Various reports of all servers tested

TLS versions 46 results

SSL 2 0 0%
SSL 3 0 0%
TLS 1.0 29 63%
TLS 1.1 34 73.9%
TLS 1.2 46 100%

Grades 46 results

A 43 93.5%
B 3 6.5%
C 0 0%
D 0 0%
E 0 0%
F 0 0%
Does not penalize untrusted certificates.

RSA key sizes for domain certificates

RSA key size Count
2048 29 63%
4096 17 37%

StartTLS

Type Client to server Server to server
Required 28 87.5% 8 57.1%
Allowed 4 12.5% 6 42.9%

Trust

To do authenticated encryption, a certificate needs to be both trusted and valid. Trusted means it is issued by a well-known CA and valid means it is valid for the domain we want to connect to.

Trusted Untrusted
Valid 0% 1 1.9%
Invalid 51 96.2% 1 1.9%

SASL mechanisms 32 results

Mechanism # times offered before TLS # times offered after TLS
PLAIN 3 9.4% 32 100%
SCRAM-SHA-1 3 9.4% 28 87.5%
SCRAM-SHA-1-PLUS 0 0% 12 37.5%
X-OAUTH2 1 3.1% 11 34.4%
DIGEST-MD5 2 6.3% 5 15.6%
SCRAM-SHA-384-PLUS 0 0% 1 3.1%
SCRAM-SHA-512 0 0% 1 3.1%
SCRAM-SHA-512-PLUS 0 0% 1 3.1%
SCRAM-SHA-256 0 0% 1 3.1%
LOGIN 0 0% 1 3.1%
CRAM-MD5 0 0% 1 3.1%
SCRAM-SHA-256-PLUS 0 0% 1 3.1%
SCRAM-SHA-384 0 0% 1 3.1%

Servers supporting SSL 3, but not TLS 1.0 0 results

SSL 3 and TLS 1.0 are very similar, but TLS 1.0 has some small improvements. This table is meant to help judge whether SSL 3 can be disabled by listing the servers that do support SSL 3, but not TLS 1.0.

Target Type When

Servers supporting SSL 2 0 results

SSL 2 is broken and insecure. It is not required for compatibility and servers should disable it.

Target Type When

CAs used Top 30

Name/Organization SHA1 Count
Let's Encrypt Authority X3 E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB 27
COMODO RSA Domain Validation Secure Server CA 33:9C:DD:57:CF:D5:B1:41:16:9B:61:5F:F3:14:28:78:2D:1D:A6:39 3
GeoTrust RSA CA 2018 7C:CC:2A:87:E3:94:9F:20:57:2B:18:48:29:80:50:5F:A9:0C:AC:3B 1
Hochschule Darmstadt F5:24:8E:32:7C:AC:50:97:75:84:8E:DC:A3:01:3F:D9:72:61:4E:B6 1
RapidSSL RSA CA 2018 98:C6:A8:DC:88:79:63:BA:3C:F9:C2:73:1C:BD:D3:F7:DE:05:AC:2D 1
AlphaSSL CA - SHA256 - G2 4C:27:43:17:17:56:5A:3A:07:F3:E6:D0:03:2C:42:58:94:9C:F9:EC 1
SwissSign Server Silver CA 2014 - G22 55:BE:46:7A:A4:4B:F0:C1:5D:4B:CB:D0:6B:DC:A2:4B:BA:94:1E:13 1
ejabberd 47:A9:72:82:4E:AF:1C:18:EB:6B:A9:FC:31:1C:DB:EC:01:1E:D1:D4 1

Servers using <2048-bit RSA certificates which expire after 01-01-2014 0 results

As described in the CA/Browser Forum Baseline Requirements, certificates with RSA keys of fewer than 2048 bits should not be issued with a notAfter date after 31-12-2013. This table lists all certificates which violate that rule.

Target Type When Issuer

Servers with DNSSEC signed SRV records 8 results

Target Type When
mailbox.org client to server
xmpp.dk client to server
kitsune.one client to server
fysh.in client to server
4ept.net client to server
jabber.at client to server
bit-ant.net client to server
lightwitch.org client to server

Servers with DNSSEC signed DANE records 0 results

Target Type When

Servers with a hidden service 0 results

Target Type When

Servers not offering encryption 0 results

Target Type When

Servers sharing private keys 0 results

Target SHA256(SPKI)