Various reports of all servers tested

Report for december 2013 | Results of the last day | Results of the last week | Results of the last month

TLS versions 43 results

SSL 2	0 0%
SSL 3	0 0%
TLS 1.0	14 32.6%
TLS 1.1	19 44.2%
TLS 1.2	42 97.7%

Grades 43 results

A	38 88.4%
B	4 9.3%
C	1 2.3%
D	0 0%
E	0 0%
F	0 0%

Does not penalize untrusted certificates.

RSA key sizes for domain certificates

RSA key size	Count
2048	24 60%
4096	16 40%

StartTLS

Type	Client to server	Server to server
Required	26 89.7%	11 78.6%
Allowed	3 10.3%	3 21.4%

Trust

To do authenticated encryption, a certificate needs to be both trusted and valid. Trusted means it is issued by a well-known CA and valid means it is valid for the domain we want to connect to.

	Trusted	Untrusted
Valid	0%	43 93.5%
Invalid	0%	3 6.5%

SASL mechanisms 29 results

Mechanism	# times offered before TLS	# times offered after TLS
PLAIN	3 10.3%	29 100%
SCRAM-SHA-1	3 10.3%	24 82.8%
SCRAM-SHA-1-PLUS	0 0%	12 41.4%
X-OAUTH2	2 6.9%	9 31%
DIGEST-MD5	3 10.3%	4 13.8%
CRAM-MD5	1 3.4%	2 6.9%
LOGIN	0 0%	1 3.4%

Servers supporting SSL 3, but not TLS 1.0 0 results

SSL 3 and TLS 1.0 are very similar, but TLS 1.0 has some small improvements. This table is meant to help judge whether SSL 3 can be disabled by listing the servers that do support SSL 3, but not TLS 1.0.

Target	Type	When

Servers supporting SSL 2 0 results

SSL 2 is broken and insecure. It is not required for compatibility and servers should disable it.

Target	Type	When

CAs used Top 30

Name/Organization	SHA1	Count
Let's Encrypt Authority X3	E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB	28
COMODO RSA Domain Validation Secure Server CA	33:9C:DD:57:CF:D5:B1:41:16:9B:61:5F:F3:14:28:78:2D:1D:A6:39	1
AlphaSSL CA - SHA256 - G2	4C:27:43:17:17:56:5A:3A:07:F3:E6:D0:03:2C:42:58:94:9C:F9:EC	1
Sectigo RSA Domain Validation Secure Server CA	33:E4:E8:08:07:20:4C:2B:61:82:A3:A1:4B:59:1A:CD:25:B5:F0:DB	1
tfs.today	E0:C5:77:C9:7F:CF:74:F0:73:D7:B2:A5:5A:D0:B2:2D:57:21:F0:7F	1

Servers using <2048-bit RSA certificates which expires after 01-01-2014 0 results

As described in the CA/Browser Forum Baseline Requirements, certificates with RSA keys with less than 2048 bits should not be issued with an notAfter date after 31-12-2013. This list lists all certificates which violate that rule.

Target	Type	When	Issuer

Servers with DNSSEC signed SRV records 11 results

Target	Type	When
404.city	client to server	2020-06-04T17:31:46+00:00
core.radiosignal.net	client to server	2020-06-04T09:10:23+00:00
core.radiosignal.net	server to server	2020-06-04T09:29:49+00:00
diebesban.de	client to server	2020-06-04T17:25:11+00:00
dismail.de	client to server	2020-06-04T08:01:52+00:00
im.icttci.cz	client to server	2020-06-04T14:00:35+00:00
jabber.de	client to server	2020-06-04T16:42:17+00:00
mdosch.de	client to server	2020-06-04T16:58:40+00:00
mdosch.de	server to server	2020-06-04T17:17:25+00:00
skynetcloud.site	client to server	2020-06-04T07:56:01+00:00
skynetcloud.site	server to server	2020-06-04T07:56:05+00:00

Servers with DNSSEC signed DANE records 0 results

Target	Type	When

Servers with a hidden service 0 results

Target	Type	When

Servers not offering encryption 0 results

Target	Type	When

Servers sharing private keys 3 results

Target	SHA256(SPKI)
diebesban.de c2s	39:E1:A1:AD:ED:B3:01:4E:A0:8F:35:A7:83:A8:0A:6E:45:F6:CA:40:9B:C5:4A:51:2A:2F:2E:0F:32:E7:7E:84
mdosch.de c2s	39:E1:A1:AD:ED:B3:01:4E:A0:8F:35:A7:83:A8:0A:6E:45:F6:CA:40:9B:C5:4A:51:2A:2F:2E:0F:32:E7:7E:84
mdosch.de s2s	39:E1:A1:AD:ED:B3:01:4E:A0:8F:35:A7:83:A8:0A:6E:45:F6:CA:40:9B:C5:4A:51:2A:2F:2E:0F:32:E7:7E:84