Some Certificate Check Statistics
As I run a small SSL test tool, https://ssldecoder.org, I have some interesting statistics about certificates and sites, which you guys and gals might find interesting.
In the last 5 days there have been about 20000 checks for over 5200 unique sites. These are the top 10 CA issuers:
96 CN=Symantec Class 3 EV SSL CA - G3
100 CN=thawte SSL CA - G2
106 CN=AlphaSSL CA - SHA256 - G2
106 CN=DigiCert SHA2 Secure Server CA
116 CN=COMODO RSA Organization Validation Secure Server CA
197 CN=Symantec Class 3 Secure Server CA - G4
239 CN=StartCom Class 1 Primary Intermediate Server CA
331 CN=RapidSSL SHA256 CA - G3
427 CN=Go Daddy Secure Certificate Authority - G2
660 CN=COMODO RSA Domain Validation Secure Server CA
As you can see, Comodo is a big player. The overall statistics for the past 6 months confirm that. Or, Comodo cert owners regularly check their site.
Domain validation is also a big part of most certificates. There are no EV-issuing CAs in the top 10. Organization validation is only number 6. But as we know, OV doesn't offer any benefit: no green bar, no extra security, just more hassle during validation.
Let's Encrypt will, I hope, replace Comodo as the biggest player in DV SSL certs. Since those are free, you know?
Here are the top signature algorithms:
10 Signature Algorithm: ecdsa-with-SHA384
14 Signature Algorithm: md5WithRSAEncryption
34 Signature Algorithm: ecdsa-with-SHA256
56 Signature Algorithm: sha384WithRSAEncryption
62 Signature Algorithm: sha512WithRSAEncryption
1790 Signature Algorithm: sha1WithRSAEncryption
7788 Signature Algorithm: sha256WithRSAEncryption
Shame on those 14 people with an MD5 certificate. With an ECDSA certificate you get smaller public/private keys, and faster crypto on modern hardware. Cloudflare issues ECDSA certs for some domains.
The SHA-1 certs will disappear at the end of this year when they all expire.
About 43% of the checked certificates are multi-domain ones, excluding cert providers that give a multi-domain cert where the "www." version of the CN is included.
19% of the sites checked had Strict Transport Security enabled on the first check. 7% of the sites that were checked multiple times had HSTS off on the first check and on in a later check.
OCSP stapling was enabled by 39% of the checked sites on the first check, and 12% of the sites had it off on the first check and on in a later check.
60% of the sites have a cert with a chain of 4 certificates.
21% of the sites have a cert with a chain of 2 certificates (most EV sites).
11% of the sites have a cert with a chain of 3 certs.
The rest have more than 4 certs in their chain.
About 72% of the sites checked had the chain set up correctly on the first check. 89% of the sites that had an incorrect chain on the first check had a correct chain in a later check.
Are there more stats or facts you'd like me to research?
Any other tips or feature suggestions for my tool? In the next release I've got automatic chain construction as a huge feature. Paste a cert, get the correct chain. Incorrect chain installed? I give you the correct one, copy-pastable. This release will be live next week.
Where do you guys buy your certificates? And if so, do you get a domain validation cert? When would you buy an EV vs a DV?
(Edit: Formatting)
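To illustrate the "chain set up correctly" check and the automatic chain construction the post mentions, here is an added example (not ssldecoder.org's code) that builds a throwaway root, intermediate and leaf with the openssl CLI, shows how a verifier judges a correct versus a wrong intermediate, and rebuilds the chain by matching each cert's issuer to a candidate's subject. All names (Example Root CA, example.test, the helper functions) are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from ssldecoder.org: throwaway root -> intermediate -> leaf PKI,
# a chain check as a verifier sees it, and issuer->subject chain construction.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# mkcert NAME SUBJECT [SIGNER EXTFILE]: EC key plus self-signed or CA-signed cert (1 day)
mkcert() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null
  if [ -z "${3:-}" ]; then
    openssl req -x509 -new -key "$1.key" -subj "$2" -days 1 -out "$1.pem" 2>/dev/null
  else
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 1 -extfile "$4" -out "$1.pem" 2>/dev/null
  fi
}
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test,DNS:www.example.test\n' > leaf.ext
mkcert root  "/CN=Example Root CA"                        # constructed trust anchor
mkcert inter "/CN=Example Intermediate CA" root ca.ext    # the intermediate the leaf needs
mkcert other "/CN=Unrelated Intermediate CA" root ca.ext  # a wrong intermediate, same root
mkcert leaf  "/CN=example.test" inter leaf.ext            # the server certificate
# name FILE subject|issuer -> the DN string with the "subject="/"issuer=" prefix stripped
name() { openssl x509 -in "$1" -noout "-$2" | sed "s/^$2=//"; }
# verify_chain LEAF UNTRUSTED_FILE -> ok|fail: can the leaf reach the root through the
# intermediates the server sent? This is the "chain set up correctly" check.
verify_chain() {
  if openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# build_chain LEAF OUT CANDIDATE...: follow issuer -> subject through the candidate pool
# until no issuer is found or a self-signed cert is reached (the root is not sent).
build_chain() {
  cur="$1"; out="$2"; shift 2; : > "$out"
  while :; do
    iss=$(name "$cur" issuer); next=""
    for c in "$@"; do
      if [ "$(name "$c" subject)" = "$iss" ]; then next="$c"; break; fi
    done
    if [ -z "$next" ]; then break; fi
    cat "$next" >> "$out"; cur="$next"
    if [ "$(name "$cur" subject)" = "$(name "$cur" issuer)" ]; then break; fi
  done
}
echo "correct intermediate: $(verify_chain leaf.pem inter.pem)"   # ok
echo "wrong intermediate:   $(verify_chain leaf.pem other.pem)"   # fail
build_chain leaf.pem chain.pem other.pem inter.pem
echo "rebuilt chain:        $(verify_chain leaf.pem chain.pem)"   # ok
```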
Comments
If it's used that regularly, never throw that domain away. You probably have a bunch of links going to it from relevant forums and such, so redirect it instead one day for a little bit of that so-hated SEO value.
By the way, great service.
Liked it. I also spend quite a mentionable amount of time on SSL research; I indeed like it. And I always configure the SSL settings based on your website: cipherli.st
Tried using the site but I'm getting a CloudFlare 524 error.
Would it be a good idea to use one dhparam for several SSL certificates?
Which domain did you test?
Nah, generate a new one per certificate/domain.
Darn it. It takes ages to generate 4096-bit DH params. I only have VPSs with one core or max 2, but these mostly have low CPU clocks.
Downloaded OpenSSL 1.0.1k for Windows (same version as on server) and it is only using one of my six cores...
securedragon.net - I'm running the test again, fingers crossed. SSL Labs has issues with the site also, I probably broke something when I switched to SHA2 last month.
Dang, as soon as I hit reply I got the CloudFlare timeout again.
2048 vs 4096 dhparams:
The way I understood it, I can worry about this in one year(renewal time) or in 2030 according to public domain cryptanalysis projections.
You don't have to generate the dhparam files on the VPS; you can also just generate one locally and copy it over. That's what I do in my Ansible playbook to roll out a new server.
I'm not yet sure what's up, but by lowering the timeout on my test server I was able to do a full check: http://openstack.so/ssl/results/saved.securedragonnet.1445670511.739c0550c450112c8c873bb2bb5e53dc.html
EDIT
I also have a lot of packet loss to securedragon.net from that server:
Note that that is the full ping output.
Here's also the MTR:
I do, with OpenSSL for Windows, but it is only using 1 of 6 cores (AMD Phenom II X6 1055T). Just a bit faster than the VPS. But it still takes ages.
I find the Subject Alternative Names interesting.
That is because of how the DDoS protection handles ICMP.
Ah, that explains it. The PHP code does a lot of stream_socket and curl, would that be impacted?