IM Observatory

Various reports of all servers tested

Report for december 2013 | Results of the last day | Results of the last week | Results of the last month

TLS versions 120 results

SSL 2 1 0.8%
SSL 3 4 3.3%
TLS 1.0 55 45.8%
TLS 1.1 53 44.2%
TLS 1.2 118 98.3%

Grades 120 results

A 106 88.3%
B 11 9.2%
C 2 1.7%
D 0 0%
E 0 0%
F 1 0.8%
Does not penalize untrusted certificates.

RSA key sizes for domain certificates

RSA key size Count
2048 64 58.2%
4096 46 41.8%

StartTLS

Type Client to server Server to server
Required 78 87.6% 21 67.7%
Allowed 11 12.4% 10 32.3%

Trust

To do authenticated encryption, a certificate needs to be both trusted and valid. Trusted means it is issued by a well-known CA and valid means it is valid for the domain we want to connect to.

Trusted Untrusted
Valid 114 82.6% 15 10.9%
Invalid 3 2.2% 6 4.3%

SASL mechanisms 89 results

Mechanism # times offered before TLS # times offered after TLS
PLAIN 13 14.6% 86 96.6%
SCRAM-SHA-1 13 14.6% 70 78.7%
SCRAM-SHA-1-PLUS 0 0% 46 51.7%
X-OAUTH2 1 1.1% 25 28.1%
DIGEST-MD5 8 9% 16 18%
CRAM-MD5 5 5.6% 6 6.7%
SCRAM-SHA-512-PLUS 0 0% 5 5.6%
SCRAM-SHA-512 0 0% 5 5.6%
SCRAM-SHA-256-PLUS 0 0% 4 4.5%
SCRAM-SHA-256 0 0% 4 4.5%
ANONYMOUS 2 2.2% 2 2.2%
JIVE-SHAREDSECRET 1 1.1% 1 1.1%
OFCHAT 1 1.1% 1 1.1%
LOGIN 0 0% 1 1.1%

Servers supporting SSL 3, but not TLS 1.0 0 results

SSL 3 and TLS 1.0 are very similar, but TLS 1.0 has some small improvements. This table is meant to help judge whether SSL 3 can be disabled by listing the servers that do support SSL 3, but not TLS 1.0.

Target Type When

Servers supporting SSL 2 1 results

SSL 2 is broken and insecure. It is not required for compatibility and servers should disable it.

Target Type When
silper.cz client to server

CAs used Top 30

Name/Organization SHA1 Count
R3 48:50:4E:97:4C:0D:AC:5B:5C:D4:76:C8:20:22:74:B2:4C:8C:71:72 72
ZeroSSL RSA Domain Secure Site CA C8:1A:8B:D1:F9:CF:6D:84:C5:25:F3:78:CA:1D:3F:8C:30:77:0E:34 2
R3 A0:53:37:5B:FE:84:E8:B7:48:78:2C:7C:EE:15:82:7A:6A:F5:A4:05 2
Sectigo RSA Domain Validation Secure Server CA 33:E4:E8:08:07:20:4C:2B:61:82:A3:A1:4B:59:1A:CD:25:B5:F0:DB 2
Encryption Everywhere DV TLS CA - G1 59:4F:2D:D1:03:52:C2:36:01:38:EE:35:AA:90:6F:97:3A:A3:0B:D3 2
jabber.strategyobject.net 7B:22:EF:BA:C7:B7:34:15:56:36:FD:21:AC:4B:17:BD:13:F9:5F:4C 1
GeoTrust RSA CA 2018 7C:CC:2A:87:E3:94:9F:20:57:2B:18:48:29:80:50:5F:A9:0C:AC:3B 1
grompe.org.ru 43:DE:21:4C:85:67:B7:00:14:7C:8C:2A:BC:2E:93:14:66:8E:C1:68 1
localhost B9:B3:E3:1F:26:CC:BF:DF:1E:78:9D:CA:61:A7:40:C5:FF:9C:E9:83 1
mtr.co.id A2:ED:52:6E:75:41:C0:A0:BD:15:84:7A:3D:A2:3C:F6:FC:E1:ED:30 1
Starfield Secure Certificate Authority - G2 7E:DC:37:6D:CF:D4:5E:6D:DF:08:2C:16:0D:F6:AC:21:83:5B:95:D4 1
ejabberd 85:19:95:FD:24:F8:35:DB:B0:80:EE:48:BB:CE:AA:35:5D:7E:E8:CF 1
DigiCert SHA2 Extended Validation Server CA 7E:2F:3A:4F:8F:E8:FA:8A:57:30:AE:CA:02:96:96:63:7E:98:6F:3F 1
cPanel, Inc. Certification Authority 76:4D:2F:A5:9E:D1:23:F9:C9:55:70:C4:03:C9:2F:EF:33:8E:A7:45 1
CA Cert Signing Authority DD:FC:DA:54:1E:75:77:AD:DC:A8:7E:88:27:A9:8A:50:60:32:52:A5 1
ejabberd.softether.net F0:7B:9D:F7:0F:66:40:5C:2D:62:74:78:F3:B4:7D:80:F5:5C:4A:B0 1
test.p-fruck.de 44:71:4C:E2:02:40:CA:92:7E:53:0B:A6:0C:0F:6A:D8:F1:AE:7F:EB 1
Go Daddy Secure Certificate Authority - G2 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8 1
SwissSign Server Gold CA 2014 - G22 AD:F2:89:73:16:71:8B:45:25:CE:37:00:82:D9:F1:23:D4:93:8F:98 1
prosody 2E:44:7A:6C:28:35:BE:72:5A:94:11:04:A8:47:F9:83:DD:02:1C:CB 1

Servers using <2048-bit RSA certificates which expires after 01-01-2014 0 results

As described in the CA/Browser Forum Baseline Requirements, certificates with RSA keys with less than 2048 bits should not be issued with an notAfter date after 31-12-2013. This list lists all certificates which violate that rule.

Target Type When Issuer

Servers with DNSSEC signed SRV records 46 results

Target Type When
101.wf client to server
404.city client to server
404.city server to server
5222.de client to server
a2x.ch client to server
alainwolf.ch client to server
autistici.org client to server
biohazardous.de server to server
c3l.lu client to server
chatsec.nz client to server
chatsec.nz server to server
cookiechat.de client to server
die.one client to server
disroot.org client to server
gajim.org client to server
habets.dev client to server
habets.dev server to server
home.floatblog.de client to server
hot-chilli.eu client to server
inventati.org client to server
jabber.at client to server
jabber.calyxinstitute.org client to server
jabber.de client to server
jabber.hot-chilli.net client to server
jabber.systemli.org client to server
leglock.me client to server
leglock.me server to server
lingruby.ovh client to server
lingruby.ovh server to server
mailbox.org client to server
nigma.city client to server
nigma.city server to server
nixnet.xyz client to server
orencak.sk client to server
pimux.de client to server
pimux.de server to server
riseup.net client to server
silper.cz client to server
snopyta.org client to server
snopyta.org server to server
suchat.org client to server
wiuwiu.de client to server
x0.chat client to server
xmpp.is client to server
xmpp.is server to server
ycc.fr server to server

Servers with DNSSEC signed DANE records 0 results

Target Type When

Servers with a hidden service 1 results

Target Type When
jabber.calyxinstitute.org client to server

Servers not offering encryption 1 results

Target Type When
cock.li server to server

Servers sharing private keys 4 results

Target SHA256(SPKI)
ejabberd.n360.info c2s B7:79:B5:65:0E:B0:DA:0C:38:62:45:D4:4C:29:09:B4:8D:89:8B:49:57:21:ED:67:E4:9D:AF:71:A5:13:5F:66
martinhome.org.uk c2s B7:79:B5:65:0E:B0:DA:0C:38:62:45:D4:4C:29:09:B4:8D:89:8B:49:57:21:ED:67:E4:9D:AF:71:A5:13:5F:66
im.tylerhoang.xyz c2s FB:47:D5:53:3D:56:15:C5:B5:01:2F:45:CD:D6:D3:27:FD:EE:58:B0:A5:2E:5F:99:7E:E1:94:95:C3:03:FB:01
tylerhoang.xyz c2s FB:47:D5:53:3D:56:15:C5:B5:01:2F:45:CD:D6:D3:27:FD:EE:58:B0:A5:2E:5F:99:7E:E1:94:95:C3:03:FB:01

Some rights reserved.