security September 2016

security@lists.fedoraproject.org

2 participants
4 discussions

TLS scan results for July 2016
by Hubert Kario 07 Sep '16

07 Sep '16

This time the results are enhanced with probes detecting tolerance to higher protocol versions and bigger messages. analysis here: https://securitypitfalls.wordpress.com/2016/09/06/july-2016-scan-results/ SSL/TLS survey of 603391 websites from Alexa's top 1 million Stats only from connections that did provide valid certificates (or anonymous DH from servers that do also have valid certificate installed) Supported Ciphers Count Percent -------------------------+---------+------- 3DES 532905 88.3184 3DES Only 550 0.0912 3DES Preferred 1719 0.2849 3DES forced in TLS1.1+ 992 0.1644 AES 599329 99.3268 AES Only 46610 7.7247 AES-CBC 598756 99.2318 AES-CBC Only 4850 0.8038 AES-GCM 509780 84.4858 AES-GCM Only 526 0.0872 CAMELLIA 267705 44.3668 CAMELLIA Only 1 0.0002 CHACHA20 83982 13.9183 CHACHA20 Only 3 0.0005 Insecure 53186 8.8145 RC4 153525 25.4437 RC4 Only 140 0.0232 RC4 Preferred 12783 2.1185 RC4 forced in TLS1.1+ 6911 1.1454 x:FF 29 3DES Only 597 0.0989 x:FF 29 3DES Preferred 2030 0.3364 x:FF 29 RC4 Only 193 0.032 x:FF 29 RC4 Preferred 14404 2.3872 x:FF 29 incompatible 530 0.0878 x:FF 35 3DES Only 605 0.1003 x:FF 35 3DES Preferred 1956 0.3242 x:FF 35 RC4 Only 218 0.0361 x:FF 35 RC4 Preferred 14418 2.3895 x:FF 35 incompatible 532 0.0882 x:FF 44 3DES Only 3874 0.642 x:FF 44 3DES Preferred 7464 1.237 x:FF 44 incompatible 750 0.1243 y:DHE-RSA-SEED-SHA 79084 13.1066 y:IDEA-CBC-SHA 75906 12.5799 y:SEED-SHA 90103 14.9328 z:ADH-AES128-GCM-SHA256 428 0.0709 z:ADH-AES128-SHA 715 0.1185 z:ADH-AES128-SHA256 281 0.0466 z:ADH-AES256-GCM-SHA384 442 0.0733 z:ADH-AES256-SHA 759 0.1258 z:ADH-AES256-SHA256 284 0.0471 z:ADH-CAMELLIA128-SHA 368 0.061 z:ADH-CAMELLIA128-SHA256 1 0.0002 z:ADH-CAMELLIA256-SHA 393 0.0651 z:ADH-CAMELLIA256-SHA256 1 0.0002 z:ADH-DES-CBC-SHA 279 0.0462 z:ADH-DES-CBC3-SHA 720 0.1193 z:ADH-RC4-MD5 517 0.0857 z:ADH-SEED-SHA 298 0.0494 z:AECDH-AES128-SHA 9498 1.5741 z:AECDH-AES256-SHA 9566 1.5854 z:AECDH-DES-CBC3-SHA 9463 1.5683 z:AECDH-NULL-SHA 60 0.0099 z:AECDH-RC4-SHA 8940 1.4816 z:DES-CBC-MD5 6015 0.9969 z:DES-CBC-SHA 33753 5.5939 z:DES-CBC3-MD5 15538 2.5751 z:ECDHE-RSA-NULL-SHA 67 0.0111 z:EDH-RSA-DES-CBC-SHA 28904 4.7903 z:EXP-ADH-DES-CBC-SHA 180 0.0298 z:EXP-ADH-RC4-MD5 178 0.0295 z:EXP-DES-CBC-SHA 9916 1.6434 z:EXP-EDH-RSA-DES-CBC-SHA 7950 1.3176 z:EXP-RC2-CBC-MD5 11811 1.9574 z:EXP-RC4-MD5 12355 2.0476 z:EXP1024-DES-CBC-SHA 3045 0.5046 z:EXP1024-RC4-SHA 3108 0.5151 z:IDEA-CBC-MD5 1225 0.203 z:NULL-MD5 196 0.0325 z:NULL-SHA 201 0.0333 z:NULL-SHA256 39 0.0065 z:RC2-CBC-MD5 6171 1.0227 z:RC4-64-MD5 692 0.1147 Cipher ordering Count Percent -------------------------+---------+------- Client side 149228 24.7316 Server side 454163 75.2684 Supported Handshakes Count Percent -------------------------+---------+------- ADH 918 0.1521 AECDH 9574 1.5867 DHE 327644 54.3004 ECDH 2 0.0003 ECDHE 532966 88.3285 ECDHE and DHE 285103 47.2501 RSA 517470 85.7603 Supported PFS Count Percent PFS Percent -------------------------+---------+--------+----------- DH,1024bits 115821 19.195 35.3496 DH,2048bits 196265 32.527 59.9019 DH,2049bits 1 0.0002 0.0003 DH,2236bits 77 0.0128 0.0235 DH,2432bits 3 0.0005 0.0009 DH,3072bits 141 0.0234 0.043 DH,3092bits 2 0.0003 0.0006 DH,3196bits 1 0.0002 0.0003 DH,4096bits 14972 2.4813 4.5696 DH,512bits 122 0.0202 0.0372 DH,6144bits 1 0.0002 0.0003 DH,768bits 355 0.0588 0.1083 DH,8192bits 7 0.0012 0.0021 ECDH,B-571,570bits 4696 0.7783 0.8811 ECDH,K-163,163bits 1 0.0002 0.0002 ECDH,P-192,192bits 68 0.0113 0.0128 ECDH,P-224,224bits 91 0.0151 0.0171 ECDH,P-256,256bits 500295 82.9139 93.87 ECDH,P-384,384bits 12707 2.1059 2.3842 ECDH,P-521,521bits 17146 2.8416 3.2171 ECDH,brainpoolP512r1,512bits 3 0.0005 0.0006 ECDH,secp256k1,256bits 1 0.0002 0.0002 Prefer DH,1024bits 42440 7.0336 12.9531 Prefer DH,2048bits 4955 0.8212 1.5123 Prefer DH,3072bits 9 0.0015 0.0027 Prefer DH,3092bits 2 0.0003 0.0006 Prefer DH,4096bits 379 0.0628 0.1157 Prefer DH,768bits 33 0.0055 0.0101 Prefer ECDH,B-571,570bits 4438 0.7355 0.8327 Prefer ECDH,K-163,163bits 1 0.0002 0.0002 Prefer ECDH,P-192,192bits 1 0.0002 0.0002 Prefer ECDH,P-224,224bits 89 0.0147 0.0167 Prefer ECDH,P-256,256bits 465038 77.0708 87.2547 Prefer ECDH,P-384,384bits 10660 1.7667 2.0001 Prefer ECDH,P-521,521bits 15901 2.6353 2.9835 Prefer ECDH,brainpoolP512r1,512bits 3 0.0005 0.0006 Prefer ECDH,secp256k1,256bits 1 0.0002 0.0002 Prefer PFS 543950 90.1488 0 Support PFS 575507 95.3788 0 Supported ECC curves Count Percent -------------------------+---------+-------- None 2 0.0003 None Only 2 0.0003 brainpoolP256r1 27492 4.5562 brainpoolP384r1 27491 4.5561 brainpoolP512r1 27484 4.5549 prime192v1 1647 0.273 prime256v1 510415 84.5911 prime256v1 Only 428464 71.0093 secp160k1 1528 0.2532 secp160r1 1536 0.2546 secp160r2 1528 0.2532 secp192k1 1543 0.2557 secp224k1 1625 0.2693 secp224r1 5406 0.8959 secp256k1 29683 4.9194 secp384r1 88419 14.6537 secp384r1 Only 5169 0.8567 secp521r1 58499 9.695 secp521r1 Only 153 0.0254 sect163k1 1531 0.2537 sect163k1 Only 3 0.0005 sect163r1 1529 0.2534 sect163r2 1529 0.2534 sect193r1 1529 0.2534 sect193r2 1529 0.2534 sect233k1 1614 0.2675 sect233r1 1614 0.2675 sect239k1 1614 0.2675 sect283k1 28930 4.7946 sect283k1 Only 2 0.0003 sect283r1 28927 4.7941 sect409k1 28927 4.7941 sect409r1 28927 4.7941 sect571k1 28927 4.7941 sect571r1 28930 4.7946 server 38445 6.3715 server Only 38445 6.3715 Unsupported curve fallback Count Percent ------------------------------+---------+-------- False 532806 88.3019 unknown 70585 11.6981 ECC curve ordering Count Percent -------------------------+---------+-------- 36744 6.0896 client 18027 2.9876 server 478197 79.2516 unknown 70423 11.6712 TLSv1.2 PFS supported sigalgs Count Percent ------------------------------+---------+-------- ECDSA-SHA1 54563 9.0427 ECDSA-SHA1 Only 9 0.0015 ECDSA-SHA224 54587 9.0467 ECDSA-SHA256 72567 12.0265 ECDSA-SHA384 72639 12.0385 ECDSA-SHA512 72750 12.0569 ECDSA-SHA512 Only 118 0.0196 RSA-MD5 23842 3.9513 RSA-SHA1 462908 76.7178 RSA-SHA1 Only 30278 5.018 RSA-SHA224 387875 64.2825 RSA-SHA256 441866 73.2305 RSA-SHA256 Only 8016 1.3285 RSA-SHA384 403401 66.8557 RSA-SHA384 Only 4 0.0007 RSA-SHA512 403342 66.8459 RSA-SHA512 Only 131 0.0217 TLSv1.2 PFS ordering Count Percent ------------------------------+---------+-------- client 282677 46.8481 indeterminate 38 0.0063 intolerant 6561 1.0874 order-fallback 4 0.0007 server 236059 39.1221 unsupported 14339 2.3764 TLSv1.2 PFS sigalg fallback Count Percent ------------------------------+---------+-------- ECDSA SHA1 54456 9.025 ECDSA intolerant 652 0.1081 ECDSA pfs-rsa-SHA512 17783 2.9472 ECDSA soft-nopfs 15 0.0025 RSA False 23629 3.916 RSA SHA1 399316 66.1786 RSA intolerant 50007 8.2877 RSA pfs-ecdsa-SHA512 99 0.0164 RSA soft-nopfs 389 0.0645 Renegotiation Count Percent -------------------------+---------+-------- False 4550 0.7541 insecure 15701 2.6021 secure 583140 96.6438 Compression Count Percent -------------------------+---------+-------- 1 (zlib compression) 6683 1.1076 False 4550 0.7541 NONE 592158 98.1384 TLS session ticket hint Count Percent -------------------------+---------+-------- 1 3 0.0005 1 only 3 0.0005 5 8 0.0013 5 only 8 0.0013 10 9 0.0015 10 only 9 0.0015 15 7 0.0012 15 only 7 0.0012 30 29 0.0048 30 only 29 0.0048 60 172 0.0285 60 only 166 0.0275 65 2 0.0003 65 only 2 0.0003 70 6 0.001 70 only 4 0.0007 75 1 0.0002 75 only 1 0.0002 90 1 0.0002 90 only 1 0.0002 100 15 0.0025 100 only 15 0.0025 120 28 0.0046 120 only 28 0.0046 128 3 0.0005 128 only 2 0.0003 150 2 0.0003 180 83 0.0138 180 only 80 0.0133 240 12 0.002 240 only 12 0.002 300 306995 50.8783 300 only 304055 50.391 302 2 0.0003 302 only 2 0.0003 360 3 0.0005 360 only 2 0.0003 400 8 0.0013 400 only 8 0.0013 420 120 0.0199 420 only 103 0.0171 480 11 0.0018 480 only 11 0.0018 500 4 0.0007 500 only 4 0.0007 540 4 0.0007 540 only 4 0.0007 600 29961 4.9654 600 only 29817 4.9416 630 1 0.0002 630 only 1 0.0002 700 1 0.0002 700 only 1 0.0002 720 6 0.001 720 only 6 0.001 840 2 0.0003 840 only 2 0.0003 900 1560 0.2585 900 only 1541 0.2554 960 3 0.0005 960 only 3 0.0005 1000 1 0.0002 1000 only 1 0.0002 1200 3528 0.5847 1200 only 3525 0.5842 1210 2 0.0003 1210 only 2 0.0003 1320 1 0.0002 1320 only 1 0.0002 1380 1 0.0002 1380 only 1 0.0002 1440 1 0.0002 1440 only 1 0.0002 1500 4 0.0007 1500 only 3 0.0005 1800 860 0.1425 1800 only 839 0.139 1980 2 0.0003 1980 only 2 0.0003 2100 1 0.0002 2400 8 0.0013 2400 only 8 0.0013 2700 12 0.002 2700 only 12 0.002 3000 41 0.0068 3000 only 41 0.0068 3600 1100 0.1823 3600 only 1090 0.1806 3900 2 0.0003 3900 only 2 0.0003 4200 2 0.0003 4200 only 1 0.0002 4500 1 0.0002 4500 only 1 0.0002 5160 1 0.0002 5160 only 1 0.0002 5400 15 0.0025 5400 only 9 0.0015 6000 341 0.0565 6000 only 340 0.0563 7200 15389 2.5504 7200 only 15355 2.5448 7500 2 0.0003 7500 only 2 0.0003 9000 2 0.0003 9000 only 2 0.0003 10800 5322 0.882 10800 only 5300 0.8784 14400 147 0.0244 14400 only 144 0.0239 18000 9 0.0015 18000 only 8 0.0013 21600 4353 0.7214 21600 only 4353 0.7214 25200 1 0.0002 25200 only 1 0.0002 28800 2164 0.3586 28800 only 2164 0.3586 30000 2 0.0003 30000 only 1 0.0002 36000 1239 0.2053 36000 only 1231 0.204 43200 67 0.0111 43200 only 67 0.0111 54000 2 0.0003 54000 only 2 0.0003 60000 3 0.0005 60000 only 3 0.0005 64800 73037 12.1044 64800 only 73018 12.1013 72000 12 0.002 72000 only 12 0.002 79200 1 0.0002 79200 only 1 0.0002 86400 3232 0.5356 86400 only 3222 0.534 100800 9169 1.5196 100800 only 9156 1.5174 108000 1 0.0002 108000 only 1 0.0002 115200 1 0.0002 115200 only 1 0.0002 129600 6 0.001 129600 only 6 0.001 172800 49 0.0081 172800 only 49 0.0081 216000 3 0.0005 216000 only 3 0.0005 259200 3 0.0005 259200 only 3 0.0005 432000 1 0.0002 432000 only 1 0.0002 604800 1 0.0002 864000 2 0.0003 864000 only 2 0.0003 7776000 2 0.0003 7776000 only 2 0.0003 None 147458 24.4382 None only 144200 23.8983 Certificate sig alg Count Percent -------------------------+---------+-------- None 10178 1.6868 ecdsa-with-SHA256 70598 11.7002 sha1WithRSAEncryption 17351 2.8756 sha256WithRSAEncryption 533303 88.3843 sha384WithRSAEncryption 7 0.0012 sha512WithRSAEncryption 77 0.0128 Certificate key size Count Percent -------------------------+---------+-------- ECDSA 256 72865 12.0759 ECDSA 384 41 0.0068 ECDSA 521 1 0.0002 RSA 1024 14 0.0023 RSA 2048 516458 85.5926 RSA 2049 4 0.0007 RSA 2056 1 0.0002 RSA 2058 3 0.0005 RSA 2059 1 0.0002 RSA 2080 6 0.001 RSA 2084 1 0.0002 RSA 2086 1 0.0002 RSA 2096 3 0.0005 RSA 2408 1 0.0002 RSA 2432 6 0.001 RSA 2560 1 0.0002 RSA 2948 1 0.0002 RSA 3072 158 0.0262 RSA 3096 2 0.0003 RSA 3120 1 0.0002 RSA 3248 3 0.0005 RSA 4048 3 0.0005 RSA 4056 21 0.0035 RSA 4069 1 0.0002 RSA 4086 3 0.0005 RSA 4092 2 0.0003 RSA 4094 1 0.0002 RSA 4095 1 0.0002 RSA 4096 33887 5.6161 RSA 4196 1 0.0002 RSA 8192 12 0.002 RSA 8392 1 0.0002 RSA/ECDSA Dual Stack 20097 3.3307 OCSP stapling Count Percent -------------------------+---------+-------- Supported 139486 23.117 Unsupported 463905 76.883 Supported Protocols Count Percent -------------------------+---------+------- SSL2 15694 2.601 SSL2 Only 9 0.0015 SSL3 88647 14.6915 SSL3 Only 325 0.0539 SSL3 or TLS1 Only 47120 7.8092 SSL3 or lower Only 335 0.0555 TLS1 590402 97.8473 TLS1 Only 28435 4.7125 TLS1 or lower Only 61759 10.2353 TLS1.1 532582 88.2648 TLS1.1 Only 43 0.0071 TLS1.1 or up Only 12475 2.0675 TLS1.2 539663 89.4384 TLS1.2 Only 3587 0.5945 TLS1.2, 1.0 but not 1.1 5029 0.8335 Client Hello intolerance Count Percent ----------------------------------------+---------+------- Huge Cipher List 539862 89.4713 Huge Cipher List (trunc 16388) 143271 23.7443 SSL 3.254 19882 3.295 TLS 1.0 66391 11.003 TLS 1.1 3190 0.5287 TLS 1.2 67 0.0111 TLS 1.3 7896 1.3086 TLS 1.4 14758 2.4458 Xmas tree 43001 7.1266 x:missing information 44 0.0073 Statistics from 544239 chains provided by 734331 hosts Server provided chains Count Percent -------------------------+---------+------- complete 493648 67.2242 incomplete 20056 2.7312 untrusted 220627 30.0446 Trusted chain statistics ======================== Chain length Count Percent -------------------------+---------+------- 2 1 0.0002 3 540295 99.2753 4 3930 0.7221 5 13 0.0024 CA key size in chains Count -------------------------+--------- ECDSA 256 30197 ECDSA 384 30193 RSA 1024 9 RSA 2045 2 RSA 2048 845143 RSA 4096 186889 Chains with CA key Count Percent -------------------------+---------+------- ECDSA 256 30197 5.5485 ECDSA 384 30193 5.5477 RSA 1024 7 0.0013 RSA 2045 2 0.0004 RSA 2048 513612 94.3725 RSA 4096 186227 34.2179 Signature algorithm (ex. root) Count ------------------------------+--------- ecdsa-with-SHA384 30185 sha1WithRSAEncryption 20474 sha256WithRSAEncryption 330105 sha384WithRSAEncryption 167373 sha512WithRSAEncryption 57 Eff. host cert chain LoS Count Percent -------------------------+---------+------- 80 20448 3.7572 112 493575 90.6909 128 30216 5.552 Most popular root CAs Count Percent ---------------------------------------------+---------+------- (d6325660) COMODO RSA Certification Authority 149876 27.5386 (2c543cd1) GeoTrust Global CA 82272 15.1169 (cbf06781) Go Daddy Root Certificate Authorit 46152 8.4801 (5ad8a5d6) GlobalSign Root CA 42046 7.7256 (b204d74a) VeriSign Class 3 Public Primary Ce 30585 5.6198 (eed8c118) COMODO ECC Certification Authority 30178 5.545 (244b5494) DigiCert High Assurance EV Root CA 21202 3.8957 (2e4eed3c) thawte Primary Root CA 17390 3.1953 (fc5a8f99) USERTrust RSA Certification Author 17354 3.1887 (2e5ac55d) DST Root CA X3 16492 3.0303 (653b494a) Baltimore CyberTrust Root 11315 2.079 (3513523f) DigiCert Global Root CA 10347 1.9012 (ae8153b9) StartCom Certification Authority 9044 1.6618 (4bfab552) Starfield Root Certificate Authori 9012 1.6559 (e2799e36) GeoTrust Primary Certification Aut 6148 1.1297 (480720ec) GeoTrust Primary Certification Aut 5775 1.0611 (02265526) Entrust Root Certification Authori 3969 0.7293 (ba89ed3b) thawte Primary Root CA - G3 3394 0.6236 (8096d0a9) Certification Authority of WoSign 2877 0.5286 (157753a5) AddTrust External CA Root 2782 0.5112 Most popular intermediate CA Count Percent ---------------------------------------------+---------+------- (8d28ae65) COMODO RSA Domain Validation Secur 100923 18.5439 (27eb7704) Go Daddy Secure Certificate Author 46152 8.4801 (53f3e569) RapidSSL SHA256 CA - G3 40339 7.412 (6cfa716c) COMODO ECC Domain Validation Secur 30126 5.5354 (7d9c641e) Symantec Class 3 Secure Server CA 21662 3.9802 (1400f578) cPanel, Inc. Certification Authori 19580 3.5977 (38ae8eda) DigiCert SHA2 High Assurance Serve 17140 3.1494 (4f06f81d) Let's Encrypt Authority X3 16492 3.0303 (16744f0c) AlphaSSL CA - SHA256 - G2 16239 2.9838 (493a2f06) COMODO RSA Domain Validation Secur 13442 2.4699 (10310d4b) GeoTrust SSL CA - G3 13423 2.4664 (80ecc636) RapidSSL SHA256 CA 12795 2.351 (d7d634d4) GlobalSign Domain Validation CA - 11432 2.1005 (b85455c4) GlobalSign Organization Validation 11363 2.0879 (c43a77d9) COMODO RSA Organization Validation 11217 2.061 (85cf5865) DigiCert SHA2 Secure Server CA 10208 1.8756 (9ad474ec) thawte SSL CA - G2 9146 1.6805 (cd7781e5) Starfield Secure Certificate Autho 9012 1.6559 (d84ef247) GeoTrust DV SSL CA - G4 7163 1.3161 (a0f7ac3e) Symantec Class 3 EV SSL CA - G3 7144 1.3127 (3d97f5e2) Verizon Akamai SureServer CA G14-S 7025 1.2908 (fd917e82) SecureCore RSA DV CA 6995 1.2853 (b71a5f76) GeoTrust EV SSL CA - G4 5724 1.0517 (661c52cc) thawte DV SSL CA - G2 5368 0.9863 (e22cd3f0) COMODO RSA Extended Validation Sec 4365 0.802 (7f8496de) StartCom Class 1 DV Server CA 3678 0.6758 (45bfefc3) DigiCert SHA2 Extended Validation 3527 0.6481 (2835d715) Entrust Certification Authority - 3328 0.6115 (f131b364) RapidSSL CA 3180 0.5843 (98d7cad7) GeoTrust DV SSL CA - G3 3154 0.5795 Scan performed between 20th of July and 17th of August 2016 -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

1 0

TLS scan results for June 2016
by Hubert Kario 07 Sep '16

07 Sep '16

SSL/TLS survey of 593851 websites from Alexa's top 1 million Stats only from connections that did provide valid certificates (or anonymous DH from servers that do also have valid certificate installed) Supported Ciphers Count Percent -------------------------+---------+------- 3DES 525961 88.5678 3DES Only 605 0.1019 3DES Preferred 1797 0.3026 3DES forced in TLS1.1+ 978 0.1647 AES 589255 99.2261 AES Only 43606 7.3429 AES-CBC 588687 99.1304 AES-CBC Only 5565 0.9371 AES-GCM 490658 82.6231 AES-GCM Only 520 0.0876 CAMELLIA 261701 44.0685 CAMELLIA Only 2 0.0003 CHACHA20 81256 13.6829 Insecure 56141 9.4537 RC4 166167 27.9813 RC4 Only 158 0.0266 RC4 Preferred 13843 2.3311 RC4 forced in TLS1.1+ 7176 1.2084 x:FF 29 3DES Only 654 0.1101 x:FF 29 3DES Preferred 2164 0.3644 x:FF 29 RC4 Only 233 0.0392 x:FF 29 RC4 Preferred 16139 2.7177 x:FF 29 incompatible 518 0.0872 x:FF 35 3DES Only 662 0.1115 x:FF 35 3DES Preferred 2094 0.3526 x:FF 35 RC4 Only 273 0.046 x:FF 35 RC4 Preferred 16162 2.7216 x:FF 35 incompatible 522 0.0879 x:FF 44 3DES Only 4368 0.7355 x:FF 44 3DES Preferred 8162 1.3744 x:FF 44 incompatible 795 0.1339 y:DHE-RSA-SEED-SHA 79533 13.3928 y:IDEA-CBC-SHA 76113 12.8169 y:SEED-SHA 90128 15.1769 z:ADH-AES128-GCM-SHA256 430 0.0724 z:ADH-AES128-SHA 771 0.1298 z:ADH-AES128-SHA256 268 0.0451 z:ADH-AES256-GCM-SHA384 444 0.0748 z:ADH-AES256-SHA 809 0.1362 z:ADH-AES256-SHA256 269 0.0453 z:ADH-CAMELLIA128-SHA 401 0.0675 z:ADH-CAMELLIA128-SHA256 1 0.0002 z:ADH-CAMELLIA256-SHA 424 0.0714 z:ADH-CAMELLIA256-SHA256 1 0.0002 z:ADH-DES-CBC-SHA 326 0.0549 z:ADH-DES-CBC3-SHA 781 0.1315 z:ADH-RC4-MD5 571 0.0962 z:ADH-SEED-SHA 322 0.0542 z:AECDH-AES128-SHA 10202 1.7179 z:AECDH-AES256-SHA 10261 1.7279 z:AECDH-DES-CBC3-SHA 10168 1.7122 z:AECDH-NULL-SHA 94 0.0158 z:AECDH-RC4-SHA 9605 1.6174 z:DES-CBC-MD5 6658 1.1212 z:DES-CBC-SHA 35044 5.9011 z:DES-CBC3-MD5 17074 2.8751 z:ECDHE-RSA-NULL-SHA 100 0.0168 z:EDH-RSA-DES-CBC-SHA 29995 5.0509 z:EXP-ADH-DES-CBC-SHA 181 0.0305 z:EXP-ADH-RC4-MD5 180 0.0303 z:EXP-DES-CBC-SHA 10901 1.8356 z:EXP-EDH-RSA-DES-CBC-SHA 8667 1.4595 z:EXP-RC2-CBC-MD5 13108 2.2073 z:EXP-RC4-MD5 13716 2.3097 z:EXP1024-DES-CBC-SHA 3463 0.5831 z:EXP1024-RC4-SHA 3524 0.5934 z:IDEA-CBC-MD5 1453 0.2447 z:NULL-MD5 233 0.0392 z:NULL-SHA 238 0.0401 z:NULL-SHA256 36 0.0061 z:RC2-CBC-MD5 6966 1.173 z:RC4-64-MD5 757 0.1275 Cipher ordering Count Percent -------------------------+---------+------- Client side 152565 25.6908 Server side 441286 74.3092 Supported Handshakes Count Percent -------------------------+---------+------- ADH 979 0.1649 AECDH 10271 1.7296 DHE 320930 54.0422 ECDH 2 0.0003 ECDHE 517887 87.2082 ECDHE and DHE 274945 46.2987 RSA 509769 85.8412 Supported PFS Count Percent PFS Percent -------------------------+---------+--------+----------- DH,1024bits 119481 20.1197 37.2296 DH,1028bits 1 0.0002 0.0003 DH,2048bits 188192 31.6901 58.6396 DH,2236bits 78 0.0131 0.0243 DH,2430bits 1 0.0002 0.0003 DH,2432bits 3 0.0005 0.0009 DH,2560bits 1 0.0002 0.0003 DH,3072bits 132 0.0222 0.0411 DH,3092bits 2 0.0003 0.0006 DH,3196bits 1 0.0002 0.0003 DH,4046bits 1 0.0002 0.0003 DH,4094bits 1 0.0002 0.0003 DH,4096bits 12637 2.128 3.9376 DH,512bits 108 0.0182 0.0337 DH,6144bits 1 0.0002 0.0003 DH,768bits 385 0.0648 0.12 DH,8192bits 8 0.0013 0.0025 ECDH,B-571,570bits 3072 0.5173 0.5932 ECDH,K-163,163bits 1 0.0002 0.0002 ECDH,P-192,192bits 60 0.0101 0.0116 ECDH,P-224,224bits 94 0.0158 0.0182 ECDH,P-256,256bits 490672 82.6254 94.745 ECDH,P-384,384bits 9474 1.5953 1.8294 ECDH,P-521,521bits 16461 2.7719 3.1785 ECDH,brainpoolP512r1,512bits 1 0.0002 0.0002 ECDH,secp256k1,256bits 1 0.0002 0.0002 Prefer DH,1024bits 45380 7.6416 14.1402 Prefer DH,2048bits 5635 0.9489 1.7558 Prefer DH,3072bits 8 0.0013 0.0025 Prefer DH,3092bits 2 0.0003 0.0006 Prefer DH,4096bits 398 0.067 0.124 Prefer DH,768bits 44 0.0074 0.0137 Prefer ECDH,B-571,570bits 2840 0.4782 0.5484 Prefer ECDH,K-163,163bits 1 0.0002 0.0002 Prefer ECDH,P-192,192bits 1 0.0002 0.0002 Prefer ECDH,P-224,224bits 92 0.0155 0.0178 Prefer ECDH,P-256,256bits 453139 76.3052 87.4977 Prefer ECDH,P-384,384bits 7350 1.2377 1.4192 Prefer ECDH,P-521,521bits 15215 2.5621 2.9379 Prefer ECDH,brainpoolP512r1,512bits 1 0.0002 0.0002 Prefer ECDH,secp256k1,256bits 1 0.0002 0.0002 Prefer PFS 530107 89.266 0 Support PFS 563872 94.9518 0 Supported ECC curves Count Percent -------------------------+---------+-------- brainpoolP256r1 17814 2.9997 brainpoolP384r1 17827 3.0019 brainpoolP512r1 17836 3.0034 prime192v1 1799 0.3029 prime256v1 513258 86.4288 prime256v1 Only 427959 72.065 secp160k1 1678 0.2826 secp160r1 1688 0.2842 secp160r2 1678 0.2826 secp192k1 1693 0.2851 secp224k1 1780 0.2997 secp224r1 5748 0.9679 secp256k1 20085 3.3822 secp384r1 88954 14.9792 secp384r1 Only 3672 0.6183 secp521r1 50953 8.5801 secp521r1 Only 140 0.0236 sect163k1 1684 0.2836 sect163k1 Only 2 0.0003 sect163r1 1682 0.2832 sect163r2 1681 0.2831 sect193r1 1681 0.2831 sect193r2 1681 0.2831 sect233k1 1770 0.2981 sect233r1 1768 0.2977 sect239k1 1768 0.2977 sect283k1 19394 3.2658 sect283r1 19392 3.2655 sect409k1 19395 3.266 sect409r1 19391 3.2653 sect571k1 19395 3.266 sect571r1 19395 3.266 Unsupported curve fallback Count Percent ------------------------------+---------+-------- False 56371 9.4924 True 391090 65.8566 order-specific 45 0.0076 unknown 146345 24.6434 ECC curve ordering Count Percent -------------------------+---------+-------- client 13249 2.231 inconclusive-noecc 8 0.0013 server 503853 84.845 unknown 76741 12.9226 TLSv1.2 PFS supported sigalgs Count Percent ------------------------------+---------+-------- ECDSA-SHA1 53286 8.973 ECDSA-SHA1 Only 8 0.0013 ECDSA-SHA224 53248 8.9666 ECDSA-SHA256 71063 11.9665 ECDSA-SHA384 71064 11.9666 ECDSA-SHA512 71074 11.9683 ECDSA-SHA512 Only 16 0.0027 RSA-MD5 27142 4.5705 RSA-SHA1 447072 75.2835 RSA-SHA1 Only 34046 5.7331 RSA-SHA224 371135 62.4963 RSA-SHA256 422358 71.1219 RSA-SHA256 Only 8044 1.3545 RSA-SHA384 383992 64.6613 RSA-SHA384 Only 4 0.0007 RSA-SHA512 384022 64.6664 RSA-SHA512 Only 209 0.0352 TLSv1.2 PFS ordering Count Percent ------------------------------+---------+-------- client 280809 47.2861 indeterminate 54 0.0091 intolerant 6465 1.0887 order-fallback 8 0.0013 server 220388 37.1117 unsupported 15018 2.5289 TLSv1.2 PFS sigalg fallback Count Percent ------------------------------+---------+-------- ECDSA SHA1 53230 8.9635 ECDSA intolerant 189 0.0318 ECDSA pfs-rsa-SHA512 17719 2.9837 ECDSA soft-nopfs 7 0.0012 RSA False 26845 4.5205 RSA SHA1 386610 65.1022 RSA intolerant 43313 7.2936 RSA pfs-ecdsa-SHA512 27 0.0045 RSA soft-nopfs 474 0.0798 Renegotiation Count Percent -------------------------+---------+-------- False 4962 0.8356 insecure 16550 2.7869 secure 572339 96.3775 Compression Count Percent -------------------------+---------+-------- 1 (zlib compression) 7077 1.1917 False 4962 0.8356 NONE 581812 97.9727 TLS session ticket hint Count Percent -------------------------+---------+-------- 1 2 0.0003 1 only 2 0.0003 2 1 0.0002 2 only 1 0.0002 5 5 0.0008 5 only 5 0.0008 10 8 0.0013 10 only 8 0.0013 15 8 0.0013 15 only 8 0.0013 30 25 0.0042 30 only 25 0.0042 60 166 0.028 60 only 161 0.0271 65 2 0.0003 65 only 2 0.0003 70 8 0.0013 70 only 8 0.0013 75 1 0.0002 75 only 1 0.0002 90 1 0.0002 90 only 1 0.0002 100 16 0.0027 100 only 16 0.0027 120 27 0.0045 120 only 27 0.0045 128 6 0.001 128 only 6 0.001 150 2 0.0003 180 78 0.0131 180 only 74 0.0125 240 14 0.0024 240 only 14 0.0024 244 2 0.0003 244 only 2 0.0003 300 298609 50.2835 300 only 295255 49.7187 302 2 0.0003 302 only 2 0.0003 360 3 0.0005 360 only 2 0.0003 400 6 0.001 400 only 6 0.001 420 129 0.0217 420 only 111 0.0187 450 1 0.0002 450 only 1 0.0002 480 11 0.0019 480 only 11 0.0019 500 3 0.0005 500 only 3 0.0005 540 4 0.0007 540 only 4 0.0007 600 28678 4.8292 600 only 28547 4.8071 660 1 0.0002 660 only 1 0.0002 700 1 0.0002 700 only 1 0.0002 720 3 0.0005 720 only 3 0.0005 840 2 0.0003 840 only 2 0.0003 900 1532 0.258 900 only 1515 0.2551 960 3 0.0005 960 only 3 0.0005 1000 1 0.0002 1000 only 1 0.0002 1200 3512 0.5914 1200 only 3508 0.5907 1210 2 0.0003 1210 only 2 0.0003 1320 1 0.0002 1320 only 1 0.0002 1380 1 0.0002 1380 only 1 0.0002 1440 1 0.0002 1440 only 1 0.0002 1500 6 0.001 1500 only 5 0.0008 1800 751 0.1265 1800 only 734 0.1236 1980 2 0.0003 1980 only 2 0.0003 2100 2 0.0003 2100 only 1 0.0002 2400 10 0.0017 2400 only 10 0.0017 2700 11 0.0019 2700 only 11 0.0019 3000 42 0.0071 3000 only 42 0.0071 3300 1 0.0002 3300 only 1 0.0002 3600 1079 0.1817 3600 only 1070 0.1802 3900 1 0.0002 3900 only 1 0.0002 4200 1 0.0002 4500 1 0.0002 4500 only 1 0.0002 5160 1 0.0002 5160 only 1 0.0002 5400 19 0.0032 5400 only 6 0.001 6000 352 0.0593 6000 only 352 0.0593 7200 15154 2.5518 7200 only 15130 2.5478 9000 2 0.0003 9000 only 2 0.0003 10800 5334 0.8982 10800 only 5324 0.8965 14400 116 0.0195 14400 only 116 0.0195 18000 9 0.0015 18000 only 9 0.0015 21600 4287 0.7219 21600 only 4286 0.7217 25200 1 0.0002 25200 only 1 0.0002 28800 2555 0.4302 28800 only 2555 0.4302 30000 3 0.0005 30000 only 1 0.0002 36000 1220 0.2054 36000 only 1209 0.2036 43200 65 0.0109 43200 only 65 0.0109 54000 1 0.0002 54000 only 1 0.0002 54647 1 0.0002 54660 1 0.0002 54674 1 0.0002 54690 1 0.0002 54703 1 0.0002 54722 1 0.0002 54737 1 0.0002 54751 1 0.0002 60000 2 0.0003 60000 only 2 0.0003 64800 70759 11.9153 64800 only 70736 11.9114 72000 12 0.002 72000 only 12 0.002 79200 1 0.0002 79200 only 1 0.0002 86400 2990 0.5035 86400 only 2984 0.5025 100800 9026 1.5199 100800 only 9015 1.5181 108000 1 0.0002 108000 only 1 0.0002 115200 1 0.0002 115200 only 1 0.0002 129600 6 0.001 129600 only 6 0.001 172800 47 0.0079 172800 only 47 0.0079 216000 4 0.0007 216000 only 3 0.0005 259200 2 0.0003 259200 only 2 0.0003 432000 1 0.0002 432000 only 1 0.0002 604800 1 0.0002 604800 only 1 0.0002 864000 2 0.0003 864000 only 2 0.0003 7776000 1 0.0002 7776000 only 1 0.0002 None 150742 25.3838 None only 147105 24.7714 Certificate sig alg Count Percent -------------------------+---------+-------- None 10920 1.8388 ecdsa-with-SHA256 68463 11.5286 sha1WithRSAEncryption 21372 3.5989 sha256WithRSAEncryption 521742 87.8574 sha384WithRSAEncryption 8 0.0013 sha512WithRSAEncryption 69 0.0116 Certificate key size Count Percent -------------------------+---------+-------- ECDSA 256 71108 11.974 ECDSA 384 38 0.0064 ECDSA 521 1 0.0002 RSA 1024 15 0.0025 RSA 2048 511834 86.189 RSA 2049 3 0.0005 RSA 2056 1 0.0002 RSA 2058 3 0.0005 RSA 2059 1 0.0002 RSA 2080 6 0.001 RSA 2084 2 0.0003 RSA 2086 1 0.0002 RSA 2096 3 0.0005 RSA 2408 1 0.0002 RSA 2432 3 0.0005 RSA 2560 1 0.0002 RSA 2948 1 0.0002 RSA 3072 163 0.0274 RSA 3073 1 0.0002 RSA 3096 2 0.0003 RSA 3248 3 0.0005 RSA 4048 4 0.0007 RSA 4056 18 0.003 RSA 4069 1 0.0002 RSA 4086 4 0.0007 RSA 4092 2 0.0003 RSA 4094 1 0.0002 RSA 4095 1 0.0002 RSA 4096 30991 5.2186 RSA 4196 1 0.0002 RSA 8192 10 0.0017 RSA 8392 1 0.0002 RSA/ECDSA Dual Stack 20358 3.4281 OCSP stapling Count Percent -------------------------+---------+-------- Supported 126688 21.3333 Unsupported 467163 78.6667 Supported Protocols Count Percent -------------------------+---------+------- SSL2 17236 2.9024 SSL2 Only 12 0.002 SSL3 99629 16.7768 SSL3 Only 497 0.0837 SSL3 or TLS1 Only 52946 8.9157 SSL3 or lower Only 505 0.085 TLS1 582034 98.0101 TLS1 Only 32797 5.5228 TLS1 or lower Only 68913 11.6044 TLS1.1 515189 86.7539 TLS1.1 Only 42 0.0071 TLS1.1 or up Only 11134 1.8749 TLS1.2 522729 88.0236 TLS1.2 Only 3290 0.554 TLS1.2, 1.0 but not 1.1 5865 0.9876 Statistics from 628845 chains provided by 728648 hosts Server provided chains Count Percent -------------------------+---------+------- complete 570337 78.2733 incomplete 21286 2.9213 untrusted 137025 18.8054 Trusted chain statistics ======================== Chain length Count Percent -------------------------+---------+------- 2 1 0.0002 3 625155 99.4132 4 3676 0.5846 5 13 0.0021 CA key size in chains Count -------------------------+--------- ECDSA 256 68458 ECDSA 384 68457 RSA 1024 8 RSA 2045 2 RSA 2048 927971 RSA 4096 196495 Chains with CA key Count Percent -------------------------+---------+------- ECDSA 256 68458 10.8863 ECDSA 384 68456 10.886 RSA 1024 6 0.001 RSA 2045 2 0.0003 RSA 2048 559959 89.0456 RSA 4096 195838 31.1425 Signature algorithm (ex. root) Count ------------------------------+--------- ecdsa-with-SHA384 68447 sha1WithRSAEncryption 24541 sha256WithRSAEncryption 363378 sha384WithRSAEncryption 176120 sha512WithRSAEncryption 60 Eff. host cert chain LoS Count Percent -------------------------+---------+------- 80 24524 3.8998 112 535845 85.211 128 68476 10.8892 Most popular root CAs Count Percent ---------------------------------------------+---------+------- (d6325660) COMODO RSA Certification Authority 158376 25.1852 (2c543cd1) GeoTrust Global CA 95542 15.1933 (eed8c118) COMODO ECC Certification Authority 68438 10.8831 (cbf06781) Go Daddy Root Certificate Authorit 49514 7.8738 (5ad8a5d6) GlobalSign Root CA 48382 7.6938 (b204d74a) VeriSign Class 3 Public Primary Ce 32086 5.1024 (2e5ac55d) DST Root CA X3 26043 4.1414 (244b5494) DigiCert High Assurance EV Root CA 20408 3.2453 (2e4eed3c) thawte Primary Root CA 19033 3.0267 (fc5a8f99) USERTrust RSA Certification Author 17598 2.7985 (653b494a) Baltimore CyberTrust Root 11671 1.8559 (3513523f) DigiCert Global Root CA 10585 1.6832 (ae8153b9) StartCom Certification Authority 9453 1.5032 (4bfab552) Starfield Root Certificate Authori 8502 1.352 Scan performed between 19th of June and 6th of July 2016 -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

1 0

TLS scan results for May 2016
by Hubert Kario 07 Sep '16

07 Sep '16

SSL/TLS survey of 588324 websites from Alexa's top 1 million Stats only from connections that did provide valid certificates (or anonymous DH from servers that do also have valid certificate installed) Supported Ciphers Count Percent -------------------------+---------+------- 3DES 521557 88.6513 3DES Only 618 0.105 3DES Preferred 1789 0.3041 3DES forced in TLS1.1+ 964 0.1639 AES 583623 99.201 AES Only 42928 7.2967 AES-CBC 583065 99.1061 AES-CBC Only 6504 1.1055 AES-GCM 482505 82.0135 AES-GCM Only 514 0.0874 CAMELLIA 258710 43.9741 CAMELLIA Only 3 0.0005 CHACHA20 80738 13.7234 CHACHA20 Only 4 0.0007 Insecure 56788 9.6525 RC4 168525 28.6449 RC4 Only 166 0.0282 RC4 Preferred 14971 2.5447 RC4 forced in TLS1.1+ 8083 1.3739 x:FF 29 3DES Only 661 0.1124 x:FF 29 3DES Preferred 2145 0.3646 x:FF 29 RC4 Only 245 0.0416 x:FF 29 RC4 Preferred 16797 2.8551 x:FF 29 incompatible 506 0.086 x:FF 35 3DES Only 669 0.1137 x:FF 35 3DES Preferred 2073 0.3524 x:FF 35 RC4 Only 285 0.0484 x:FF 35 RC4 Preferred 16818 2.8586 x:FF 35 incompatible 510 0.0867 x:FF 44 3DES Only 4449 0.7562 x:FF 44 3DES Preferred 8286 1.4084 x:FF 44 incompatible 795 0.1351 y:DHE-RSA-SEED-SHA 79291 13.4774 y:IDEA-CBC-SHA 75311 12.8009 y:SEED-SHA 89316 15.1814 z:ADH-AES128-GCM-SHA256 414 0.0704 z:ADH-AES128-SHA 763 0.1297 z:ADH-AES128-SHA256 275 0.0467 z:ADH-AES256-GCM-SHA384 425 0.0722 z:ADH-AES256-SHA 792 0.1346 z:ADH-AES256-SHA256 275 0.0467 z:ADH-CAMELLIA128-SHA 406 0.069 z:ADH-CAMELLIA128-SHA256 1 0.0002 z:ADH-CAMELLIA256-SHA 423 0.0719 z:ADH-CAMELLIA256-SHA256 1 0.0002 z:ADH-DES-CBC-SHA 338 0.0575 z:ADH-DES-CBC3-SHA 773 0.1314 z:ADH-RC4-MD5 578 0.0982 z:ADH-SEED-SHA 332 0.0564 z:AECDH-AES128-SHA 10505 1.7856 z:AECDH-AES256-SHA 10564 1.7956 z:AECDH-DES-CBC3-SHA 10475 1.7805 z:AECDH-NULL-SHA 91 0.0155 z:AECDH-RC4-SHA 9925 1.687 z:DES-CBC-MD5 6864 1.1667 z:DES-CBC-SHA 35454 6.0263 z:DES-CBC3-MD5 17200 2.9236 z:ECDHE-RSA-NULL-SHA 98 0.0167 z:EDH-RSA-DES-CBC-SHA 30414 5.1696 z:EXP-ADH-DES-CBC-SHA 188 0.032 z:EXP-ADH-RC4-MD5 186 0.0316 z:EXP-DES-CBC-SHA 11293 1.9195 z:EXP-EDH-RSA-DES-CBC-SHA 8983 1.5269 z:EXP-RC2-CBC-MD5 13517 2.2975 z:EXP-RC4-MD5 14150 2.4051 z:EXP1024-DES-CBC-SHA 3580 0.6085 z:EXP1024-RC4-SHA 3641 0.6189 z:IDEA-CBC-MD5 1486 0.2526 z:NULL-MD5 239 0.0406 z:NULL-SHA 242 0.0411 z:NULL-SHA256 33 0.0056 z:RC2-CBC-MD5 7118 1.2099 z:RC4-64-MD5 762 0.1295 Cipher ordering Count Percent -------------------------+---------+------- Client side 151229 25.7051 Server side 437095 74.2949 Supported Handshakes Count Percent -------------------------+---------+------- ADH 941 0.1599 AECDH 10576 1.7976 DHE 319231 54.2611 ECDH 2 0.0003 ECDHE 509684 86.6332 ECDHE and DHE 272378 46.2973 RSA 505946 85.9979 Supported PFS Count Percent PFS Percent -------------------------+---------+--------+----------- DH,1024bits 122627 20.8434 38.4132 DH,2048bits 183782 31.2382 57.5702 DH,2236bits 92 0.0156 0.0288 DH,2430bits 1 0.0002 0.0003 DH,2432bits 3 0.0005 0.0009 DH,2560bits 1 0.0002 0.0003 DH,3072bits 122 0.0207 0.0382 DH,3092bits 2 0.0003 0.0006 DH,3196bits 1 0.0002 0.0003 DH,4094bits 1 0.0002 0.0003 DH,4096bits 12216 2.0764 3.8267 DH,512bits 91 0.0155 0.0285 DH,6144bits 1 0.0002 0.0003 DH,768bits 384 0.0653 0.1203 DH,8192bits 9 0.0015 0.0028 ECDH,B-571,570bits 2788 0.4739 0.547 ECDH,K-163,163bits 1 0.0002 0.0002 ECDH,P-192,192bits 39 0.0066 0.0077 ECDH,P-224,224bits 92 0.0156 0.0181 ECDH,P-256,256bits 484945 82.4282 95.1462 ECDH,P-384,384bits 8059 1.3698 1.5812 ECDH,P-521,521bits 15676 2.6645 3.0756 ECDH,brainpoolP512r1,512bits 1 0.0002 0.0002 Prefer DH,1024bits 46364 7.8807 14.5237 Prefer DH,2048bits 5558 0.9447 1.7411 Prefer DH,3072bits 11 0.0019 0.0034 Prefer DH,4096bits 389 0.0661 0.1219 Prefer DH,768bits 45 0.0076 0.0141 Prefer ECDH,B-571,570bits 2562 0.4355 0.5027 Prefer ECDH,K-163,163bits 1 0.0002 0.0002 Prefer ECDH,P-192,192bits 1 0.0002 0.0002 Prefer ECDH,P-224,224bits 89 0.0151 0.0175 Prefer ECDH,P-256,256bits 446551 75.9022 87.6133 Prefer ECDH,P-384,384bits 6159 1.0469 1.2084 Prefer ECDH,P-521,521bits 14444 2.4551 2.8339 Prefer ECDH,brainpoolP512r1,512bits 1 0.0002 0.0002 Prefer PFS 522175 88.7564 0 Support PFS 556537 94.597 0 Supported ECC curves Count Percent -------------------------+---------+-------- brainpoolP256r1 15666 2.6628 brainpoolP384r1 15673 2.664 brainpoolP512r1 15677 2.6647 prime192v1 1721 0.2925 prime256v1 505771 85.9681 prime256v1 Only 424806 72.2061 secp160k1 1634 0.2777 secp160r1 1641 0.2789 secp160r2 1633 0.2776 secp192k1 1647 0.2799 secp224k1 1732 0.2944 secp224r1 5585 0.9493 secp256k1 17871 3.0376 secp384r1 83624 14.2139 secp384r1 Only 2663 0.4526 secp521r1 47374 8.0524 secp521r1 Only 142 0.0241 sect163k1 1637 0.2782 sect163r1 1636 0.2781 sect163r2 1637 0.2782 sect193r1 1636 0.2781 sect193r2 1636 0.2781 sect233k1 1728 0.2937 sect233r1 1725 0.2932 sect239k1 1721 0.2925 sect283k1 17205 2.9244 sect283r1 17203 2.9241 sect409k1 17203 2.9241 sect409r1 17200 2.9236 sect571k1 17204 2.9242 sect571r1 17205 2.9244 Unsupported curve fallback Count Percent ------------------------------+---------+-------- False 56188 9.5505 True 384116 65.2899 order-specific 30 0.0051 unknown 147990 25.1545 ECC curve ordering Count Percent -------------------------+---------+-------- client 12072 2.0519 inconclusive-noecc 8 0.0014 server 496534 84.3981 unknown 79710 13.5487 TLSv1.2 PFS supported sigalgs Count Percent ------------------------------+---------+-------- ECDSA-SHA1 53235 9.0486 ECDSA-SHA1 Only 7 0.0012 ECDSA-SHA224 53208 9.044 ECDSA-SHA256 70734 12.023 ECDSA-SHA384 70725 12.0214 ECDSA-SHA512 70735 12.0231 ECDSA-SHA512 Only 16 0.0027 RSA-MD5 32419 5.5104 RSA-SHA1 439804 74.7554 RSA-SHA1 Only 34182 5.8101 RSA-SHA224 364514 61.958 RSA-SHA256 414576 70.4673 RSA-SHA256 Only 7888 1.3408 RSA-SHA384 377143 64.1046 RSA-SHA384 Only 4 0.0007 RSA-SHA512 377071 64.0924 RSA-SHA512 Only 85 0.0144 TLSv1.2 PFS ordering Count Percent ------------------------------+---------+-------- client 276407 46.9821 indeterminate 52 0.0088 intolerant 6076 1.0328 order-fallback 9 0.0015 server 217108 36.9028 unsupported 15976 2.7155 TLSv1.2 PFS sigalg fallback Count Percent ------------------------------+---------+-------- ECDSA SHA1 53190 9.0409 ECDSA intolerant 134 0.0228 ECDSA pfs-rsa-SHA512 17450 2.9661 ECDSA soft-nopfs 9 0.0015 RSA False 32115 5.4587 RSA SHA1 374923 63.7273 RSA intolerant 41684 7.0852 RSA pfs-ecdsa-SHA512 26 0.0044 RSA soft-nopfs 481 0.0818 Renegotiation Count Percent -------------------------+---------+-------- False 5021 0.8534 insecure 16740 2.8454 secure 566563 96.3012 Compression Count Percent -------------------------+---------+-------- 1 (zlib compression) 7345 1.2485 False 5021 0.8534 NONE 575958 97.8981 TLS session ticket hint Count Percent -------------------------+---------+-------- 1 2 0.0003 1 only 2 0.0003 2 1 0.0002 2 only 1 0.0002 5 9 0.0015 5 only 9 0.0015 10 8 0.0014 10 only 8 0.0014 15 7 0.0012 15 only 7 0.0012 30 24 0.0041 30 only 24 0.0041 60 159 0.027 60 only 151 0.0257 65 2 0.0003 65 only 2 0.0003 70 8 0.0014 70 only 7 0.0012 75 1 0.0002 75 only 1 0.0002 90 1 0.0002 90 only 1 0.0002 100 15 0.0025 100 only 15 0.0025 120 24 0.0041 120 only 24 0.0041 128 6 0.001 128 only 5 0.0008 150 2 0.0003 180 72 0.0122 180 only 70 0.0119 240 13 0.0022 240 only 13 0.0022 244 2 0.0003 244 only 2 0.0003 300 294538 50.0639 300 only 291166 49.4908 302 2 0.0003 302 only 2 0.0003 360 3 0.0005 360 only 2 0.0003 400 4 0.0007 400 only 4 0.0007 420 133 0.0226 420 only 113 0.0192 480 11 0.0019 480 only 10 0.0017 500 3 0.0005 500 only 3 0.0005 540 4 0.0007 540 only 4 0.0007 600 28048 4.7674 600 only 27923 4.7462 700 3 0.0005 700 only 3 0.0005 840 2 0.0003 840 only 2 0.0003 900 1508 0.2563 900 only 1487 0.2528 960 4 0.0007 960 only 4 0.0007 1000 1 0.0002 1000 only 1 0.0002 1200 3403 0.5784 1200 only 3400 0.5779 1210 2 0.0003 1210 only 2 0.0003 1320 1 0.0002 1320 only 1 0.0002 1380 1 0.0002 1380 only 1 0.0002 1440 1 0.0002 1440 only 1 0.0002 1500 7 0.0012 1500 only 6 0.001 1800 698 0.1186 1800 only 680 0.1156 1980 2 0.0003 1980 only 2 0.0003 2100 2 0.0003 2100 only 1 0.0002 2160 1 0.0002 2160 only 1 0.0002 2400 9 0.0015 2400 only 9 0.0015 2700 10 0.0017 2700 only 10 0.0017 3000 38 0.0065 3000 only 38 0.0065 3300 1 0.0002 3300 only 1 0.0002 3600 1035 0.1759 3600 only 1024 0.1741 3900 2 0.0003 3900 only 2 0.0003 4200 1 0.0002 4500 1 0.0002 4500 only 1 0.0002 5160 1 0.0002 5160 only 1 0.0002 5400 22 0.0037 5400 only 6 0.001 6000 345 0.0586 6000 only 345 0.0586 7200 15012 2.5517 7200 only 14995 2.5488 8100 1 0.0002 8100 only 1 0.0002 9000 2 0.0003 9000 only 2 0.0003 10800 5061 0.8602 10800 only 5045 0.8575 14400 106 0.018 14400 only 106 0.018 18000 11 0.0019 18000 only 11 0.0019 21600 4326 0.7353 21600 only 4324 0.735 25200 1 0.0002 25200 only 1 0.0002 28800 2688 0.4569 28800 only 2688 0.4569 30000 3 0.0005 30000 only 1 0.0002 36000 1246 0.2118 36000 only 1240 0.2108 43200 61 0.0104 43200 only 61 0.0104 54000 1 0.0002 54000 only 1 0.0002 60000 2 0.0003 60000 only 2 0.0003 64800 70216 11.9349 64800 only 70188 11.9302 72000 12 0.002 72000 only 12 0.002 79200 1 0.0002 79200 only 1 0.0002 86400 2835 0.4819 86400 only 2826 0.4803 100800 9392 1.5964 100800 only 9375 1.5935 108000 1 0.0002 108000 only 1 0.0002 115200 1 0.0002 115200 only 1 0.0002 129600 7 0.0012 129600 only 7 0.0012 172800 55 0.0093 172800 only 55 0.0093 216000 4 0.0007 216000 only 4 0.0007 259200 3 0.0005 259200 only 3 0.0005 432000 1 0.0002 432000 only 1 0.0002 604800 1 0.0002 864000 3 0.0005 864000 only 3 0.0005 7776000 1 0.0002 7776000 only 1 0.0002 None 150759 25.6252 None only 147078 24.9995 Certificate sig alg Count Percent -------------------------+---------+-------- None 11191 1.9022 ecdsa-with-SHA256 67977 11.5543 sha1WithRSAEncryption 23775 4.0411 sha256WithRSAEncryption 514022 87.3706 sha384WithRSAEncryption 8 0.0014 sha512WithRSAEncryption 67 0.0114 Certificate key size Count Percent -------------------------+---------+-------- ECDSA 256 70749 12.0255 ECDSA 384 34 0.0058 ECDSA 521 1 0.0002 RSA 1024 17 0.0029 RSA 2048 507589 86.2771 RSA 2049 2 0.0003 RSA 2056 1 0.0002 RSA 2058 3 0.0005 RSA 2059 1 0.0002 RSA 2084 1 0.0002 RSA 2086 1 0.0002 RSA 2096 3 0.0005 RSA 2408 1 0.0002 RSA 2432 2 0.0003 RSA 2560 1 0.0002 RSA 2948 1 0.0002 RSA 3072 156 0.0265 RSA 3073 1 0.0002 RSA 3096 2 0.0003 RSA 3248 2 0.0003 RSA 4048 4 0.0007 RSA 4056 16 0.0027 RSA 4069 1 0.0002 RSA 4086 3 0.0005 RSA 4092 2 0.0003 RSA 4094 1 0.0002 RSA 4095 1 0.0002 RSA 4096 29945 5.0899 RSA 4196 1 0.0002 RSA 8192 11 0.0019 RSA 8392 1 0.0002 RSA/ECDSA Dual Stack 20215 3.436 OCSP stapling Count Percent -------------------------+---------+-------- Supported 127611 21.6906 Unsupported 460713 78.3094 Supported Protocols Count Percent -------------------------+---------+------- SSL2 17372 2.9528 SSL2 Only 13 0.0022 SSL3 102349 17.3967 SSL3 Only 1020 0.1734 SSL3 or TLS1 Only 54445 9.2543 SSL3 or lower Only 1028 0.1747 TLS1 576797 98.0407 TLS1 Only 33030 5.6143 TLS1 or lower Only 70001 11.8984 TLS1.1 507108 86.1954 TLS1.1 Only 42 0.0071 TLS1.1 or up Only 10330 1.7558 TLS1.2 515617 87.6417 TLS1.2 Only 3098 0.5266 TLS1.2, 1.0 but not 1.1 7000 1.1898 Statistics from 622291 chains provided by 724741 hosts Server provided chains Count Percent -------------------------+---------+------- complete 563959 77.8152 incomplete 21088 2.9097 untrusted 139694 19.275 Trusted chain statistics ======================== Chain length Count Percent -------------------------+---------+------- 2 2 0.0003 3 618971 99.4665 4 3305 0.5311 5 13 0.0021 CA key size in chains Count -------------------------+--------- ECDSA 256 67969 ECDSA 384 67967 RSA 1024 10 RSA 2045 2 RSA 2048 918447 RSA 4096 193516 Chains with CA key Count Percent -------------------------+---------+------- ECDSA 256 67969 10.9224 ECDSA 384 67967 10.9221 RSA 1024 8 0.0013 RSA 2045 2 0.0003 RSA 2048 553908 89.0111 RSA 4096 192863 30.9924 Signature algorithm (ex. root) Count ------------------------------+--------- ecdsa-with-SHA384 67958 sha1WithRSAEncryption 27126 sha256WithRSAEncryption 356410 sha384WithRSAEncryption 174062 sha512WithRSAEncryption 64 Eff. host cert chain LoS Count Percent -------------------------+---------+------- 80 27123 4.3586 112 527185 84.7168 128 67983 10.9246 Most common root CAs Count Percent ---------------------------------------------+---------+------- (d6325660) COMODO RSA Certification Authority 156327 25.1212 (2c543cd1) GeoTrust Global CA 97389 15.6501 (eed8c118) COMODO ECC Certification Authority 67950 10.9193 (5ad8a5d6) GlobalSign Root CA 54936 8.828 (cbf06781) Go Daddy Root Certificate Authorit 48751 7.8341 (b204d74a) VeriSign Class 3 Public Primary Ce 32016 5.1449 (244b5494) DigiCert High Assurance EV Root CA 19865 3.1922 (2e4eed3c) thawte Primary Root CA 18906 3.0381 (fc5a8f99) USERTrust RSA Certification Author 17597 2.8278 (2e5ac55d) DST Root CA X3 17594 2.8273 (653b494a) Baltimore CyberTrust Root 11729 1.8848 (3513523f) DigiCert Global Root CA 10305 1.656 (ae8153b9) StartCom Certification Authority 9737 1.5647 (4bfab552) Starfield Root Certificate Authori 8211 1.3195 Scan performed between 30th of May and 18th of June 2016 -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

1 0

cipherscan
by cla＠danskebank.dk 02 Sep '16

02 Sep '16

Hi, Are you still using https://github.com/tomato42/cipherscan as-is or have you modified it? Thanks, Martin

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

security September 2016