Various reports of all servers tested

Report for december 2013 | Results of the last day | Results of the last week | Results of the last month

TLS versions 93 results

SSL 2 0 0%
SSL 3 1 1.1%
TLS 1.0 46 49.5%
TLS 1.1 49 52.7%
TLS 1.2 92 98.9%

Grades 93 results

A 88 94.6%
B 4 4.3%
C 0 0%
D 0 0%
E 0 0%
F 1 1.1%
Does not penalize untrusted certificates.

RSA key sizes for domain certificates

RSA key size Count
1024 2 2.2%
2048 43 47.8%
4096 45 50%

StartTLS

Type Client to server Server to server
Required 51 83.6% 23 71.9%
Allowed 10 16.4% 9 28.1%

Trust

To do authenticated encryption, a certificate needs to be both trusted and valid. Trusted means it is issued by a well-known CA and valid means it is valid for the domain we want to connect to.

Trusted Untrusted
Valid 92 89.3% 7 6.8%
Invalid 1 1% 3 2.9%

SASL mechanisms 61 results

Mechanism # times offered before TLS # times offered after TLS
PLAIN 6 9.8% 59 96.7%
SCRAM-SHA-1 9 14.8% 55 90.2%
SCRAM-SHA-1-PLUS 0 0% 23 37.7%
X-OAUTH2 2 3.3% 15 24.6%
DIGEST-MD5 4 6.6% 10 16.4%
CRAM-MD5 1 1.6% 2 3.3%
LOGIN 0 0% 1 1.6%

Servers supporting SSL 3, but not TLS 1.0 0 results

SSL 3 and TLS 1.0 are very similar, but TLS 1.0 has some small improvements. This table is meant to help judge whether SSL 3 can be disabled by listing the servers that do support SSL 3, but not TLS 1.0.

Target Type When

Servers supporting SSL 2 0 results

SSL 2 is broken and insecure. It is not required for compatibility and servers should disable it.

Target Type When

CAs used Top 30

Name/Organization SHA1 Count
Let's Encrypt Authority X3 E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB 56
Sectigo RSA Domain Validation Secure Server CA 33:E4:E8:08:07:20:4C:2B:61:82:A3:A1:4B:59:1A:CD:25:B5:F0:DB 2
Let's Encrypt Authority X3 1B:23:67:53:54:FC:AD:90:11:9D:88:07:50:15:EA:17:AD:D5:27:D8 2
COMODO RSA Domain Validation Secure Server CA 33:9C:DD:57:CF:D5:B1:41:16:9B:61:5F:F3:14:28:78:2D:1D:A6:39 1
GeoTrust RSA CA 2018 7C:CC:2A:87:E3:94:9F:20:57:2B:18:48:29:80:50:5F:A9:0C:AC:3B 1
new-swankton.net A3:BF:22:D3:EE:44:6E:65:B0:F8:25:80:89:89:81:56:99:B9:7B:E7 1
ejabberd C1:8B:AF:97:16:64:64:71:DA:50:8A:1C:7E:DC:E6:E6:FA:42:4F:68 1
John Doe 4B:EB:B2:62:42:70:4B:2D:1A:A6:A6:47:F3:E5:B1:E7:54:8C:11:FD 1
live.web-connected.com EA:67:28:78:88:7A:38:5C:3A:D3:F9:9A:0F:43:3F:1C:A1:DC:42:6A 1
RapidSSL RSA CA 2018 98:C6:A8:DC:88:79:63:BA:3C:F9:C2:73:1C:BD:D3:F7:DE:05:AC:2D 1
Conversations CA F9:87:0B:66:B3:81:01:6F:E3:F3:F2:C4:B2:9E:3D:64:54:FA:E5:E8 1
RapidSSL SHA256 CA - G3 0E:34:14:18:46:E7:42:3D:37:F2:0D:C0:AB:06:C9:BB:D8:43:DC:24 1
blikon.ddns.net 3E:B5:2C:F0:4A:D9:A4:39:90:56:A4:38:DA:E5:C4:0C:21:49:C4:0C 1
Go Daddy Secure Certificate Authority - G2 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8 1
SwissSign Server Gold CA 2014 - G22 AD:F2:89:73:16:71:8B:45:25:CE:37:00:82:D9:F1:23:D4:93:8F:98 1

Servers using <2048-bit RSA certificates which expires after 01-01-2014 1 results

As described in the CA/Browser Forum Baseline Requirements, certificates with RSA keys with less than 2048 bits should not be issued with an notAfter date after 31-12-2013. This list lists all certificates which violate that rule.

Target Type When Issuer
new-swankton.net server to server new-swankton.net

Servers with DNSSEC signed SRV records 30 results

Target Type When
404.city client to server
a3.pm client to server
anoxinon.me client to server
beherit.pl client to server
beherit.pl server to server
dismail.de client to server
disroot.org client to server
erewhon.in client to server
im.in-ulm.de client to server
jabber.briehl.de client to server
jabber.calyxinstitute.org client to server
jabber.de client to server
jabber.fr client to server
jabber.systemli.org client to server
jabber.uk server to server
juniorjpdj.pl client to server
juniorjpdj.pl server to server
mailbox.org client to server
nlnet.nl client to server
savemy.name client to server
snopyta.org client to server
snopyta.org server to server
suchat.org client to server
thesecure.biz client to server
tm-t.ca client to server
tm-t.ca server to server
van-donselaar.nl client to server
van-donselaar.nl server to server
wiuwiu.de client to server
xmpp.is client to server

Servers with DNSSEC signed DANE records 0 results

Target Type When

Servers with a hidden service 1 results

Target Type When
jabber.calyxinstitute.org client to server

Servers not offering encryption 0 results

Target Type When

Servers sharing private keys 2 results

Target SHA256(SPKI)
draugr.de c2s 9D:E8:C7:2E:58:A9:F5:18:63:BA:4A:9C:AA:9B:C3:D1:03:DF:A1:5F:00:C6:49:9A:EB:20:FB:C5:39:EB:13:6B
ubuntu-jabber.net s2s 9D:E8:C7:2E:58:A9:F5:18:63:BA:4A:9C:AA:9B:C3:D1:03:DF:A1:5F:00:C6:49:9A:EB:20:FB:C5:39:EB:13:6B