Various reports of all servers tested


TLS versions 157 results

Version | Count | Percentage
SSL 2 | 0 | 0%
SSL 3 | 1 | 0.6%
TLS 1.0 | 98 | 62.4%
TLS 1.1 | 110 | 70.1%
TLS 1.2 | 157 | 100%

Grades 157 results

Grade | Count | Percentage
A | 134 | 85.4%
B | 22 | 14%
C | 1 | 0.6%
D | 0 | 0%
E | 0 | 0%
F | 0 | 0%
Does not penalize untrusted certificates.

RSA key sizes for domain certificates

RSA key size | Count | Percentage
1024 | 1 | 0.7%
2048 | 87 | 56.9%
4096 | 63 | 41.2%
8192 | 2 | 1.3%

StartTLS

Type | Client to server | Server to server
Required | 78 (79.6%) | 37 (62.7%)
Allowed | 20 (20.4%) | 22 (37.3%)

Trust

Authenticated encryption requires a certificate that is both trusted and valid. Trusted means it is issued by a well-known CA; valid means it is valid for the domain we want to connect to.

Certificate | Trusted | Untrusted
Valid | 150 (86.7%) | 14 (8.1%)
Invalid | 3 (1.7%) | 6 (3.5%)

SASL mechanisms 98 results

Mechanism | # times offered before TLS | # times offered after TLS
PLAIN | 23 (23.5%) | 98 (100%)
SCRAM-SHA-1 | 21 (21.4%) | 86 (87.8%)
X-OAUTH2 | 7 (7.1%) | 32 (32.7%)
SCRAM-SHA-1-PLUS | 0 (0%) | 30 (30.6%)
DIGEST-MD5 | 16 (16.3%) | 22 (22.4%)
CRAM-MD5 | 6 (6.1%) | 7 (7.1%)
ANONYMOUS | 1 (1%) | 2 (2%)
LOGIN | 0 (0%) | 1 (1%)
JIVE-SHAREDSECRET | 1 (1%) | 1 (1%)
X-OAUTH | 1 (1%) | 1 (1%)
GSSAPI | 1 (1%) | 1 (1%)

Servers supporting SSL 3, but not TLS 1.0 0 results

SSL 3 and TLS 1.0 are very similar, but TLS 1.0 has some small improvements. This table is meant to help judge whether SSL 3 can be disabled by listing the servers that do support SSL 3, but not TLS 1.0.

Target Type When

Servers supporting SSL 2 0 results

SSL 2 is broken and insecure. It is not required for compatibility and servers should disable it.

Target Type When

CAs used Top 30

Name/Organization SHA1 Count
Let's Encrypt Authority X3 E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB 96
COMODO RSA Domain Validation Secure Server CA 33:9C:DD:57:CF:D5:B1:41:16:9B:61:5F:F3:14:28:78:2D:1D:A6:39 6
Let's Encrypt Authority X3 1B:23:67:53:54:FC:AD:90:11:9D:88:07:50:15:EA:17:AD:D5:27:D8 2
Sectigo RSA Domain Validation Secure Server CA 33:E4:E8:08:07:20:4C:2B:61:82:A3:A1:4B:59:1A:CD:25:B5:F0:DB 2
GeoTrust RSA CA 2018 7C:CC:2A:87:E3:94:9F:20:57:2B:18:48:29:80:50:5F:A9:0C:AC:3B 1
localhost B9:B3:E3:1F:26:CC:BF:DF:1E:78:9D:CA:61:A7:40:C5:FF:9C:E9:83 1
*.muc.tigase.org 76:48:B0:A9:BF:67:2E:D7:E9:17:01:60:64:DD:A1:55:5B:5E:5F:2E 1
muc.tigase.org 76:48:B0:A9:BF:67:2E:D7:E9:17:01:60:64:DD:A1:55:5B:5E:5F:2E 1
openfire.southindia.cloudapp.azure.com FC:7F:7E:2E:FC:2E:C5:B0:CA:2D:52:69:18:2E:C7:30:78:5B:BC:AA 1
RapidSSL SHA256 CA C8:6E:DB:C7:1A:B0:50:78:F6:1A:CD:F3:D8:DC:5D:B6:1E:B7:5F:B6 1
Starfield Secure Certificate Authority - G2 7E:DC:37:6D:CF:D4:5E:6D:DF:08:2C:16:0D:F6:AC:21:83:5B:95:D4 1
tfs.today E0:C5:77:C9:7F:CF:74:F0:73:D7:B2:A5:5A:D0:B2:2D:57:21:F0:7F 1
vitor.guia.nom.br 3C:5B:BE:07:55:4E:82:C3:57:9B:45:D1:0E:76:44:E2:95:D1:FE:01 1
AlphaSSL CA - SHA256 - G2 4C:27:43:17:17:56:5A:3A:07:F3:E6:D0:03:2C:42:58:94:9C:F9:EC 1
xmpp-chat-server 9D:64:03:2A:26:25:9A:AD:27:AF:68:20:A6:DA:25:64:54:C6:93:93 1
CA Cert Signing Authority 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33 1
ejabberd D3:15:3D:8E:44:48:3C:E5:71:91:17:35:1C:6B:08:1A:C3:20:9C:3F 1
Fachhochschule Aachen CA - G01 1E:40:27:3D:8B:B9:58:38:5F:3B:70:1F:F0:70:EE:23:0A:79:65:97 1

Servers using <2048-bit RSA certificates which expire after 01-01-2014 2 results

As described in the CA/Browser Forum Baseline Requirements, certificates with RSA keys of less than 2048 bits should not be issued with a notAfter date after 31-12-2013. This list shows all certificates which violate that rule.

Target Type When Issuer
muc.tigase.org server to server *.muc.tigase.org
muc.tigase.org server to server muc.tigase.org

Servers with DNSSEC signed SRV records 46 results

Target Type When
404.city client to server
elaon.de client to server
jabb3r.org client to server
xmpp.is client to server
xmpp.taiga-san.net server to server
blesmrt.net server to server
dark-alexandr.net server to server
elaon.de server to server
jabber.de client to server
trashserver.net client to server
trashserver.net server to server
volatile.bz client to server
xmpp.mynet.fr server to server
dark-alexandr.net client to server
jalogisch.de server to server
tbk112.com client to server
thesecure.biz client to server
volatile.bz server to server
jabber.de server to server
jabber.ordinatis.de client to server
sharezen.de client to server
5222.de client to server
dismail.de server to server
serafean.cz server to server
sharezen.de server to server
x0.chat client to server
xmpp.is server to server
disroot.org client to server
draugr.de client to server
knop.eu client to server
knop.eu server to server
petko.me server to server
xmpp.mynet.fr client to server
barfoo.eu client to server
dismail.de client to server
maurice-walker.com client to server
maurice-walker.com server to server
omemo.ca client to server
petko.me client to server
serafean.cz client to server
im.cyberjinh.fr client to server
im.cyberjinh.fr server to server
jabber.cat client to server
pouet.ovh client to server
rooms.kitsune.one server to server
wowana.me server to server

Servers with DNSSEC signed DANE records 0 results

Target Type When

Servers with a hidden service 0 results

Target Type When

Servers not offering encryption 1 result

Target Type When
webex.com server to server

Servers sharing private keys 6 results

Target SHA256(SPKI)
push.tigase.im s2s 57:88:30:BC:82:FB:AA:23:A2:4E:74:4B:C8:85:D8:42:22:93:82:4C:80:00:03:4E:FC:83:CD:C4:D8:76:67:7D
tigase.im c2s 57:88:30:BC:82:FB:AA:23:A2:4E:74:4B:C8:85:D8:42:22:93:82:4C:80:00:03:4E:FC:83:CD:C4:D8:76:67:7D
tigase.im s2s 57:88:30:BC:82:FB:AA:23:A2:4E:74:4B:C8:85:D8:42:22:93:82:4C:80:00:03:4E:FC:83:CD:C4:D8:76:67:7D
muc.volatile.bz s2s FD:1F:2B:A1:5C:44:93:EC:3A:68:5C:12:97:1E:A0:EC:19:B5:4A:B6:EB:38:1E:9E:97:DE:87:7D:BE:4C:9A:B5
volatile.bz c2s FD:1F:2B:A1:5C:44:93:EC:3A:68:5C:12:97:1E:A0:EC:19:B5:4A:B6:EB:38:1E:9E:97:DE:87:7D:BE:4C:9A:B5
volatile.bz s2s FD:1F:2B:A1:5C:44:93:EC:3A:68:5C:12:97:1E:A0:EC:19:B5:4A:B6:EB:38:1E:9E:97:DE:87:7D:BE:4C:9A:B5