Distribution of Cryptographic Protocols in Universities' Servers

SSL leverages the Public Key Infrastructure (PKI) to bind the public cryptographic keys present in X.509 certificates to the identity of the communicating entities. Its final version, SSL 3.0, was publicly released by the Internet Engineering Task Force (IETF) in 1996, but it was deprecated in June 2015 because of its insufficient security guarantees. The IETF released a standard protocol called Transport Layer Security (TLS) in 1999 to overcome many of the security problems present in SSL 3.0. (A more detailed description of these protocols can be found here.)

The chart below shows the universities we studied and the percentage of each SSL/TLS protocol version supported on their web servers. For example, Duke University accounts for 21.5% of all the records in our data. Further, the Duke University servers that support TLS1 make up 7.03% of our data.


TLS version breakdown for each university

The following chart specifies the SSL/TLS protocol breakdown for each of the universities we measured.

Ciphersuites

A ciphersuite is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings of a TLS connection. Key exchange algorithms create the shared keys for the encryption stage. Encryption algorithms encrypt the messages exchanged between clients and servers. Message authentication algorithms generate the message hashes and signatures that ensure the integrity of a message. Some of these ciphersuites have proven to be weak, according to this link: "Weak ciphers such as DES and RC4 should be disabled. Using current technology, DES can be broken in a few hours while RC4 has been found to be weaker than previously thought". We present a breakdown of the top 5 ciphersuites supported by the different versions of SSL/TLS. An interesting finding is that, although DES is proven to be weak, it is still among the top 3 ciphersuites used in TLS1. Furthermore, the first SHA1 collision has recently been reported (link). The ciphersuite names that OpenSSL uses are mapped to the RFC names in the following link.
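The breakdown described above can be reproduced from raw scan records with a small parser for OpenSSL-style ciphersuite names (the pre-TLS 1.3 naming). This is an added example, not the study's own code; the function names and the sample records are constructed for illustration, and only the name patterns listed in the tables are handled.

```python
from collections import Counter, defaultdict

KEY_EXCHANGE = {"ECDHE", "DHE", "EDH", "ECDH", "DH", "ADH", "AECDH"}
AUTHENTICATION = {"RSA", "ECDSA", "DSS"}
DIGESTS = {"MD5", "SHA", "SHA256", "SHA384"}  # OpenSSL writes SHA-1 as "SHA"
# Longest prefix first, so DES-CBC3 (triple DES) is not mistaken for single DES.
FAMILIES = ("DES-CBC3", "DES", "RC4", "AES", "CAMELLIA", "SEED", "IDEA")
WEAK_FAMILIES = {"DES", "RC4"}  # the two ciphers named in the quoted guidance


def parse_suite(name):
    """Split an OpenSSL-style name into key exchange, auth, cipher and digest."""
    parts = name.split("-")
    digest = parts.pop() if parts[-1] in DIGESTS else None
    kx = auth = "RSA"  # OpenSSL omits both fields for plain RSA key transport
    if parts[0] in KEY_EXCHANGE:
        kx = parts.pop(0)
        # Anonymous suites such as ADH-... carry no authentication field.
        auth = parts.pop(0) if parts[0] in AUTHENTICATION else "none"
    cipher = "-".join(parts)
    family = next((f for f in FAMILIES if cipher.startswith(f)), cipher)
    return {"kx": kx, "auth": auth, "cipher": cipher, "family": family,
            "digest": digest, "weak": family in WEAK_FAMILIES}


def summarize(records, top=5):
    """Per protocol: the most common suites and the share that use DES or RC4."""
    by_proto = defaultdict(Counter)
    for proto, suite in records:
        by_proto[proto][suite] += 1
    report = {}
    for proto, counts in by_proto.items():
        total = sum(counts.values())
        weak = sum(n for s, n in counts.items() if parse_suite(s)["weak"])
        report[proto] = {"top": counts.most_common(top), "weak_share": weak / total}
    return report


# Constructed (protocol, suite) observations; these are not the study's data.
SAMPLE = [
    ("TLS1", "AES256-SHA"), ("TLS1", "DES-CBC-SHA"),
    ("TLS1", "RC4-SHA"), ("TLS1", "AES256-SHA"),
    ("TLS1_2", "ECDHE-RSA-AES256-GCM-SHA384"), ("TLS1_2", "RC4-MD5"),
    ("TLS1_2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLS1_2", "ECDHE-RSA-AES256-GCM-SHA384"),
]

if __name__ == "__main__":
    for proto, info in summarize(SAMPLE).items():
        print(proto, f"weak share {info['weak_share']:.0%}", info["top"])
```

Triple DES (`DES-CBC3`) is reported as its own family rather than counted as weak, because the guidance quoted above names only DES and RC4.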

TLS1 Ciphersuites popularity distribution

Top 5 TLS1 Ciphersuites

TLS1_1 Ciphersuites popularity distribution

Top 5 TLS1_1 Ciphersuites

TLS1_2 Ciphersuites popularity distribution

Top 5 TLS1_2 Ciphersuites

SSL3 Ciphersuites popularity distribution

Top 5 SSL3 Ciphersuites