[Ach] SSL Pulse -- Server vs Client

christian mock cm at coretec.at
Sat Jan 10 00:18:16 CET 2015

As the newest SSL Pulse data
<https://www.trustworthyinternet.org/ssl-pulse/> just crossed my
twitter timeline, I'd like to compare what they see in the server
population vs what I see in the client population... Also, I have a new
graylog2 setup and love to play with it :-)

The site my data is from is TLS only and targets the general public --
so it's neither my personal nerdy site nor CoreTEC's, which both may
by skewed towards more computer literate users and their browsers.
Also, of course it's configured according to our paper, with the
addition of DES-CBC3-SHA to support IE on XP (y'know, business needs).
It runs apache2.2 on current debian.

Protocol support for TLS v1.2: only about 50% of the sites support it,
while about 90% of my site's requests use it. Definitely worthwhile to
upgrade your server for the AEAD cipher suites.

Forward secrecy: only 60% of the sites support any form of FS. Of the
requests I see, it's only 0.35% that don't support any form of FS and
therefore fall back to non-FS ciphersuites. So, also definitely
worthwhile enabling it, and maybe also just ignore those 0.35% and go
FS only.

AEAD: 81% of the requests use some form of AEAD cipher.

IPv6: 2.7% of requests :-(

So, my summary: embrace strong crypto! The browsers support it
in such an overwhelming majority that it's definitely worth it.
Looking at the SSL Pulse data, it's definitely the servers that keep
the NSA in the loop, not the browsers.


Christian Mock                          Wiedner Hauptstr. 15
Senior Security Engineer                1040 Wien
CoreTEC IT Security Solutions GmbH      +43-1-5037273
FN 214709 z

CoreTEC: Web Application Audit - Damit so etwas nicht passiert!



More information about the Ach mailing list