IM Observatory

Various reports of all servers tested

Report for december 2013 | Results of the last day | Results of the last week | Results of the last month

TLS versions 131 results

SSL 2 1 0.8%
SSL 3 1 0.8%
TLS 1.0 66 50.4%
TLS 1.1 71 54.2%
TLS 1.2 130 99.2%

Grades 131 results

A 120 91.6%
B 10 7.6%
C 0 0%
D 0 0%
E 0 0%
F 1 0.8%
Does not penalize untrusted certificates.

RSA key sizes for domain certificates

RSA key size Count
2048 66 52%
3072 2 1.6%
4096 58 45.7%
8192 1 0.8%

StartTLS

Type Client to server Server to server
Required 83 89.2% 27 71.1%
Allowed 10 10.8% 11 28.9%

Trust

To do authenticated encryption, a certificate needs to be both trusted and valid. Trusted means it is issued by a well-known CA and valid means it is valid for the domain we want to connect to.

Trusted Untrusted
Valid 136 90.1% 9 6%
Invalid 1 0.7% 5 3.3%

SASL mechanisms 93 results

Mechanism # times offered before TLS # times offered after TLS
PLAIN 8 8.6% 90 96.8%
SCRAM-SHA-1 10 10.8% 80 86%
SCRAM-SHA-1-PLUS 0 0% 35 37.6%
X-OAUTH2 2 2.2% 26 28%
DIGEST-MD5 8 8.6% 21 22.6%
CRAM-MD5 4 4.3% 5 5.4%
CISCO-VTG-TOKEN 0 0% 1 1.1%
SCRAM-SHA-256 0 0% 1 1.1%
SCRAM-SHA-256-PLUS 0 0% 1 1.1%
SCRAM-SHA-512 0 0% 1 1.1%
SCRAM-SHA-512-PLUS 0 0% 1 1.1%
X-GOOGLE-TOKEN 1 1.1% 1 1.1%
LOGIN 0 0% 1 1.1%
ANONYMOUS 1 1.1% 1 1.1%
OAUTHBEARER 0 0% 1 1.1%

Servers supporting SSL 3, but not TLS 1.0 0 results

SSL 3 and TLS 1.0 are very similar, but TLS 1.0 has some small improvements. This table is meant to help judge whether SSL 3 can be disabled by listing the servers that do support SSL 3, but not TLS 1.0.

Target Type When

Servers supporting SSL 2 1 results

SSL 2 is broken and insecure. It is not required for compatibility and servers should disable it.

Target Type When
silper.cz client to server

CAs used Top 30

Name/Organization SHA1 Count
Let's Encrypt Authority X3 E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB 76
Sectigo RSA Domain Validation Secure Server CA 33:E4:E8:08:07:20:4C:2B:61:82:A3:A1:4B:59:1A:CD:25:B5:F0:DB 5
Go Daddy Secure Certificate Authority - G2 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8 3
SwissSign Server Gold CA 2014 - G22 AD:F2:89:73:16:71:8B:45:25:CE:37:00:82:D9:F1:23:D4:93:8F:98 1
(Unknown) DC:E9:27:E6:03:E9:07:F1:71:9A:93:79:01:13:E2:F7:4E:CF:CC:E7 1
COMODO RSA Domain Validation Secure Server CA 33:9C:DD:57:CF:D5:B1:41:16:9B:61:5F:F3:14:28:78:2D:1D:A6:39 1
GeoTrust RSA CA 2018 7C:CC:2A:87:E3:94:9F:20:57:2B:18:48:29:80:50:5F:A9:0C:AC:3B 1
GTS CA 1O1 DF:E2:07:0C:79:E7:FF:36:A9:25:FF:A3:27:FF:E3:DE:EC:F8:F9:C2 1
opal FC:24:59:35:00:39:F3:49:41:44:C8:93:29:3F:37:3B:57:76:FC:48 1
chat.gazduireit.ro 2B:CF:1A:2C:E5:2F:80:6C:A0:44:E8:BB:56:A8:A1:60:7A:FE:07:38 1
localhost B9:B3:E3:1F:26:CC:BF:DF:1E:78:9D:CA:61:A7:40:C5:FF:9C:E9:83 1
RECOSNET F5:E3:56:B8:0E:D9:BC:AE:75:32:C4:E9:C3:F2:05:EA:79:C1:2E:BE 1
AlphaSSL CA - SHA256 - G2 4C:27:43:17:17:56:5A:3A:07:F3:E6:D0:03:2C:42:58:94:9C:F9:EC 1
p4dvd 84:57:88:65:D5:1A:F6:DD:F5:54:E8:86:3B:3F:6D:BD:00:7E:83:B0 1
Certum Domain Validation CA SHA2 FF:9C:EB:13:C8:3F:15:B8:00:E6:EF:F9:87:B2:C7:2E:01:B4:B3:20 1
CA Cert Signing Authority DD:FC:DA:54:1E:75:77:AD:DC:A8:7E:88:27:A9:8A:50:60:32:52:A5 1
Starfield Secure Certificate Authority - G2 7E:DC:37:6D:CF:D4:5E:6D:DF:08:2C:16:0D:F6:AC:21:83:5B:95:D4 1
Gandi Standard SSL CA 2 24:71:06:A4:05:B2:88:A4:6E:70:A0:26:27:17:16:2D:09:03:E7:34 1
Let's Encrypt Authority X3 1B:23:67:53:54:FC:AD:90:11:9D:88:07:50:15:EA:17:AD:D5:27:D8 1
DigiCert Global CA G2 D6:AE:E3:16:31:F7:AB:C5:6B:9D:E8:AB:EC:CC:41:08:A6:26:B1:04 1

Servers using <2048-bit RSA certificates which expires after 01-01-2014 0 results

As described in the CA/Browser Forum Baseline Requirements, certificates with RSA keys with less than 2048 bits should not be issued with an notAfter date after 31-12-2013. This list lists all certificates which violate that rule.

Target Type When Issuer

Servers with DNSSEC signed SRV records 33 results

Target Type When
1200bps.xyz client to server
404.city client to server
5222.de client to server
5222.de server to server
anoxinon.me client to server
constexpr.org client to server
constexpr.org server to server
dismail.de client to server
ejabberd.seb78.com client to server
ejabberd.seb78.com server to server
freepbx.servicevolontaire.org client to server
hot-chilli.net client to server
jabber.at client to server
jabber.calyxinstitute.org client to server
jabber.fr client to server
jabberfr.org client to server
jabber.hot-chilli.net client to server
jabber.tcpreset.net client to server
jabber.uk client to server
lacti.de client to server
magicum.net client to server
magicum.net server to server
mailbox.org client to server
pimux.de client to server
raghavgururajan.name client to server
riseup.net client to server
silper.cz client to server
skorpil.cz client to server
thebackupbox.net client to server
thebackupbox.net server to server
thesecure.biz client to server
x0.chat client to server
xmpp.is client to server

Servers with DNSSEC signed DANE records 0 results

Target Type When

Servers with a hidden service 0 results

Target Type When

Servers not offering encryption 1 results

Target Type When
freepbx.servicevolontaire.org client to server

Servers sharing private keys 7 results

Target SHA256(SPKI)
msg-fm.mooo.com c2s 9E:E2:17:75:1E:78:4A:3A:F8:B5:79:57:F4:D5:44:04:F8:AF:2A:1C:9D:4E:ED:CA:E5:1A:0A:7F:82:51:71:A7
msg-fm.mooo.com s2s 9E:E2:17:75:1E:78:4A:3A:F8:B5:79:57:F4:D5:44:04:F8:AF:2A:1C:9D:4E:ED:CA:E5:1A:0A:7F:82:51:71:A7
xmpp.thefontenay.com c2s 9E:E2:17:75:1E:78:4A:3A:F8:B5:79:57:F4:D5:44:04:F8:AF:2A:1C:9D:4E:ED:CA:E5:1A:0A:7F:82:51:71:A7
ej.autumnsheet.com c2s B7:79:B5:65:0E:B0:DA:0C:38:62:45:D4:4C:29:09:B4:8D:89:8B:49:57:21:ED:67:E4:9D:AF:71:A5:13:5F:66
onionmessenger.com c2s B7:79:B5:65:0E:B0:DA:0C:38:62:45:D4:4C:29:09:B4:8D:89:8B:49:57:21:ED:67:E4:9D:AF:71:A5:13:5F:66
jabber.fr c2s E8:F8:76:67:90:D9:F1:4E:B1:9E:90:B6:AB:B4:1E:7C:E8:EA:CC:E1:72:5C:2D:3E:DB:18:BF:DE:59:44:A0:04
jabberfr.org c2s E8:F8:76:67:90:D9:F1:4E:B1:9E:90:B6:AB:B4:1E:7C:E8:EA:CC:E1:72:5C:2D:3E:DB:18:BF:DE:59:44:A0:04

Some rights reserved.