Transport layer security has had a rough ride recently, with a number of vulnerabilities being reported. At a time when trust is required between you and the site you are interacting with, it’s key that website owners configure their sites to be as secure as possible.
With that in mind, I decided to analyse HTTP security headers from the top 10k Alexa websites, and look at what SSL ciphers were being used on those websites.
These results are from a scan performed against port 443 for all domains listed above. Only 4715 servers replied.
Note: The OpenSSL version installed on my server did not support SSLv2, so SSLv2 ciphers have not been detected.
Here are the results:
It’s clear that overall cipher choice for the top 10,000 websites is poor and that many weak ciphers are present. At a time when customers are more savvy about personal security when using the Internet, site owners should do more to ensure the connection between the client and the server is as secure as it can be.
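For site owners who want to audit their own server the same way, here is an added example (not the script used for this scan) that offers one cipher at a time and tallies weak results. The weak-cipher token list, the function names and the sample data are assumptions of this example, and `probe` returns "untestable" when the local OpenSSL cannot offer a cipher, which is the same limitation as the SSLv2 note above.

```python
import socket
import ssl
from collections import Counter

# Tokens in OpenSSL cipher names treated as weak (this example's own policy).
WEAK_TOKENS = {"NULL": "no encryption", "EXP": "export-grade", "RC4": "RC4",
               "RC2": "RC2", "DES": "DES/3DES", "MD5": "MD5 MAC",
               "ADH": "anonymous DH", "AECDH": "anonymous ECDH"}

def weaknesses(cipher_name):
    """Return the reasons an OpenSSL cipher name counts as weak ([] if none)."""
    tokens = set(cipher_name.split("-"))
    return [why for tok, why in WEAK_TOKENS.items() if tok in tokens]

def probe(host, cipher, port=443, timeout=5.0):
    """Offer a single cipher to host:port and report how the handshake went."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # inspecting ciphers, not server identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() skips TLS 1.3 suites
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return "untestable"         # local OpenSSL cannot offer it: nothing learned
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
    except ssl.SSLError:
        return "rejected"
    except OSError:
        return "unreachable"

def tally(scan):
    """scan maps host -> accepted cipher names; count hosts per weakness."""
    counts = Counter()
    for ciphers in scan.values():
        counts.update({why for c in ciphers for why in weaknesses(c)})
    return counts

# Constructed sample results (not data from the scan described above).
SAMPLE = {
    "a.example": ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"],
    "b.example": ["EXP-RC4-MD5", "DES-CBC3-SHA"],
    "c.example": ["ECDHE-RSA-AES256-GCM-SHA384"],
}

if __name__ == "__main__":
    for why, n in tally(SAMPLE).most_common():
        print(f"{n} host(s): {why}")
```

An "untestable" result should be reported separately from "rejected", since it says nothing about the server.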