1024 1788 RSA 2045 1 RSA 2048 877819 RSA 4096 16502 Chains with CA key Count Percent -------------------------+---------+------- ECDSA 256 2 0.0004 ECDSA 384 2 0.0004 RSA 1024 1776 0.399 RSA 2045 1 0.0002 RSA 2048 443399 99.619 RSA 4096 16134 3.6248 Signature algorithm (ex. root) Count ------------------------------+--------- ecdsa-with-SHA384 2 sha1WithRSAEncryption 397615 sha256WithRSAEncryption 42654 sha384WithRSAEncryption 10748 Eff. host cert chain LoS Count Percent -------------------------+---------+------- 80 398413 89.5119 112 46680 10.4876 128 2 0.0004 Most common root CAs Count Percent ---------------------------------------------+---------+------- (2c543cd1) GeoTrust Global CA 119586 26.8675 (157753a5) AddTrust External CA Root 68556 15.4026 (5ad8a5d6) GlobalSign Root CA 44275 9.9473 (2e4eed3c) thawte Primary Root CA 29162 6.5519 (f081611a) The Go Daddy Group, Inc. 28250 6.347 (cbf06781) Go Daddy Root Certificate Authorit 26503 5.9545 (b204d74a) VeriSign Class 3 Public Primary Ce 26474 5.9479 (244b5494) DigiCert High Assurance EV Root CA 18086 4.0634 (653b494a) Baltimore CyberTrust Root 16986 3.8163 (b13cc6df) UTN-USERFirst-Hardware 13183 2.9618 (40547a79) COMODO Certification Authority 10947 2.4595 (ae8153b9) StartCom Certification Authority 9048 2.0328 (f387163d) Starfield Technologies, Inc. 7516 1.6886 Survey was conducted between 11th and 19th of July 2014. -- Regards, Hubert Kario Quality Engineer, QE BaseOS Security team Email: hkario(a)redhat.com Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

security August 2014