Ivan Ristić has put together a fantastic survey of the state of SSL/TLS on the web. Some highlights include:
- 50% of the root CAs in Firefox appear to be unused.
- 44% of sites send unneeded certificates in their chains.
- 99% of sites work with only 23 roots.
- Only 3 DSA keys were found across all valid sites.
- 50% of servers still support SSLv2.
- Almost nobody uses TLS 1.1 or 1.2.
- Only 12 sites support STS :(
- 20.5% support the renegotiation extension.
- (32% support insecure renegotiation.)