Various reports of all servers tested
Report for december 2013 |
Results of the last day |
Results of the last week |
Results of the last month
TLS versions 30 results
| SSL 2 |
0 0% |
| SSL 3 |
1 3.3% |
| TLS 1.0 |
18 60% |
| TLS 1.1 |
18 60% |
| TLS 1.2 |
30 100% |
Grades 30 results
| A |
25 83.3% |
| B |
4 13.3% |
| C |
1 3.3% |
| D |
0 0% |
| E |
0 0% |
| F |
0 0% |
Does not penalize untrusted certificates.
RSA key sizes for domain certificates
| RSA key size |
Count |
| 2048 |
15 51.7% |
| 4096 |
14 48.3% |
StartTLS
| Type |
Client to server |
Server to server |
| Required |
16 76.2% |
7 77.8% |
| Allowed |
5 23.8% |
2 22.2% |
Trust
To do authenticated encryption, a certificate needs to be both trusted and valid. Trusted means it is issued by a well-known CA and valid means it is valid for the domain we want to connect to.
|
Trusted |
Untrusted |
| Valid |
0% |
6 19.4% |
| Invalid |
24 77.4% |
1 3.2% |
SASL mechanisms 21 results
| Mechanism |
# times offered before TLS |
# times offered after TLS |
| PLAIN |
5 23.8% |
21 100% |
| SCRAM-SHA-1 |
4 19% |
19 90.5% |
| SCRAM-SHA-1-PLUS |
0 0% |
8 38.1% |
| DIGEST-MD5 |
4 19% |
7 33.3% |
| X-OAUTH2 |
1 4.8% |
4 19% |
| CRAM-MD5 |
3 14.3% |
3 14.3% |
| SCRAM-SHA-256-PLUS |
0 0% |
1 4.8% |
| SCRAM-SHA-384 |
0 0% |
1 4.8% |
| SCRAM-SHA-384-PLUS |
0 0% |
1 4.8% |
| SCRAM-SHA-512 |
0 0% |
1 4.8% |
| SCRAM-SHA-512-PLUS |
0 0% |
1 4.8% |
| SCRAM-SHA-256 |
0 0% |
1 4.8% |
Servers supporting SSL 3, but not TLS 1.0 0 results
SSL 3 and TLS 1.0 are very similar, but TLS 1.0 has some small improvements. This table is meant to help judge whether SSL 3 can be disabled by listing the servers that do support SSL 3, but not TLS 1.0.
Servers supporting SSL 2 0 results
SSL 2 is broken and insecure. It is not required for compatibility and servers should disable it.
CAs used Top 30
| Name/Organization |
SHA1 |
Count |
| Let's Encrypt Authority X3 |
E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB |
16 |
| jabber.banuareload.com |
60:89:FA:C7:76:C6:83:49:00:0F:AD:2E:E3:2B:26:5E:45:77:6E:6B |
1 |
| m4iler.cloud |
9B:4A:E0:68:70:8B:15:0D:E1:67:D7:0F:21:27:AD:48:07:EA:97:35 |
1 |
| COMODO RSA Domain Validation Secure Server CA |
33:9C:DD:57:CF:D5:B1:41:16:9B:61:5F:F3:14:28:78:2D:1D:A6:39 |
1 |
| numeritech.fr |
DF:2F:B5:AA:B3:6D:12:47:C2:31:29:51:A5:1D:27:70:D0:7C:49:15 |
1 |
| thawte SSL CA - G2 |
2E:A7:1C:36:7D:17:8C:84:3F:D2:1D:B4:FD:B6:30:BA:54:A2:0D:C5 |
1 |
| localhost |
B9:B3:E3:1F:26:CC:BF:DF:1E:78:9D:CA:61:A7:40:C5:FF:9C:E9:83 |
1 |
| germanyt366sirdc.onion |
F9:99:F2:02:D8:59:87:C2:2C:FA:26:D0:BB:A4:FE:DC:65:09:D6:54 |
1 |
| Thawte RSA CA 2018 |
4D:EE:A7:06:0D:80:BA:BF:16:43:B4:E0:F0:10:4C:82:99:50:75:B7 |
1 |
Servers using <2048-bit RSA certificates which expires after 01-01-2014 0 results
As described in the CA/Browser Forum Baseline Requirements, certificates with RSA keys with less than 2048 bits should not be issued with an notAfter date after 31-12-2013. This list lists all certificates which violate that rule.
Servers with DNSSEC signed SRV records 9 results
Servers with DNSSEC signed DANE records 0 results
Servers with a hidden service 1 results
Servers not offering encryption 0 results
Servers sharing private keys 0 results