Re: [Uta] E-Mail Protocol Security Measurements

2015-07-27 18:17:10
On Mon, Jul 27, 2015 at 03:17:52PM +0200, Aaron Zauner wrote:

https://www.ietf.org/proceedings/93/slides/slides-93-saag-2.pdf

 * RC4 support is at about 83-85%
 * unsurprisingly TLS 1.0 is most widely supported
 * ~60% of certificates are self-signed
 * a huge number of servers offer AUTH PLAIN (some without STARTTLS)
 * ECDH: most use 256-bit group size

No surprises in the above.

 * 512-bit DH(E) primes are very common

With export ciphers, or with non-export ciphers?  I would expect
non-export ciphersuites to be accompanied by stronger DHE primes,
with 512-bit DHE primarily used with export ciphers.  Do you have
a break-down?

 * RC2-CBC-MD5 is supported by 40% of SMTP servers we've studied,

This looks implausible; I've not seen it once in SMTP connection
logs.  Slide 8 even mentions this as "preferred" by ~25% of servers.
Preferred to what?

This is an SSL 2.0 ciphersuite, and OpenSSL will never choose it
unless the selected protocol is SSL 2.0.  And indeed it is by
default the most preferred ciphersuite if you force SSL 2.0.

But SSLv2-only servers are VERY rare (at least for SMTP); the above
datapoint is at least misleading.

 * IDEA-CBC-MD5 by 14%

This is also SSLv2 only.

-- 
        Viktor.
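An added example, not part of the thread or of the slide deck's methodology: given scan records that carry the negotiated protocol alongside the ciphersuite, it produces the break-down asked for above (512-bit DHE split by export vs. non-export suites) and counts SSLv2-only suites such as RC2-CBC-MD5 only for hosts where SSLv2 was actually negotiated. The records and host names are constructed; the suite-name conventions assumed are OpenSSL's (EXP- prefix for export suites, EDH-/DHE- for finite-field DHE).

```python
from collections import Counter, defaultdict

# Constructed scan records (not real measurement data): one row per accepted
# handshake, with negotiated protocol, OpenSSL ciphersuite name and, for DHE
# suites, the server's DH prime size in bits (0 when not applicable).
SCAN = [
    {"host": "mx1", "proto": "TLSv1", "cipher": "EXP-EDH-RSA-DES-CBC-SHA", "dh_bits": 512},
    {"host": "mx1", "proto": "TLSv1", "cipher": "DHE-RSA-AES128-SHA", "dh_bits": 1024},
    # Row of the kind that inflates an "RC2-CBC-MD5 supported" figure: the suite
    # is listed although SSLv2 was not negotiated, which OpenSSL never does.
    {"host": "mx1", "proto": "TLSv1", "cipher": "RC2-CBC-MD5", "dh_bits": 0},
    {"host": "mx2", "proto": "SSLv2", "cipher": "RC2-CBC-MD5", "dh_bits": 0},
    {"host": "mx2", "proto": "SSLv2", "cipher": "IDEA-CBC-MD5", "dh_bits": 0},
    {"host": "mx3", "proto": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256", "dh_bits": 0},
    {"host": "mx3", "proto": "TLSv1.2", "cipher": "DHE-RSA-AES256-SHA", "dh_bits": 2048},
    # Non-export suite with a 512-bit prime: the case worth flagging separately.
    {"host": "mx4", "proto": "TLSv1", "cipher": "EDH-RSA-DES-CBC3-SHA", "dh_bits": 512},
]

# SSLv2-only suites named in the thread (extend with other SSLv2 suite names as needed).
SSLV2_ONLY = {"RC2-CBC-MD5", "IDEA-CBC-MD5"}


def is_dhe(cipher):
    """Finite-field DHE suite in OpenSSL naming (EDH-/DHE-), excluding ECDHE."""
    return "EDH-" in cipher or ("DHE-" in cipher and not cipher.startswith("ECDHE"))


def dhe_prime_breakdown(records):
    """Count DHE handshakes by (export/non-export, prime bits)."""
    counts = Counter()
    for r in records:
        if is_dhe(r["cipher"]):
            kind = "export" if r["cipher"].startswith("EXP-") else "non-export"
            counts[(kind, r["dh_bits"])] += 1
    return dict(counts)


def sslv2_suite_support(records):
    """Per SSLv2-only suite: hosts naming it at all vs. hosts that negotiated SSLv2."""
    any_hosts, sslv2_hosts = defaultdict(set), defaultdict(set)
    for r in records:
        if r["cipher"] in SSLV2_ONLY:
            any_hosts[r["cipher"]].add(r["host"])
            if r["proto"] == "SSLv2":
                sslv2_hosts[r["cipher"]].add(r["host"])
    return {c: {"any_record": len(any_hosts[c]), "sslv2_negotiated": len(sslv2_hosts[c])}
            for c in any_hosts}


if __name__ == "__main__":
    print(dhe_prime_breakdown(SCAN))
    print(sslv2_suite_support(SCAN))
```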