Cryptographic Strength of SSL/TLS Servers:
Current and Recent Practices
Homin K. Lee, Tal Malkin, and Erich Nahum.
The Secure Socket Layer (SSL) and its variant, Transport Layer
Security (TLS), are used toward ensuring server security.
In this paper, we characterize the cryptographic strength of public servers
running SSL/TLS. We present a tool developed for this purpose, the Probing
SSL Security Tool (PSST), and evaluate over 19,000 servers.
We expose the great diversity in the levels of cryptographic strength that
is supported on the Internet.
Some of our discouraging results show that most sites still support the
insecure SSL 2.0, weak export-level grades of encryption ciphers, or
weak RSA key strengths.
We also observe encouraging behavior such as sensible default choices
by servers when presented with multiple options, the quick adoption of
AES (more than half the servers support strong key AES as their
default choice), and the use of strong RSA key sizes of 1024 bits and
Comparing results of running our tool over the last two years points
to a positive trend that is moving in the right direction, though
perhaps not as quickly as it should.