Some Certificate Check Statistics

RaymiiRaymii Member
edited October 2015 in General

As I run a small SSL test tool, https://ssldecoder.org, I have some interesting statistics about certificates and sites, which you guys and gals might find interesting.

The last 5 days there have been about 20000 checks for over 5200 unique sites. These are the top 10 CA issuers:

 96 CN=Symantec Class 3 EV SSL CA - G3
100 CN=thawte SSL CA - G2
106 CN=AlphaSSL CA - SHA256 - G2
106 CN=DigiCert SHA2 Secure Server CA
116 CN=COMODO RSA Organization Validation Secure Server CA
197 CN=Symantec Class 3 Secure Server CA - G4
239 CN=StartCom Class 1 Primary Intermediate Server CA
331 CN=RapidSSL SHA256 CA - G3
427 CN=Go Daddy Secure Certificate Authority - G2
660 CN=COMODO RSA Domain Validation Secure Server CA

As you can see, Comodo is a big player. The overall statistics for the past 6 months confirm that. Or Comodo cert owners regularly check their site.

Domain validation is also a big part of most certificates. There are no EV-issuing CAs in the top 10. Organization validation is only number 6. But as we know, OV doesn't offer any benefit: no green bar, no extra security, just more hassle during validation.

Let's Encrypt will, I hope, replace Comodo as the biggest player in DV SSL certs. Since those are free, you know?

Here are the top signature algorithms:

   10     Signature Algorithm: ecdsa-with-SHA384
   14     Signature Algorithm: md5WithRSAEncryption
   34     Signature Algorithm: ecdsa-with-SHA256
   56     Signature Algorithm: sha384WithRSAEncryption
   62     Signature Algorithm: sha512WithRSAEncryption
 1790     Signature Algorithm: sha1WithRSAEncryption
 7788     Signature Algorithm: sha256WithRSAEncryption

Shame on those 14 people with an MD5 certificate. With an ECDSA certificate you get smaller public/private keys, and faster crypto on modern hardware. Cloudflare issues ECDSA certs for some domains.

The SHA-1 certs will disappear at the end of this year when they all expire.

About 43% of the checked certificates are multidomain ones, excluding cert providers that give a multidomain cert where the "www." version of the CN is included.

19% of the sites checked had Strict Transport Security enabled on the first check. 7% of the sites that were checked multiple times had HSTS off on the first check and on in a later check.

OCSP stapling was enabled by 39% of the checked sites on the first check, and 12% of the sites had it off on the first check and on in a later check.

60% of the sites have a cert with a chain of 4 certificates.
21% of the sites have a cert with a chain of 2 certificates (most EV sites).
11% of the sites have a cert with a chain of 3 certs.
The rest have more than 4 certs in their chain.

About 72% of the sites checked had the chain set up correctly on the first check. 89% of the sites that had an incorrect chain on the first check had a correct chain in a later check.

Are there more stats or facts you'd like me to research?

Any other tips or feature suggestions for my tool? In the next release I've got automatic chain construction as a huge feature. Paste a cert, get the correct chain. Incorrect chain installed? I give you the correct one, copy-pastable. This release will be live next week.

Where do you guys buy your certificates? And if so, do you get a domain validation cert? When would you buy an EV vs a DV?

(Edit: Formatting)
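An added example (not ssldecoder.org's own code) that shows what the chain statistics above are measuring, using only Go's standard library: it mints a constructed root, intermediate and leaf, then verifies what a server would present. A leaf served without its intermediate fails, which is the "incorrect chain" case counted above, and the parsed leaf exposes the issuer CN and signature algorithm that the top-10 lists tally. All CA names and hostnames here are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints an ECDSA P-256 certificate for cn (plus SANs) signed by parent; a nil parent means a self-signed root.
func issue(cn string, ca bool, sans []string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames:     sans, IsCA: ca, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, pkey = t, key // self-signed: the template signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// BuildChain constructs root -> intermediate -> leaf; every name is constructed for this example.
func BuildChain() (root, inter, leaf *x509.Certificate) {
	root, rkey := issue("Example Root CA", true, nil, nil, nil)
	inter, ikey := issue("Example DV Secure Server CA", true, nil, root, rkey)
	leaf, _ = issue("example.test", false, []string{"example.test", "www.example.test"}, inter, ikey)
	return
}

// ChainOK verifies the certificates a server presents (leaf first) against a trusted root; a leaf sent without its intermediate fails.
func ChainOK(served []*x509.Certificate, root *x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range served[1:] {
		inters.AddCert(c) // intermediates the server sent along, never the client's cache
	}
	_, err := served[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err == nil
}
```

Browsers often pass a broken chain because they cache intermediates from other sites, so a check like this has to trust only what the server actually sends.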

Comments

  • GM2015GM2015 Member
    edited October 2015

    If it's used that regularly, never throw that domain away. You probably have a bunch of links going to it from relevant forums and such, so redirect it one day instead for a little bit of that much-hated SEO value.

    By the way, great service.

    Raymii said: The last 5 days there have been about 20000 checks for over 5200 unique sites.

  • Mahfuz_SS_EHLMahfuz_SS_EHL Host Rep, Veteran

    Liked it. I also spend quite a considerable amount of time on SSL research; I indeed like it. And I always configure the SSL settings based on your website: cipherli.st

  • KuJoeKuJoe Member, Host Rep

    Tried using the site but I'm getting a CloudFlare 524 error. :(

  • Would it be a good idea to use one dhparam for several SSL certificates?

  • @KuJoe said:
    Tried using the site but I'm getting a CloudFlare 524 error. :(

    Which domain did you test?

  • @Hidden_Refuge said:
    Would it be a good idea to use one dhparam for several SSL certificates?

    Nah, generate a new one per certificate/domain.

  • teknolaizteknolaiz Member
    edited October 2015

    @Raymii said:

    Darn it. It takes ages to generate 4096-bit DH params. I only have VPSes with one core or at most two, and these mostly have low CPU clocks.

    Downloaded OpenSSL 1.0.1k for Windows (same version as on the server) and it is only using one of my six cores...

  • KuJoeKuJoe Member, Host Rep
    edited October 2015

    @Raymii said:
    Which domain did you test?

    securedragon.net - I'm running the test again, fingers crossed. :) SSL Labs has issues with the site also, I probably broke something when I switched to SHA2 last month.

    Dang, as soon as I hit reply I got the CloudFlare timeout again. :(

  • 2048 vs 4096 dhparams:

    The way I understood it, I can worry about this in one year (renewal time) or in 2030 according to public domain cryptanalysis projections.

  • You don't have to generate the dhparam files on the VPS, you can also just generate one locally and copy it over. That's what I do in my ansible playbook to roll out a new server.

  • RaymiiRaymii Member
    edited October 2015

    @KuJoe said:
    Dang, as soon as I hit reply I got the CloudFlare timeout again. :(

    I'm not yet sure what's up, but by lowering the timeout on my test server I was able to do a full check: http://openstack.so/ssl/results/saved.securedragonnet.1445670511.739c0550c450112c8c873bb2bb5e53dc.html

    EDIT

    I also have a lot of packet loss to securedragon.net from that server:

    [root@vps2 ~]# ping -c 100 securedragon.net
    PING securedragon.net (198.57.47.14) 56(84) bytes of data.
    64 bytes from my.securedragon.net (198.57.47.14): icmp_seq=1 ttl=44 time=146 ms
    64 bytes from my.securedragon.net (198.57.47.14): icmp_seq=2 ttl=44 time=146 ms
    64 bytes from my.securedragon.net (198.57.47.14): icmp_seq=14 ttl=44 time=146 ms
    64 bytes from my.securedragon.net (198.57.47.14): icmp_seq=15 ttl=44 time=146 ms
    64 bytes from my.securedragon.net (198.57.47.14): icmp_seq=30 ttl=44 time=147 ms
    64 bytes from my.securedragon.net (198.57.47.14): icmp_seq=46 ttl=44 time=146 ms
    64 bytes from my.securedragon.net (198.57.47.14): icmp_seq=47 ttl=44 time=146 ms
    64 bytes from my.securedragon.net (198.57.47.14): icmp_seq=62 ttl=44 time=146 ms
    64 bytes from my.securedragon.net (198.57.47.14): icmp_seq=78 ttl=44 time=146 ms
    64 bytes from my.securedragon.net (198.57.47.14): icmp_seq=94 ttl=44 time=146 ms
    
    --- securedragon.net ping statistics ---
    100 packets transmitted, 10 received, 90% packet loss, time 100015ms
    rtt min/avg/max/mdev = 146.747/146.823/147.099/0.523 ms
    

    Note that that is the full ping output.

    Here's also the MTR:

    [root@vps2 ~]# mtr --report securedragon.net
    HOST: vps2.sparklingclouds.nl     Loss%   Snt   Last   Avg  Best  Wrst StDev
      1. gw-v141.xl-is.net             0.0%    10    0.6   1.9   0.5   9.6   2.9
      2. te0-22.cr1.nkf.as49685.net    0.0%    10    2.3   2.2   0.9   8.1   2.2
      3. 8-2-5.ear2.Amsterdam1.Level3  0.0%    10    1.2   1.2   1.1   1.2   0.0
      4. ae-234-3610.edge3.Amsterdam1  0.0%    10    1.6   6.5   1.6  49.3  15.0
      5. 4.68.70.42                    0.0%    10    2.2   4.5   1.8  24.9   7.2
      6. ae14.cr1.ams10.nl.zip.zayo.c  0.0%    10    2.6   2.7   2.4   3.4   0.3
      7. v142.ae29.cr2.ord2.us.zip.za  0.0%    10   96.9  96.9  96.8  97.3   0.2
      8. v21.ae29.mpr2.sea1.us.zip.za  0.0%    10  144.3 144.4 144.1 146.0   0.6
      9. 208.184.53.250.IPYX-071942-Z  0.0%    10  143.8 143.9 143.5 144.6   0.3
     10. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
     11. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
     12. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
     13. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
     14. 198.57.47.2                  10.0%    10  148.7 148.6 148.4 148.8   0.1
     15. my.securedragon.net          10.0%    10  148.0 147.9 147.2 148.2   0.3
    [root@vps2 ~]# mtr --report --no-dns securedragon.net 
    HOST: vps2.sparklingclouds.nl     Loss%   Snt   Last   Avg  Best  Wrst StDev
      1. 37.34.55.1                    0.0%    10    0.6   3.0   0.6   9.0   3.5
      2. 80.246.207.190                0.0%    10    1.1   1.1   1.0   1.3   0.1
      3. 213.19.196.201                0.0%    10    1.1   1.2   1.1   1.5   0.1
      4. 4.69.162.214                  0.0%    10    1.9   1.9   1.6   2.0   0.1
      5. 4.68.70.42                    0.0%    10    2.2   2.2   1.9   2.4   0.2
      6. 64.125.21.77                  0.0%    10    2.5   2.9   2.5   5.4   0.9
      7. 64.125.30.170                 0.0%    10   97.0  96.9  96.3  97.4   0.3
      8. 64.125.31.54                  0.0%    10  144.2 144.1 143.5 144.3   0.3
      9. 208.184.53.250                0.0%    10  152.0 149.7 143.3 193.8  15.7
     10. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
     11. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
     12. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
     13. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
     14. 198.57.47.2                  10.0%    10  148.9 149.2 148.1 154.8   2.1
     15. 198.57.47.14                 10.0%    10  148.1 147.8 147.3 148.1   0.2
    
  • teknolaizteknolaiz Member
    edited October 2015

    @Raymii said:

    I do, with OpenSSL for Windows, but it is only using 1 of 6 cores (AMD Phenom II X6 1055T). Just a bit faster than the VPS. But it still takes ages.

  • I find the Subject Alternative Names interesting.

  • KuJoeKuJoe Member, Host Rep

    Raymii said: I also have a lot of packet loss to securedragon.net from that server:

    That is because of how the DDoS protection handles ICMP.

  • @KuJoe said:
    That is because of how the DDoS protection handles ICMP.

    Ah, that explains it. The PHP code does a lot of stream_socket and curl; would that be impacted?
