IM Observatory

Various reports of all servers tested

Report for december 2013 | Results of the last day | Results of the last week | Results of the last month

TLS versions 138 results

SSL 2 1 0.7%
SSL 3 3 2.2%
TLS 1.0 61 44.2%
TLS 1.1 67 48.6%
TLS 1.2 136 98.6%

Grades 138 results

A 129 93.5%
B 7 5.1%
C 1 0.7%
D 0 0%
E 0 0%
F 1 0.7%
Does not penalize untrusted certificates.

RSA key sizes for domain certificates

RSA key size Count
2048 75 59.1%
4096 51 40.2%
8192 1 0.8%

StartTLS

Type Client to server Server to server
Required 92 86.8% 26 81.3%
Allowed 14 13.2% 6 18.8%

Trust

To do authenticated encryption, a certificate needs to be both trusted and valid. Trusted means it is issued by a well-known CA and valid means it is valid for the domain we want to connect to.

Trusted Untrusted
Valid 134 88.2% 14 9.2%
Invalid 2 1.3% 2 1.3%

SASL mechanisms 106 results

Mechanism # times offered before TLS # times offered after TLS
PLAIN 10 9.4% 105 99.1%
SCRAM-SHA-1 12 11.3% 92 86.8%
SCRAM-SHA-1-PLUS 0 0% 68 64.2%
X-OAUTH2 2 1.9% 26 24.5%
DIGEST-MD5 8 7.5% 16 15.1%
SCRAM-SHA-512 0 0% 8 7.5%
SCRAM-SHA-512-PLUS 0 0% 8 7.5%
SCRAM-SHA-256 0 0% 7 6.6%
SCRAM-SHA-256-PLUS 0 0% 7 6.6%
CRAM-MD5 2 1.9% 3 2.8%
TIKITOKEN 1 0.9% 1 0.9%
LOGIN 0 0% 1 0.9%

Servers supporting SSL 3, but not TLS 1.0 0 results

SSL 3 and TLS 1.0 are very similar, but TLS 1.0 has some small improvements. This table is meant to help judge whether SSL 3 can be disabled by listing the servers that do support SSL 3, but not TLS 1.0.

Target Type When

Servers supporting SSL 2 1 results

SSL 2 is broken and insecure. It is not required for compatibility and servers should disable it.

Target Type When
s.ms client to server

CAs used Top 30

Name/Organization SHA1 Count
R3 A0:53:37:5B:FE:84:E8:B7:48:78:2C:7C:EE:15:82:7A:6A:F5:A4:05 84
R3 48:50:4E:97:4C:0D:AC:5B:5C:D4:76:C8:20:22:74:B2:4C:8C:71:72 6
Sectigo RSA Domain Validation Secure Server CA 33:E4:E8:08:07:20:4C:2B:61:82:A3:A1:4B:59:1A:CD:25:B5:F0:DB 4
chat.gazduireit.ro 2B:CF:1A:2C:E5:2F:80:6C:A0:44:E8:BB:56:A8:A1:60:7A:FE:07:38 1
Thawte TLS RSA CA G1 C9:FE:FC:76:3D:95:48:B4:87:69:6F:04:7A:CB:A0:AB:E4:5C:7B:C1 1
freedombox 04:B7:FE:C5:CC:F3:06:9A:68:0C:E6:43:46:F4:EC:D7:77:48:3D:9A 1
nulltrading.com 5E:4B:F5:A9:78:44:C7:CE:60:98:44:B4:BF:75:BB:DC:5D:C0:D5:96 1
69peshloche.uk 4F:12:BB:B2:0C:34:78:1D:BD:8A:82:7A:6E:05:6B:BE:D0:F9:2C:C2 1
PSYCAST-CA 86:1F:8E:6C:0C:C3:40:14:21:43:42:1A:2E:50:D9:6A:F9:D9:54:B0 1
parsec2.unicampania.it 2D:31:97:88:86:31:A9:8B:4B:30:90:4E:68:25:9B:CF:D5:06:87:E7 1
Conversations CA F9:87:0B:66:B3:81:01:6F:E3:F3:F2:C4:B2:9E:3D:64:54:FA:E5:E8 1
E1 09:1E:8E:A1:B2:56:A3:12:96:2A:F6:C1:40:C0:FB:F0:79:A4:07:B3 1
StartCom Class 1 DV Server CA 39:8E:19:36:63:9B:A5:20:6D:F5:17:9B:FB:B7:01:09:33:96:94:00 1
kortex.ch DE:9C:EF:F0:24:02:3D:46:27:79:CB:A5:38:6E:F5:5E:7F:86:68:7E 1
Thawte RSA CA 2018 4D:EE:A7:06:0D:80:BA:BF:16:43:B4:E0:F0:10:4C:82:99:50:75:B7 1
Encryption Everywhere DV TLS CA - G1 59:4F:2D:D1:03:52:C2:36:01:38:EE:35:AA:90:6F:97:3A:A3:0B:D3 1
RapidSSL RSA CA 2018 98:C6:A8:DC:88:79:63:BA:3C:F9:C2:73:1C:BD:D3:F7:DE:05:AC:2D 1
GeoTrust RSA CA 2018 7C:CC:2A:87:E3:94:9F:20:57:2B:18:48:29:80:50:5F:A9:0C:AC:3B 1
Let's Encrypt Authority X3 E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB 1

Servers using <2048-bit RSA certificates which expires after 01-01-2014 0 results

As described in the CA/Browser Forum Baseline Requirements, certificates with RSA keys with less than 2048 bits should not be issued with an notAfter date after 31-12-2013. This list lists all certificates which violate that rule.

Target Type When Issuer

Servers with DNSSEC signed SRV records 34 results

Target Type When
404.city client to server
404.city server to server
a3.pm client to server
aegeria.xyz client to server
dismail.de client to server
dismail.de server to server
disroot.org client to server
disroot.org server to server
elaon.de client to server
elaon.de server to server
habets.dev client to server
hot-chilli.net client to server
impfpush.de client to server
impfpush.de server to server
jabb3r.org client to server
jabber.absturztau.be server to server
jabber.at client to server
jabber.calyxinstitute.org client to server
jabber.de client to server
jabber.systemli.org client to server
mailbox.org client to server
monero.men client to server
pimux.de client to server
psifactor.pl client to server
psifactor.pl server to server
skynetcloud.site client to server
skynetcloud.site server to server
suchat.org client to server
thesecure.biz client to server
thfree.ru client to server
thfree.ru server to server
yakk.xyz client to server
yakk.xyz server to server
zash.se client to server

Servers with DNSSEC signed DANE records 0 results

Target Type When

Servers with a hidden service 1 results

Target Type When
jabber.calyxinstitute.org client to server

Servers not offering encryption 1 results

Target Type When
firemail.cc server to server

Servers sharing private keys 3 results

Target SHA256(SPKI)
01337.io c2s F8:0B:60:50:AA:27:B1:F4:42:8E:0A:59:EB:36:1D:B6:55:66:70:02:32:2C:B4:35:71:38:79:2E:A9:B9:B3:2F
01337.ru c2s F8:0B:60:50:AA:27:B1:F4:42:8E:0A:59:EB:36:1D:B6:55:66:70:02:32:2C:B4:35:71:38:79:2E:A9:B9:B3:2F
shad0w.io c2s F8:0B:60:50:AA:27:B1:F4:42:8E:0A:59:EB:36:1D:B6:55:66:70:02:32:2C:B4:35:71:38:79:2E:A9:B9:B3:2F

Some rights reserved.