SSL PULSE
SSL Pulse is a continuous and global dashboard for monitoring the quality of SSL / TLS support over time across 150,000 SSL- and TLS-enabled websites, based on Alexa’s list of the most popular sites in the world.
Monthly Scan: May 03, 2021

SSL Security Summary
This is the summary of the effective SSL security implemented by the most popular web sites. To be secure, a site has to be well configured, which means that it must have the A grade. In addition, it must not be vulnerable to either of the two currently known attacks against SSL (Insecure Renegotiation and the BEAST attack).
Secure sites: 43.7%
Total sites surveyed: 136,868
Inadequate security: 77,007
Secure sites: 59,861
Changes since previous month: -0.1%, -0.7%, +0.7% (chart legend: A+, A, A-)

SSL Labs Grade Distribution
The SSL Labs assessment grade reflects the quality of the configuration of an SSL web site. The assessment methodology is documented in the SSL Rating Guide.
[Chart: SSL Labs grade distribution; grades A, B, C, D, F; axis 0% to 60%]

Certificate Chain
All SSL sites use certificates as their digital IDs. However, in many cases a chain of certificates is needed to create a trust link between the user and a trust anchor. A common mistake is that the certificate chain is incomplete, which often results in certificate warnings on sites that are otherwise well configured.
Sites with incomplete certificate chain: 2,285 (1.7%); change since previous month: +0.0%

Key Strength
Key strength is the foundation of SSL security. Sites with weak keys cannot provide robust security, even when everything else is well configured. At minimum, web sites should use 2048-bit RSA keys or 256-bit ECDSA keys. This chart shows both RSA and ECDSA keys, but the strength of the latter is converted to their RSA equivalent to make the comparison possible. For example, 256-bit ECDSA keys have strength equivalent to that of 3072-bit RSA keys.
Sites with keys below 2048 bits: 117,952 (86.2% of sites surveyed; -236 since previous month)

Strict Transport Security
HTTP Strict Transport Security (HSTS) is an SSL safety net: a technology designed to ensure that security remains intact even in the case of configuration problems and implementation errors. To activate HSTS protection, you set a single response header on your websites. After that, browsers that support HSTS (at this time, Chrome and Firefox) will enforce the protection. The goal of HSTS is simple: after activation, do not allow insecure communication with your website. It achieves this goal by automatically converting all plain-text links to secure ones. As a bonus, it will also disable click-through SSL certificate warnings.
Sites that support HTTP Strict Transport Security: 38,952 (28.5% of sites surveyed; +279 since previous month)

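The single response header described above only protects users if the browser accepts it, and a malformed or misdelivered header is silently discarded. The following is an added example (not part of the SSL Pulse page or any Qualys code) that applies the browser-side processing rules of RFC 6797 to header values; the function name `parse_hsts` and all sample values are constructed for illustration.

```python
import re

# RFC 7230 "token" characters, used for directive names.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_hsts(header_values, over_https=True):
    """Return the HSTS policy a browser would store, or None if it stores none.

    header_values: every Strict-Transport-Security value seen in one response.
    Assumption: no ';' occurs inside a quoted value.
    """
    if not over_https or not header_values:
        return None  # the header is ignored when received over plain HTTP
    directives = {}
    for part in header_values[0].split(";"):  # only the first header is processed
        part = part.strip()
        if not part:
            continue  # empty directives such as "a;;b" are permitted
        name, _, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()  # names are case-insensitive
        if not _TOKEN.fullmatch(name) or name in directives:
            return None  # malformed or repeated directive invalidates the header
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # quoted-string form, e.g. max-age="31536000"
        directives[name] = value
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):
        return None  # max-age is required and must be a non-negative integer
    seconds = int(max_age)
    return {
        "max_age": seconds,
        "include_subdomains": "includesubdomains" in directives,
        "active": seconds > 0,  # max-age=0 tells the browser to forget the policy
    }


if __name__ == "__main__":
    # Constructed sample responses: (header values, delivered over HTTPS?)
    samples = [
        (["max-age=31536000; includeSubDomains"], True),
        (["max-age=31536000"], False),
        (["max-age=0"], True),
        (["max-age=100; max-age=200"], True),
        (["includeSubDomains"], True),
    ]
    for values, https in samples:
        print(values, "https" if https else "http", "->", parse_hsts(values, https))
```

A result of `None`, or one with `active` set to `False`, means the site sends the header but visitors get no HSTS enforcement.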
Certification Authority Authorization (CAA)
The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain. CAA Resource Records allow a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue.
Sites that support Certification Authority Authorization (RFC 6844): 11,885 (8.7% of sites surveyed; +81 since previous month)

Cipher Strength
When it comes to data transfer, cipher strength is the measure of the security of the communication channel. Ciphers weaker than 128 bits are insecure and must not be used.
Sites that support weak or insecure cipher suites: 1,011 (0.7%); change since previous month: -0.1%

Protocol Support
There are six protocols in the SSL/TLS family, but not all of them are secure. The best practice is to use TLS v1.2 as your minimum protocol and to enable TLS v1.3 if your server platform supports it. That way, the clients that support newer protocols will select them, and those that don't will fall back to TLS v1.2. You must not use SSL v2.0 and SSL v3.0, because they are insecure. Avoid the usage of TLS v1.0 and TLS v1.1.
[Chart: protocol support by version; SSL v2.0, SSL v3.0, TLS v1.0, TLS v1.1, TLS v1.2, TLS v1.3; axis 0% to 100%]

Key Exchange Strength
This chart shows the weakest key exchange supported by the servers we monitor. Values of 512 bits are typically observed on servers that support insecure export suites; 768 on some servers that use weak DH parameters; 1024 bits is very common and also usually comes from weak DH parameters. At this time, 2048 bits is the minimum expected strength.
[Chart: weakest key exchange strength in bits; 0, 512, 768, 1024, 2048, 3072; axis 0% to 80%]

Renegotiation Support
In 2009, the renegotiation feature of SSL was found to be insecure. A successful exploitation of this issue may allow the attacker to impersonate victims and extract confidential data. Most vendors have issued patches by now or, at the very least, provided workarounds for the problem.
Secure renegotiation: 135,645 (99.1%)
Insecure renegotiation: 106 (0.1%)
Both: 56 (< 0.1%)
No support: 1,061 (0.8%)
Changes since previous month: +0.0%, +0.0%, +0.0%, +0.0%

Extended Validation Certificates
Extended Validation (EV) certificates are high-assurance certificates that rely on manual identity validation to establish links between web sites and the organizations behind them.
Sites that have an Extended Validation certificate: 8,345 (6.1%); change since previous month: -0.1%

HTTP/2
HTTP/2 is the second generation of the HTTP protocol, which powers the World Wide Web. This protocol has its origins in the earlier experimental SPDY protocol, originally developed by Google.
Sites that support the HTTP/2 protocol: 74,469 (54.4%); change since previous month: +0.4%

Forward Secrecy
Forward Secrecy is a protocol feature that protects each connection individually. It is designed so that it is impossible to compromise connection security by compromising the server private key.
Not supported: 1,268 (0.9%)
Some FS suites enabled: 14,849 (10.8%)
Used with modern browsers: 27,962 (20.4%)
Used with most browsers: 92,789 (67.8%)
Changes since previous month: +0.0%, -0.2%, -0.3%, +0.4%

Best Protocol Support
There are six protocols in the SSL/TLS family, but not all of them are secure. The best practice is to use TLS v1.2 as your minimum protocol and to enable TLS v1.3 if your server platform supports it. That way, the clients that support newer protocols will select them, and those that don't will fall back to TLS v1.2. You must not use SSL v2.0 and SSL v3.0, because they are insecure. Avoid the usage of TLS v1.0 and TLS v1.1.
[Chart: best protocol supported; SSL v2.0, SSL v3.0, TLS v1.0, TLS v1.1, TLS v1.2, TLS v1.3; axis 0% to 100%]

Key Strength Distribution
Key strength is the foundation of SSL security. Sites with weak keys cannot provide robust security, even when everything else is well configured. At minimum, web sites should use 2048-bit RSA keys or 256-bit ECDSA keys. This chart shows both RSA and ECDSA keys, but the strength of the latter is converted to their RSA equivalent to make the comparison possible. For example, 256-bit ECDSA keys have strength equivalent to that of 3072-bit RSA keys.
Below 2048 bits: 0 (0.0%)
2048 bits: 117,952 (86.2%)
3072 bits: 9,084 (6.6%)
4096 bits: 9,384 (6.9%)
Changes since previous month: +0.0%, -0.1%, +0.1%, +0.0%

BEAST Attack
The BEAST attack is a practical attack based on a protocol vulnerability that was discovered in 2004. A successful exploitation of this issue will result in a disclosure of victim's session cookies, allowing the attacker to completely hijack the application session. It is no longer considered a threat because modern browsers ship with mitigations that prevent the attack. The BEAST Attack is no longer considered a valid threat for users of modern browsers, and will no longer be tracked on the SSL Pulse report going forward.

SPDY
Sites that support the SPDY protocol: 1,497 (1.1%); change since previous month: +0.0%

RC4
RC4 is a very widely used cipher suite. Before 2013, we knew of some RC4 weaknesses, but it was thought that they did not affect SSL. With new research published in early 2013, we now know that RC4 is weak and should not be used.
Not supported: 126,940 (92.7%)
Some RC4 suites enabled: 9,291 (6.8%)
Used with modern browsers: 637 (0.5%)
Changes since previous month: +0.1%, -0.2%, +0.0%

Certificate Signature Algorithms
The strength of a certificate signature depends on the strength of the hashing function used to produce it. Most certificates use SHA1 for hashing, but this function is known to be weak. It is advisable to use signatures that use SHA256 for hashing.
SHA512: 161 (0.1%)
SHA384: 1,102 (0.8%)
SHA256: 135,441 (99.0%)
SHA1: 0 (0.0%)
Changes since previous month: +0.0%, +0.0%, +0.0%, +0.0%

OpenSSL AES-NI Vulnerability (CVE-2016-2107)
A vulnerability in OpenSSL 1.0.1 versions (before 1.0.1t) and 1.0.2 versions (before 1.0.2h). This vulnerability can be exploited by a MITM attacker using a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI.
Not vulnerable: 134,817 (98.5%)
Vulnerable: 864 (0.6%)
Unknown: 1,187 (0.9%)
Changes since previous month: +0.0%, -0.1%, +0.0%

ROBOT
Return Of Bleichenbacher's Oracle Threat (ROBOT) is an attack model based on Daniel Bleichenbacher's chosen-ciphertext attack. Researchers have been able to exploit the same vulnerability with small variations to the Bleichenbacher attack.
Not vulnerable: 136,555 (99.8%)
Vulnerable, strong oracle: 188 (0.1%)
Vulnerable, weak oracle: 119 (0.1%)
Unknown: 6 (< 0.1%)
Changes since previous month: +0.0%, +0.0%, +0.0%, +0.0%

OpenSSL CCS Vulnerability (CVE-2014-0224)
A vulnerability in OpenSSL 1.0.1 (all releases) allows a MITM attacker to attack connections with clients who also use OpenSSL (all versions). A successful attack downgrades the connection and gives the attacker full access to the traffic.
Not vulnerable: 134,762 (98.5%)
Vulnerable and exploitable: 117 (0.1%)
Vulnerable, not exploitable: 286 (0.2%)
Unknown: 1,703 (1.2%)
Changes since previous month: +0.1%, +0.0%, +0.0%, -0.1%

DROWN Attack
The DROWN attack is a cross-protocol security bug that attacks servers with modern TLS protocol suites by using their support for the insecure SSL v2 protocol. It also applies in cases where the servers don't support SSL v2 but share the same RSA key/hostname with a server that does. To mitigate this attack, disable SSLv2 on all servers you have.
Not vulnerable: 135,299 (98.9%)
Vulnerable: 793 (0.6%)
Unknown: 776 (0.6%)
Changes since previous month: +0.0%, +0.0%, +0.1%

Heartbleed
Heartbleed is a vulnerability in the widely deployed OpenSSL library. It is very easy to exploit and allows the attacker to retrieve sensitive server data in just a few HTTP requests. The sensitive data could be anything that's in process memory, including passwords, session data, and server private key.
Sites vulnerable to the Heartbleed bug: 35 (0.0% of sites surveyed; +1 since previous month)

Sites that require RC4
RC4 is a very widely used cipher suite. Before 2013, we knew of some RC4 weaknesses, but it was thought that they did not affect SSL. With new research published in early 2013, we now know that RC4 is weak and should not be used.
Sites that support only RC4 cipher suites: 1 (0.0% of sites surveyed; +0 since previous month)

Zombie POODLE
The Zombie POODLE attack affects some TLS CBC implementations that don't have proper padding checks. The end result is that an active network attacker can relatively easily uncover small fragments of encrypted data (e.g., cookies).
Not vulnerable: 127,990 (93.5%)
Vulnerable and Exploitable: 313 (0.2%)
Vulnerable: 39 (< 0.1%)
Unknown: 8,526 (6.2%)
Changes since previous month: -0.2%, +0.0%, +0.0%, +0.1%

0-Length Padding Oracle
Zero Length Padding Oracle Vulnerability (CVE-2019-1559): A vulnerability in OpenSSL 1.0.2 versions (from 1.0.2 to 1.0.2q). When a 0-byte record is received with invalid padding, OpenSSL behaves differently in a way that is detectable to the remote peer; this amounts to a padding oracle that could be used to decrypt data.
Not vulnerable: 127,860 (93.4%)
Vulnerable and Exploitable: 83 (0.1%)
Vulnerable: 399 (0.3%)
Unknown: 8,526 (6.2%)
Changes since previous month: -0.1%, +0.0%, +0.0%, +0.1%

POODLE TLS
The POODLE attack affects even some TLS implementations that don't have proper padding checks after decryption. The end result is that an active network attacker can relatively easily uncover small fragments of encrypted data (e.g., cookies).
Not vulnerable: 136,570 (99.8%)
Vulnerable and exploitable: 118 (0.1%)
Unknown: 180 (0.1%)
Changes since previous month: +0.0%, +0.0%, +0.0%

OCSP Stapling
OCSP stapling is a performance optimization feature that enables web servers to embed certificate freshness proof in the TLS handshake itself. Clients that connect to servers that support this feature don't need to contact the issuing CA to double-check certificate validity.
Sites that support OCSP stapling: 55,910 (40.8%); change since previous month: +0.1%

GOLDENDOODLE
GOLDENDOODLE is the name given for exploiting modern TLS stacks using the classic CBC padding oracle technique described by Serge Vaudenay in 2002. The difference between GOLDENDOODLE and Zombie POODLE or POODLE TLS is performance, i.e. GOLDENDOODLE is faster to exploit.
Not vulnerable: 128,263 (93.7%)
Vulnerable and Exploitable: 72 (0.1%)
Vulnerable: 7 (< 0.1%)
Unknown: 8,526 (6.2%)
Changes since previous month: -0.2%, +0.0%, +0.0%, +0.1%

Sleeping POODLE
This vulnerability is similar to POODLE TLS; the only difference is that in POODLE TLS padding was checked on the Application Record, whereas for Sleeping POODLE padding is checked on the Finished message. No article/advisory on this vulnerability is published yet.
Not vulnerable: 128,215 (93.7%)
Vulnerable and Exploitable: 127 (0.1%)
Vulnerable: 0 (0.0%)
Unknown: 8,526 (6.2%)
Changes since previous month: -0.1%, +0.0%, +0.0%, +0.1%

Protocol Downgrade Defense
Servers that support a special signalling suite called TLS_FALLBACK_SCSV can detect protocol downgrade attacks when accessed by clients that also support this feature.
Supported: 98,993 (72.3%)
Not Supported: 9,577 (7.0%)
Unknown: 28,298 (20.7%)
Changes since previous month: -0.2%, -0.1%, +0.2%

TLS Compression / CRIME
Sites that support TLS compression. These sites are vulnerable to the CRIME attack.
Sites that support TLS compression: 173 (0.1%); change since previous month: +0.0%

Comparisons are made against the previous month's data. Copyright © 2009-2021 Qualys, Inc. All Rights Reserved.