[jdev] SSL/TLS versions

Matthew Wild mwild1 at gmail.com
Fri Nov 15 22:59:28 UTC 2013


On 15 November 2013 02:33, Peter Saint-Andre <stpeter at stpeter.im> wrote:
> Hash: SHA1
> Matthew Wild has run some analytics on SSL/TLS versions negotiated
> over a period of time at the jabber.org XMPP service. The percentages
> were roughly as follows:
> TLS 1.0 72%
> TLS 1.2 21%
> TLS 1.1  4%
> SSLv3    3%

Quick note: I consider these preliminary results, they've had very
little processing and should be taken with a pinch of salt. For
example, I had to filter out some spammer who was abusing the service
with a single client and severely skewing the results. It's important
to note that these are a series of handshakes over a period of time
(~12h I think), and not a snapshot of connected clients at a single
point in time - thus they might include reconnects and other biases.

We saw somewhat different ratios on dukgo.com, which has a smaller but
large userbase - however I believe dukgo.com users are heavily skewed
towards Pidgin because of the tutorial they provide. Stats from there:

  TLS 1.0  66.4%
  TLS 1.1  16.7%
  TLS 1.2  16.6%
  SSL 3.0  0.2%

I'm still trying to play with the data and get results I'm more
confident in, and will post with more details when I have done so.

As they say: beware lies, damned lies and statistics.


More information about the JDev mailing list