Various reports of all servers tested

Report for december 2013 | Results of the last day | Results of the last week | Results of the last month

TLS versions 20 results

SSL 2	0 0%
SSL 3	0 0%
TLS 1.0	8 40%
TLS 1.1	10 50%
TLS 1.2	20 100%

Grades 20 results

A	18 90%
B	2 10%
C	0 0%
D	0 0%
E	0 0%
F	0 0%

Does not penalize untrusted certificates.

RSA key sizes for domain certificates

RSA key size	Count
2048	5 23.8%
4096	16 76.2%

StartTLS

Type	Client to server	Server to server
Required	11 84.6%	4 57.1%
Allowed	2 15.4%	3 42.9%

Trust

To do authenticated encryption, a certificate needs to be both trusted and valid. Trusted means it is issued by a well-known CA and valid means it is valid for the domain we want to connect to.

	Trusted	Untrusted
Valid	19 86.4%	1 4.5%
Invalid	1 4.5%	1 4.5%

SASL mechanisms 13 results

Mechanism	# times offered before TLS	# times offered after TLS
PLAIN	2 15.4%	12 92.3%
SCRAM-SHA-1	2 15.4%	10 76.9%
SCRAM-SHA-1-PLUS	0 0%	6 46.2%
DIGEST-MD5	1 7.7%	2 15.4%
SCRAM-SHA-256	0 0%	1 7.7%
SCRAM-SHA-256-PLUS	0 0%	1 7.7%
SCRAM-SHA-512	0 0%	1 7.7%
SCRAM-SHA-512-PLUS	0 0%	1 7.7%
ANONYMOUS	1 7.7%	1 7.7%
X-OAUTH2	0 0%	1 7.7%
CISCO-VTG-TOKEN	0 0%	1 7.7%
CRAM-MD5	1 7.7%	1 7.7%
OAUTHBEARER	0 0%	1 7.7%

Servers supporting SSL 3, but not TLS 1.0 0 results

SSL 3 and TLS 1.0 are very similar, but TLS 1.0 has some small improvements. This table is meant to help judge whether SSL 3 can be disabled by listing the servers that do support SSL 3, but not TLS 1.0.

Target	Type	When

Servers supporting SSL 2 0 results

SSL 2 is broken and insecure. It is not required for compatibility and servers should disable it.

Target	Type	When

CAs used Top 30

Name/Organization	SHA1	Count
Let's Encrypt Authority X3	E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB	7
Go Daddy Secure Certificate Authority - G2	27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8	3
Sectigo RSA Domain Validation Secure Server CA	33:E4:E8:08:07:20:4C:2B:61:82:A3:A1:4B:59:1A:CD:25:B5:F0:DB	2
RECOSNET	F5:E3:56:B8:0E:D9:BC:AE:75:32:C4:E9:C3:F2:05:EA:79:C1:2E:BE	1
(Unknown)	DC:E9:27:E6:03:E9:07:F1:71:9A:93:79:01:13:E2:F7:4E:CF:CC:E7	1
SwissSign Server Gold CA 2014 - G22	AD:F2:89:73:16:71:8B:45:25:CE:37:00:82:D9:F1:23:D4:93:8F:98	1
Starfield Secure Certificate Authority - G2	7E:DC:37:6D:CF:D4:5E:6D:DF:08:2C:16:0D:F6:AC:21:83:5B:95:D4	1

Servers using <2048-bit RSA certificates which expires after 01-01-2014 0 results

As described in the CA/Browser Forum Baseline Requirements, certificates with RSA keys with less than 2048 bits should not be issued with an notAfter date after 31-12-2013. This list lists all certificates which violate that rule.

Target	Type	When	Issuer

Servers with DNSSEC signed SRV records 6 results

Target	Type	When
5222.de	client to server	2020-10-23T09:44:13+00:00
5222.de	server to server	2020-10-23T09:49:09+00:00
cs.fau.de	client to server	2020-10-23T11:36:53+00:00
mailbox.org	client to server	2020-10-22T12:02:55+00:00
riseup.net	client to server	2020-10-22T19:40:19+00:00
thesecure.biz	client to server	2020-10-22T16:39:43+00:00

Servers with DNSSEC signed DANE records 0 results

Target	Type	When

Servers with a hidden service 0 results

Target	Type	When

Servers not offering encryption 0 results

Target	Type	When

Servers sharing private keys 3 results

Target	SHA256(SPKI)
msg-fm.mooo.com c2s	9E:E2:17:75:1E:78:4A:3A:F8:B5:79:57:F4:D5:44:04:F8:AF:2A:1C:9D:4E:ED:CA:E5:1A:0A:7F:82:51:71:A7
msg-fm.mooo.com s2s	9E:E2:17:75:1E:78:4A:3A:F8:B5:79:57:F4:D5:44:04:F8:AF:2A:1C:9D:4E:ED:CA:E5:1A:0A:7F:82:51:71:A7
xmpp.thefontenay.com c2s	9E:E2:17:75:1E:78:4A:3A:F8:B5:79:57:F4:D5:44:04:F8:AF:2A:1C:9D:4E:ED:CA:E5:1A:0A:7F:82:51:71:A7