[tech] [spec] TLS statistics
nervuri
nervuri at disroot.org
Wed Dec 30 18:56:32 GMT 2020
Hi,
I recently gathered TLS-related statistics on Gemini servers, using a few shell scripts and OpenSSL. You'll find everything here:
https://gitlab.com/nervuri/gemini-stats
Among other things, the repo contains:
* data/certs/ - all certificates for servers listed by GUS
* data/ip/ip-hosts - ip & hostname pairs compatible with the OS's hosts file
* cipher-suites.md - stats on TLSv1.2 cipher suites supported by Gemini servers
Highlights:
* 422 hosts total
* 394 hosts functional
* 258 hosts remaining after eliminating subdomains with identical TLS configs (flounder.online has 107)
* 2 IPv6-only hosts
* all hosts support TLSv1.2
* 151 (59%) support TLSv1.3
* 107 (41%) do not support TLSv1.3
* 40 support TLSv1.1
* 39 support TLSv1.0
* 66 certs are signed by Let's Encrypt
* 35 pass OpenSSL validation
* 359 fail OpenSSL validation (not signed by a trusted CA, expired, etc.)
* 347 serve a single cert
* 47 also serve an intermediate cert
## Public Key Algorithm
* 1 : ED25519
* 180 : ECDSA ( including flounder.online - 107 hosts )
* 213 : RSA
## Key size
* 1 : ED25519 Public-Key: (256 bit)
* 164 : ECDSA Public-Key: (256 bit) ( including flounder.online - 107 hosts )
* 15 : ECDSA Public-Key: (384 bit)
* 1 : ECDSA Public-Key: (521 bit)
* 1 : RSA Public-Key: (1024 bit)
* 102 : RSA Public-Key: (2048 bit)
* 110 : RSA Public-Key: (4096 bit)
## Expiration
### Not Before
* 1 : Not Before 1975
* 6 : Not Before 2019
* 387 : Not Before 2020 ( including flounder.online - 107 hosts )
### Not After
* 1 : Not After 2018
* 2 : Not After 2019
* 30 : Not After 2020
* 247 : Not After 2021 ( including flounder.online - 107 hosts )
* 2 : Not After 2022
* 6 : Not After 2023
* 2 : Not After 2024
* 56 : Not After 2025
* 1 : ...
* 38 : Not After 2030
* 6 : ...
* 3 : Not After 9999
-------------
These are the stats I find most interesting, but check the repo for more details. Let me know if I messed up somewhere.
I was especially interested in TLS 1.3 support. From the spec it seems like you're looking forward to getting rid of TLS 1.2, but is there a plan for that? Currently over 100 servers do not support 1.3.
> Hopefully TLS 1.3 or higher can be specced in the near future. Clients who wish to be "ahead of the curve MAY refuse to connect to servers using TLS version 1.2 or lower.
As far as I know, with TLSv1.2 client certs are sent in the clear, revealing login information to the ISP (and whoever else is looking). In this respect, when used with TLS 1.2, client certs are worse than cookies. Also, 1.2 isn't compatible with encrypted SNI. So I hope it will be phased out soon, if possible. Let me know your thoughts.
Cheers!
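
The following is an added example, not part of the original post and not taken from the gemini-stats repo: a sketch of how key-size and expiry tallies in the "N : label" style above can be produced from `openssl x509 -noout -text` dumps, with a check for RSA keys below 2048 bits. The function names, the one-certificate-per-`.pem`-file layout and the sample dumps are assumptions made for illustration.

```shell
#!/bin/sh
# summarize: read ONE certificate dump on stdin, print "ALG BITS NOT_AFTER_YEAR".
# The algorithm comes from the "Public Key Algorithm:" line because the label
# in front of "Public-Key:" differs between OpenSSL versions.
summarize() {
    awk '
        /Public Key Algorithm:/ && alg == "" { alg = $NF }
        /Public-Key: \(/ && bits == ""       { bits = $0; sub(/.*\(/, "", bits); sub(/ bit.*/, "", bits) }
        /Not After :/ && year == ""          { year = $(NF - 1) }
        END {
            if (alg == "rsaEncryption")  alg = "RSA"
            if (alg == "id-ecPublicKey") alg = "ECDSA"
            if (alg == "ED25519") bits = 256   # dump carries no bit count
            print alg, bits, year
        }'
}

# tally: read summarize lines on stdin, print counts as "N : label".
tally() {
    awk '{ n[$1 " Public-Key: (" $2 " bit)"]++; n["Not After " $3]++ }
         END { for (k in n) print n[k], ":", k }' | sort -t: -k2
}

# weak_rsa [MIN]: print summarize lines whose RSA key is below MIN bits (default 2048).
weak_rsa() {
    awk -v min="${1:-2048}" '$1 == "RSA" && $2 + 0 < min'
}

# scan_dir DIR: summarize every *.pem in DIR (assumed layout: one cert per file).
scan_dir() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        openssl x509 -in "$f" -noout -text | summarize
    done
}

# Constructed sample dumps, trimmed to the lines the parser reads; not real hosts.
sample_rsa() { printf '%s\n' \
    '            Not After : Jan  1 00:00:00 2021 GMT' \
    '            Public Key Algorithm: rsaEncryption' \
    '                RSA Public-Key: (1024 bit)'; }
sample_ec() { printf '%s\n' \
    '            Not After : Jun 30 12:00:00 2025 GMT' \
    '            Public Key Algorithm: id-ecPublicKey' \
    '                Public-Key: (256 bit)'; }

{ sample_rsa | summarize; sample_ec | summarize; sample_ec | summarize; } | tally
```

On a directory of saved certificates, `scan_dir DIR | tally` gives the counts and `scan_dir DIR | weak_rsa` lists the undersized RSA keys.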