Month: May 2014

TLS 1.2 adoption half way mark reached! May 2014 cipher scan results

Update: previous version of results counted “broken” cipher suites (export, ADH, AECDH) even if server didn’t have a trusted certificate.

I’ve scanned Alexa Top 1 million sites again and this month’s results results are both depressing and encouraging.

The bad

Number of sites that force RC4 in TLS 1.1 and TLS 1.2 connections has grown (by nearly 1.5%). The percent of sites that accept export grade cryptography or plain broken cryptography hasn’t changed significantly.

The good

Fraction of servers that support only RC4 ciphers has fallen by 0.4% to 1.38%. More and more certificates are using the SHA-256 based signatures (now over 10%, an increase by nearly 5%).

Interestingly, there are first sites that use only ECDSA certificates (at the moment 2).

Also, we’ve finally reached the half way mark for TLS 1.2 adoption on the servers. Over 54% of servers support TLS1.2 and over 51% support TLS1.1.

Results

SSL/TLS survey of 318366 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)

Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      276742    86.9257
3DES Only                 137       0.043
AES                       296225    93.0454
AES Only                  930       0.2921
AES-CBC Only              588       0.1847
AES-GCM                   121699    38.2261
AES-GCM Only              4         0.0013
CAMELLIA                  127345    39.9996
CAMELLIA Only             1         0.0003
CHACHA20                  19834     6.2299
RC4                       283641    89.0927
RC4 Only                  4388      1.3783
RC4 Preferred             59422     18.6647
RC4 forced in TLS1.1+     37507     11.7811
z:ADH-AES128-GCM-SHA256   290       0.0911
z:ADH-AES128-SHA          1431      0.4495
z:ADH-AES128-SHA256       279       0.0876
z:ADH-AES256-GCM-SHA384   285       0.0895
z:ADH-AES256-SHA          1430      0.4492
z:ADH-AES256-SHA256       283       0.0889
z:ADH-CAMELLIA128-SHA     794       0.2494
z:ADH-CAMELLIA256-SHA     799       0.251
z:ADH-DES-CBC-SHA         845       0.2654
z:ADH-DES-CBC3-SHA        1482      0.4655
z:ADH-RC4-MD5             1345      0.4225
z:ADH-SEED-SHA            689       0.2164
z:AECDH-AES128-SHA        8482      2.6642
z:AECDH-AES256-SHA        8485      2.6652
z:AECDH-DES-CBC3-SHA      8457      2.6564
z:AECDH-NULL-SHA          4         0.0013
z:AECDH-RC4-SHA           8091      2.5414
z:DES-CBC-MD5             254       0.0798
z:DES-CBC-SHA             60478     18.9964
z:DHE-RSA-SEED-SHA        51890     16.2989
z:ECDHE-RSA-NULL-SHA      7         0.0022
z:EDH-RSA-DES-CBC-SHA     49291     15.4825
z:EXP-ADH-DES-CBC-SHA     461       0.1448
z:EXP-ADH-RC4-MD5         467       0.1467
z:EXP-DES-CBC-SHA         49466     15.5375
z:EXP-EDH-RSA-DES-CBC-SHA 35342     11.1011
z:EXP-RC2-CBC-MD5         46932     14.7415
z:IDEA-CBC-MD5            27        0.0085
z:IDEA-CBC-SHA            51847     16.2853
z:NULL-MD5                319       0.1002
z:NULL-SHA                313       0.0983
z:NULL-SHA256             10        0.0031
z:RC2-CBC-MD5             281       0.0883
z:SEED-SHA                65444     20.5562

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1525      0.479
AECDH                     8502      2.6705
DHE                       154179    48.4282
ECDHE                     134412    42.2193
RSA                       318109    99.9193

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               145407    45.6729  94.3105
DH,2048bits               7568      2.3771   4.9086
DH,3072bits               2         0.0006   0.0013
DH,3248bits               2         0.0006   0.0013
DH,4096bits               428       0.1344   0.2776
DH,4097bits               2         0.0006   0.0013
DH,512bits                35433     11.1296  22.9817
DH,768bits                683       0.2145   0.443
ECDH,B-163,163bits        1         0.0003   0.0007
ECDH,B-571,570bits        294       0.0923   0.2187
ECDH,P-224,224bits        3         0.0009   0.0022
ECDH,P-256,256bits        133565    41.9533  99.3698
ECDH,P-384,384bits        165       0.0518   0.1228
ECDH,P-521,521bits        450       0.1413   0.3348
Prefer DH,1024bits        98865     31.0539  64.1235
Prefer DH,2048bits        2143      0.6731   1.3899
Prefer DH,4096bits        34        0.0107   0.0221
Prefer DH,512bits         1         0.0003   0.0006
Prefer DH,768bits         74        0.0232   0.048
Prefer ECDH,B-163,163bits 1         0.0003   0.0007
Prefer ECDH,B-571,570bits 236       0.0741   0.1756
Prefer ECDH,P-256,256bits 94747     29.7604  70.49
Prefer ECDH,P-384,384bits 115       0.0361   0.0856
Prefer ECDH,P-521,521bits 409       0.1285   0.3043
Prefer PFS                196625    61.7607  0
Support PFS               245584    77.1389  0

Certificate sig alg     Count     Percent 
-------------------------+---------+--------
None                      9994      3.1392   
ecdsa-with-SHA256         2         0.0006   
sha1WithRSAEncryption     286277    89.9207  
sha256WithRSAEncryption   32146     10.0972  

Certificate key size    Count     Percent 
-------------------------+---------+--------
ECDSA 384                 2         0.0006   
RSA 1024                  1935      0.6078   
RSA 2028                  1         0.0003   
RSA 2047                  2         0.0006   
RSA 2048                  304898    95.7696  
RSA 2049                  2         0.0006   
RSA 2056                  3         0.0009   
RSA 2058                  1         0.0003
RSA 2060                  1         0.0003
RSA 2064                  1         0.0003
RSA 2080                  3         0.0009
RSA 2084                  4         0.0013
RSA 2345                  1         0.0003
RSA 2408                  1         0.0003
RSA 2432                  60        0.0188
RSA 2536                  1         0.0003
RSA 2612                  1         0.0003
RSA 3000                  1         0.0003
RSA 3050                  1         0.0003
RSA 3072                  19        0.006
RSA 3248                  3         0.0009
RSA 3600                  1         0.0003
RSA 4042                  1         0.0003
RSA 4046                  1         0.0003
RSA 4048                  1         0.0003
RSA 4069                  1         0.0003
RSA 4086                  1         0.0003
RSA 4092                  2         0.0006
RSA 4096                  11427     3.5893
RSA 4098                  1         0.0003
RSA 4192                  2         0.0006
RSA 8192                  3         0.0009
RSA/ECDSA Dual Stack      0         0.0

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      621       0.1951
SSL2 Only                 73        0.0229
SSL3                      314763    98.8683
SSL3 Only                 3524      1.1069
SSL3 or TLS1 Only         140708    44.1969
TLS1                      314191    98.6886
TLS1 Only                 1117      0.3509
TLS1.1                    164225    51.5837
TLS1.1 Only               8         0.0025
TLS1.1 or up Only         68        0.0214
TLS1.2                    173049    54.3554
TLS1.2 Only               48        0.0151
TLS1.2, 1.0 but not 1.1   12720     3.9954

Scan performed between 7th and 15th of May 2014.

Forged TLS certificates are used in the wild

New Facebook study revealed that 0.2% of TLS connections were tampered with. While many of the forged certificates were created either by corporate SSL man in the middle proxies or antivirus software, few hundred connections were tapped into by attackers.

What’s worrisome, is that Facebook is a high profile site, for many people also an authenticator for other services on the web. And yet 3.4% of those tampered connections would have given certificate errors even in case of where the browser trusted the fraudulent CA. Most other connections probably also triggered certificate warnings. That means that significant number of people ignore certificate warning even for very important sites.

This clearly shows that there is high need for extensions like HTTP Strict Transport Security (HSTS), Trust Assertions for Certificate Keys (TACK), DNSSEC based certificate pinning or extensions like Perspectives for Firefox which make sure that users can’t ignore certificate warnings in cases where they really are under a man in the middle attack.

Opportunistic encryption in SMTP is here (mostly)

Facebook published their outgoing SMTP stats on 13th of May. The situation is much better than what we previously thought.

Few high points:

76% of hosts that Facebook contacted to send email support STARTTLS and correctly negotiated secure connection
56% of outgoing email gets encrypted using TLS
out of encrypted email, over 98% used Perfect Forward Secrecy

The bad:

only 25% of domains have matching, trusted and still valid certificates
this falls down to 6.6% for unique MX hosts
and includes 59.6% of all mail
nearly 50% of email was transferred using the possibly passively-crackable RC4 cipher
the same issue affects close to 20% of domains

In summary, it looks like we are on very good road for strict certificate checking using DANE in SMTP.

SHA-2 on the rise

According to Netcraft the number of sites that use certificates signed with SHA-256 increased by more than 50% during past month. You may be asking yourself why would such a big change happen so quickly. Netcraft guesses that’s the result of certificate re-issuance following Heartbleed and I would agree.

You can expect cipherscan results from yours truly in few days.

Cipher scan results in April 2014

Update: The previous version of the tool incorrectly counted broken cipher suites (export, ADH, AECDH).

I scanned Alexa top 1 million sites between 5th and 17th of April 2014 and found out that many servers still not only are badly configured (prefer RC4 ciphers) but won’t negotiate with safely configured browser (one that does not support RC4).

SSL/TLS survey of 305280 websites from Alexa's top 0.97 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate
installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      274502    89.9181
3DES Only                 9641      3.1581
AES                       277199    90.8016
AES Only                  520       0.1703
AES-CBC Only              265       0.0868
AES-GCM                   100595    32.9517
AES-GCM Only              12        0.0039
CAMELLIA                  112135    36.7319
CAMELLIA Only             1         0.0003
CHACHA20                  19072     6.2474
RC4                       268295    87.8849
RC4 Only                  5408      1.7715
RC4 Preferred             59552     19.5073
RC4 forced in TLS1.1+     31737     10.396
z:ADH-AES128-GCM-SHA256   248       0.0812
z:ADH-AES128-SHA          1413      0.4629
z:ADH-AES128-SHA256       241       0.0789
z:ADH-AES256-GCM-SHA384   250       0.0819
z:ADH-AES256-SHA          1412      0.4625
z:ADH-AES256-SHA256       245       0.0803
z:ADH-CAMELLIA128-SHA     736       0.2411
z:ADH-CAMELLIA256-SHA     740       0.2424
z:ADH-DES-CBC-SHA         831       0.2722
z:ADH-DES-CBC3-SHA        1469      0.4812
z:ADH-RC4-MD5             1333      0.4366
z:ADH-SEED-SHA            636       0.2083
z:AECDH-AES128-SHA        10300     3.374
z:AECDH-AES256-SHA        10349     3.39
z:AECDH-DES-CBC3-SHA      10313     3.3782
z:AECDH-NULL-SHA          3         0.001
z:AECDH-RC4-SHA           9913      3.2472
z:DES-CBC-MD5             279       0.0914
z:DES-CBC-SHA             60744     19.8978
z:DHE-RSA-SEED-SHA        46262     15.154
z:ECDHE-RSA-NULL-SHA      6         0.002
z:EDH-RSA-DES-CBC-SHA     49529     16.2241
z:EXP-ADH-DES-CBC-SHA     458       0.15
z:EXP-ADH-RC4-MD5         458       0.15
z:EXP-DES-CBC-SHA         49850     16.3293
z:EXP-EDH-RSA-DES-CBC-SHA 36180     11.8514
z:EXP-RC2-CBC-MD5         47372     15.5176
z:IDEA-CBC-MD5            28        0.0092
z:IDEA-CBC-SHA            44932     14.7183
z:NULL-MD5                322       0.1055
z:NULL-SHA                317       0.1038
z:NULL-SHA256             11        0.0036
z:RC2-CBC-MD5             307       0.1006
z:SEED-SHA                59061     19.3465

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1503      0.4923
AECDH                     10393     3.4044
DHE                       145234    47.574
ECDHE                     113831    37.2874
RSA                       305033    99.9191

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               138773    45.4576  95.5513
DH,2048bits               5472      1.7925   3.7677
DH,3072bits               2         0.0007   0.0014
DH,3248bits               2         0.0007   0.0014
DH,4094bits               1         0.0003   0.0007
DH,4096bits               250       0.0819   0.1721
DH,512bits                36257     11.8766  24.9645
DH,768bits                662       0.2169   0.4558
ECDH,B-163,163bits        1         0.0003   0.0009
ECDH,B-571,570bits        279       0.0914   0.2451
ECDH,P-224,224bits        3         0.001    0.0026
ECDH,P-256,256bits        113201    37.081   99.4465
ECDH,P-384,384bits        138       0.0452   0.1212
ECDH,P-521,521bits        266       0.0871   0.2337
Prefer DH,1024bits        99289     32.5239  68.3648
Prefer DH,2048bits        1848      0.6053   1.2724
Prefer DH,4096bits        12        0.0039   0.0083
Prefer DH,512bits         1         0.0003   0.0007
Prefer DH,768bits         72        0.0236   0.0496
Prefer ECDH,B-163,163bits 1         0.0003   0.0009
Prefer ECDH,B-571,570bits 226       0.074    0.1985
Prefer ECDH,P-256,256bits 80220     26.2775  70.4729
Prefer ECDH,P-384,384bits 84        0.0275   0.0738
Prefer ECDH,P-521,521bits 246       0.0806   0.2161
Prefer PFS                181999    59.6171  0
Support PFS               225224    73.7762  0

Certificate sig alg     Count     Percent 
-------------------------+---------+--------
None                      11870     3.8882   
sha1WithRSAEncryption     289276    94.7576  
sha256WithRSAEncryption   16033     5.2519   

Certificate key size    Count     Percent 
-------------------------+---------+--------
RSA 1024                  2098      0.6872   
RSA 2028                  1         0.0003   
RSA 2047                  3         0.001    
RSA 2048                  295413    96.7679
RSA 2049                  4         0.0013
RSA 2056                  3         0.001
RSA 2058                  1         0.0003
RSA 2060                  1         0.0003
RSA 2064                  1         0.0003
RSA 2080                  3         0.001
RSA 2084                  2         0.0007
RSA 2345                  1         0.0003
RSA 2408                  1         0.0003
RSA 2432                  88        0.0288
RSA 2536                  1         0.0003
RSA 2612                  1         0.0003
RSA 3000                  1         0.0003
RSA 3050                  1         0.0003
RSA 3072                  18        0.0059
RSA 3248                  2         0.0007
RSA 3600                  1         0.0003
RSA 4042                  1         0.0003
RSA 4048                  1         0.0003
RSA 4069                  1         0.0003
RSA 4086                  1         0.0003
RSA 4092                  2         0.0007
RSA 4096                  7634      2.5007
RSA 4098                  1         0.0003
RSA 4192                  2         0.0007
RSA 8192                  4         0.0013
RSA/ECDSA Dual Stack      0         0.0

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      644       0.211
SSL2 Only                 20        0.0066
SSL3                      303052    99.2702
SSL3 Only                 3706      1.214
SSL3 or TLS1 Only         155876    51.06
TLS1                      301098    98.6301
TLS1 Only                 673       0.2205
TLS1.1                    136386    44.6757
TLS1.1 Only               4         0.0013
TLS1.1 or up Only         60        0.0197
TLS1.2                    144857    47.4505
TLS1.2 Only               45        0.0147
TLS1.2, 1.0 but not 1.1   12292     4.0265

	Hubert Kario on Making RAID work (dm-integrity…
	Noma on Making RAID work (dm-integrity…
	Nob on Making RAID work (dm-integrity…
	Hubert Kario on Making RAID work (dm-integrity…
	Hubert Kario on Making RAID work (dm-integrity…

securitypitfalls

A blog about cryptography and security by Hubert Kario