Weak ciphers used to be commonplace, due to US export restrictions on strong cryptography. In January 2000, Netcraft found that more than 40% of sites outside of the US were offering only weak encryption ciphers. Since then, however, this has become rare: on the one hand, relaxed export regulations mean that new products can include strong ciphers by default, while on the other, practical attacks against the weaker ciphers mean that they have been considered unsafe for many years. Out of the 20,000 top SSL sites, Netcraft’s SSL survey found fewer than 40 (0.2%) which could only negotiate a weak cipher (here defined as one with a key length of less than 128 bits). Again, this was consistent across the whole survey, with only around 0.2% of all valid SSL sites negotiating a weak cipher.
Netcraft’s SSL survey has been running since 1996. It tracks the growing use of secure web servers on the Internet, and the server software, operating systems and certificates that are used. Single-user and company subscriptions are available, and custom datasets can be produced on request.