SSL on Untrusted Network

SANS ISC Diary - Positive trends related to public IP ranges from the year 2025

Jan Kopriva — Thu, 18 Dec 2025 09:10:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a few positive trends related to public IP ranges from the past twelve months…

SSL 2.0 support on servers in the Czech Republic

Jan Kopriva — Mon, 10 Feb 2025 07:55:00 +0100

While I was writing last week’s article, which was devoted to the number of internet-exposed servers that still support SSL 2.0, it occured to me that it might be interesting to take a look at how support for this protocol has decreased in the Czech Republic over the years… So, you will find the answer in the following chart.

SANS ISC Diary - SSL 2.0 turns 30 this Sunday... Perhaps the time has come to let it die?

Jan Kopriva — Fri, 07 Feb 2025 11:45:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an upcoming 30-year anniversary of the publication of SSL 2.0, and on the number of internet-exposed systems that still support this protocol…

SANS ISC Diary - Changes in SSL and TLS support in 2024

Jan Kopriva — Mon, 30 Dec 2024 12:25:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at changes in SSL/TLS support on web servers and e-mail servers during the 12 months of 2024…

SANS ISC Diary - Support of SSL 2.0 on web servers in 2024

Jan Kopriva — Fri, 28 Jun 2024 12:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the number of web server that still support SSL v2.0…

SANS ISC Diary - Kazakhstan - the world's last SSLv2 superpower... and a country with potentially vulnerable last-mile internet infrastructure

Jan Kopriva — Wed, 28 Jun 2023 08:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a surprisingly high number of old network devices in Kazakhstan, which still support SSL version 2.0…

SSL version 2.0 support on web servers in the Czech Republic

Jan Kopriva — Thu, 08 Jun 2023 07:30:00 +0100

Last week, I published an article discussing the weakening support for SSLv2 on web servers on the global internet. While I was writing it, it occurred to me that it might also be interesting to look specifically at the situation as it relates to web servers in the Czech Republic.

Long story short, in CZ, the situation is somewhat worse than average - globally, we currently see SSLv2 on about 0.35% of all web servers, while in the Czech Republic, it is a little over 0.89%. Nevertheless, the overall trend of SSLv2 “dying off” is present even here, as you may see in the following chart…

SANS ISC Diary - After 28 years, SSLv2 is still not gone from the internet... but we're getting there

Jan Kopriva — Thu, 01 Jun 2023 10:40:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at how SSLv2 support on web servers connected to the internet is slowly “dying off”…

Open ports statistics for 2021

Jan Kopriva — Wed, 05 Jan 2022 07:30:00 +0200

The year 2021 is behind us which means that the time has come for us to take a look at how the internet changed over its 365 days.

As always, the data, on which the following charts are based, have been gathered using Shodan. Therefore bear in mind that although the charts should give us a good enough view of more significant changes, they may not be completely accurate (see the first post with quarterly statistics.

It should be mentioned that since Shodan started offering a new service called Trends few months back, which enables one to quickly view similar charts as the ones bellow for arbitrary search queries, this may be the last post in the “Open port statistics” series, since these are somewhat superfluous given the new service… Althoug, since Shodan Trends displays only “high-level” charts with significantly lower level of precission (it seems that it uses either an average or a median for each month, whereas the following charts show precise values returned by Shodan on each day in the year), maybe I’ll decide to keep posting these at least on a yearly basis - we’ll see…

Should you be interested in the port situation in the Czech Republic, you may find corresponding charts here.

Bellow, you may find charts for the following protocols and ports:

Web

E-mail

SSL/TLS

Industrial Control Systems (ICS)

SSH (port 22)

Telnet (port 23)

DNS (port 53)

NTP (port 123)

SNMP (port 161)

SMB (port 445)

RDP (port 3389)

Web

HTTP (port 80)

HTTPS (port 443)

TLS 1.3 (port 443)

TLS 1.2 (port 443)

TLS 1.1 (port 443)

TLS 1.0 (port 443)

SSL 3.0 (port 443)

SSL 2.0 (port 443)

E-mail

SMTP (port 25)

SMTPS (port 465)

IMAP (port 143)

IMAPS (port 993)

POP3 (port 110)

POP3S (port 995)

SSL/TLS

TLS 1.3 (all ports)

TLS 1.2 (all ports)

TLS 1.1 (all ports)

TLS 1.0 (all ports)

SSL 3.0 (all ports)

SSL 2.0 (all ports)

Industrial Control Systems

All ICS protocols

Modbus (port 502)

EIBnet/IP (port 3671)

BACnet/IP (port 47808)

Open ports statistics for Q3 2021

Jan Kopriva — Fri, 01 Oct 2021 15:00:00 +0200

Only the last three months remain until the end of 2021, which means it’s time for a look at how the internet as a whole changed in the third quarter of the year.

Should you be interested in the port situation in the Czech Republic, you may find corresponding charts here.

Bellow, you may find charts for the following protocols and ports:

Web

E-mail

SSL/TLS

Industrial Control Systems (ICS)

SSH (port 22)

Telnet (port 23)

DNS (port 53)

NTP (port 123)

SNMP (port 161)

SMB (port 445)

RDP (port 3389)

Web

HTTP (port 80)

HTTPS (port 443)

TLS 1.3 (port 443)

TLS 1.2 (port 443)

TLS 1.1 (port 443)

TLS 1.0 (port 443)

SSL 3.0 (port 443)

SSL 2.0 (port 443)

E-mail

SMTP (port 25)

SMTPS (port 465)

IMAP (port 143)

IMAPS (port 993)

POP3 (port 110)

POP3S (port 995)

SSL/TLS

TLS 1.3 (all ports)

TLS 1.2 (all ports)

TLS 1.1 (all ports)

TLS 1.0 (all ports)

SSL 3.0 (all ports)

SSL 2.0 (all ports)

Industrial Control Systems

All ICS protocols

Modbus (port 502)

EIBnet/IP (port 3671)

BACnet/IP (port 47808)

SANS ISC Diary - TLS 1.3 and SSL - the current state of affairs

Jan Kopriva — Tue, 28 Sep 2021 11:20:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the current state of adoption of TLS 1.3 and disposal of SSL 2.0 and 3.0…

Open ports statistics for Q2 2021

Jan Kopriva — Wed, 30 Jun 2021 21:15:00 +0200

The first half of 2020 is behind us, which means it’s time for a look at how the internet as a whole changed during the past 3 months.

Should you be interested in the port situation in the Czech Republic, you may find corresponding charts here.

Bellow, you may find charts for the following protocols and ports:

Web

E-mail

SSL/TLS

Industrial Control Systems (ICS)

SSH (port 22)

Telnet (port 23)

DNS (port 53)

NTP (port 123)

SNMP (port 161)

SMB (port 445)

RDP (port 3389)

Web

HTTP (port 80)

HTTPS (port 443)

TLS 1.3 (port 443)

TLS 1.2 (port 443)

TLS 1.1 (port 443)

TLS 1.0 (port 443)

SSL 3.0 (port 443)

SSL 2.0 (port 443)

E-mail

SMTP (port 25)

SMTPS (port 465)

IMAP (port 143)

IMAPS (port 993)

POP3 (port 110)

POP3S (port 995)

SSL/TLS

TLS 1.3 (all ports)

TLS 1.2 (all ports)

TLS 1.1 (all ports)

TLS 1.0 (all ports)

SSL 3.0 (all ports)

SSL 2.0 (all ports)

Industrial Control Systems

All ICS protocols

Modbus (port 502)

EIBnet/IP (port 3671)

BACnet/IP (port 47808)

Open ports statistics for Q1 2021

Jan Kopriva — Mon, 05 Apr 2021 11:30:00 +0200

The first quarter of 2020 is behind us, which means it’s time for another look at some of the interesting ports accessible on public IPs. This time however, we will take a look at how the internet as a whole changed during the past 3 months in terms of accessible ports, but also at specific changes related to support of different versions of SSL and TLS.

Should you be interested in the port situation in the Czech Republic, you may find corresponding charts here.

Bellow, you may find charts for the following protocols and ports:

Web

E-mail

SSL/TLS

Industrial Control Systems (ICS)

SSH (port 22)

Telnet (port 23)

DNS (port 53)

NTP (port 123)

SNMP (port 161)

SMB (port 445)

RDP (port 3389)

Web

HTTP (port 80)

HTTPS (port 443)

TLS 1.3 (port 443)

TLS 1.2 (port 443)

TLS 1.1 (port 443)

TLS 1.0 (port 443)

SSL 3.0 (port 443)

SSL 2.0 (port 443)

E-mail

SMTP (port 25)

SMTPS (port 465)

IMAP (port 143)

IMAPS (port 993)

POP3 (port 110)

POP3S (port 995)

SSL/TLS

TLS 1.3 (all ports)

TLS 1.2 (all ports)

TLS 1.1 (all ports)

TLS 1.0 (all ports)

SSL 3.0 (all ports)

SSL 2.0 (all ports)

Industrial Control Systems

All ICS protocols

Modbus (port 502)

EIBnet/IP (port 3671)

BACnet/IP (port 47808)

SANS ISC Diary - Old TLS versions - gone, but not forgotten... well, not really 'gone' either

Jan Kopriva — Tue, 30 Mar 2021 10:20:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at changes in the number of web servers, which support TLS 1.0 and TLS 1.1…

Open ports statistics for 2020

Jan Kopriva — Fri, 01 Jan 2021 17:00:00 +0200

The last quarter of 2020 is behind us, which means it’s time for another look at some of the interesting ports accessible on public IPs. This time however, we will take a look at how the internet changed during the whole of 2020, not just at the past 3 months.

I would especially like to bring to your attention the steady decrease in ICS systems connected to the internet during 2020. Although Shodan still sees almost 100k of IP addresses running services communicating using industrial protocols, it is over 30k less then it saw at the beginning of the year.

Should you be interested in the port situation in the Czech Republic, you may find corresponding charts here.

Bellow, you may find charts for the following protocols and ports:

Web

E-mail

Industrial Control Systems (ICS)

SSH (port 22)

Telnet (port 23)

DNS (port 53)

NTP (port 123)

SNMP (port 161)

SMB (port 445)

RDP (port 3389)

HTTP (port 80)

HTTPS (port 443)

SMTP (port 25)

SMTPS (port 465)

IMAP (port 143)

IMAPS (port 993)

POP3 (port 110)

POP3S (port 995)

All ICS protocols

Modbus (port 502)

EIBnet/IP (port 3671)

BACnet/IP (port 47808)

SANS ISC Diary - TLS 1.3 is now supported by about 1 in every 5 HTTPS servers

Jan Kopriva — Wed, 30 Dec 2020 12:55:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at the increse in support of TLS 1.3 by HTTPS servers and the decrease in support of SSL 2.0.

Open ports statistics for Q3 2020

Jan Kopriva — Wed, 30 Sep 2020 07:30:00 +0200

If you’ve read any of my posts about open ports on public IP addresses either here or on the SANS Internet Storm Center website, you probably know that I’m interested in how the internet changes over time and I try to gain at least some understanding of it by analyzing data gathered over time from Shodan.

To this end, I’ve been gathering daily statistics of different open ports/running services accessible on public IP addresses around the world and in different countries for about 18 months now. In order to acquire this data, I wrote Python tool (which I’ve called “TriOp” for obvious reasons), that enables me to quickly create reusable batches of queries for Shodan and automatically gather the numbers of IP addresses, which satisfy these queries. I plan to open source the tool in the future, but I will first need to find some time to clean up the code a little, as although it works just fine in its current version, it is a bit too spaghetti-like in some places for my liking…

In any case, since I have access to this data and I’m probably not the only one who finds the changes in numbers of different open ports interesting, I’ve decided to start publishing quarterly (and perhaps yearly) charts of the numbers of IPs, which have some of the more interesting ports open to the internet.
The list of ports is intentionally small, but if you’d like to see a chart for any of the missing ones next quarter, let me know and I’ll consider adding it.

I should mention that due to the way Shodan works, the numbers gathered from it may sometimes increase or decrease sharply and take a while to stabilize (see the first week of September in any of the charts bellow), which does not necessarily represent the real state of affairs. Short discussion of this issue may be found here. To alleviate this issue to at least some degree, I’ve included relative (i.e. percentage of IPs Shodan sees, which have a specific port open) as well as absolute values in all the charts.

Given the limitations of Shodan and the fact that (except for ICS data) the values in the charts are gathered using only port queries (i.e. “port:80”) and are not limited by any service specification, they may be slightly imprecise. Still, the results are certainly interesting and provide at least somewhat accurate look at how the internet changes over time.

Bellow, you may find charts for the following protocols and ports:

Web

E-mail

Industrial Control Systems (ICS)

SSH (port 22)

Telnet (port 23)

DNS (port 53)

NTP (port 123)

SNMP (port 161)

SMB (port 445)

RDP (port 3389)

HTTP (port 80)

HTTPS (port 443)

SMTP (port 25)

SMTPS (port 465)

IMAP (port 143)

IMAPS (port 993)

POP3 (port 110)

POP3S (port 995)

Modbus (port 502)

EIBnet/IP (port 3671)

BACnet/IP (port 47808)

Open ports in the Time of Corona

Jan Kopriva — Thu, 02 Apr 2020 08:59:20 +0200

One of the side effects of social distancing and self-quarantining due to COVID-19 was a large increase in the use of VPNs (and, in some cases, different remote access protocols, such as RDP or SSH) by companies around the world, so that their employees might work from home.
I was wondering how large this increase would be when compared to the usual state of affairs. To determine this, I took a look at data I gathered from Shodan over the course of March and made couple of - hopefully interesting - charts.

Before we get to them, however, I should mention that simply looking at absolute numbers gathered from Shodan wouldn’t give us much due to the way Shodan operates (for more details, take a look at my diary about patching BlueKeep). Therefore, while Shodan saw a significant absolute increase in open ports/detected IPs in March (almost 12% rise in detected IP addresses globally), we will take a look at both absolute and the relative values - counts as well as percentages of all IPs globally/in a specific country, which have a certain port open.

If you’re interested in how the situation looked before, I’ll add that Shodan itself recently released an article with analysis of some of the trends they saw from the start of July 2019 to the end of January 2020. You may find it here.

One last thing I will mention before we get to “the good stuff” is that I didn’t include all the countries, for which I have data, in the charts, since that would make the post too large. If data for your country isn’t included in the charts and you would like to see how the situation changed where you live, get in touch with me and if I have the data, I’ll try to add a chart for your country as well.

Now, let’s take a look at the charts themselves. I picked the ports which have seen a high significant absolute increase globally - namely ports 22 (SSH), 80 (HTTP), 443 (HTTPS and many TLS-based services and VPN solutions) and 3389 (RDP). Unfortunatelly, I don’t have data for the usual VPN ports and related services (IKE, PPTP, etc.), but I assume that the jump in those was similarly significant as the one in TLS.

Here is the list of countries for which charts are available:

Global situation

In addition to the ports mentioned above, on a global level we will take a look at SMB as well. There has been a signifficant increase in SMB open to the internet and, unfortunatelly, that was true even for SMBv1 on Windows.

As we may see, although there was a significant absolute increase in IPs which offer the protocols and services we were interested in, the percentage of IPs offering these protocols actually went down in cases of SSH and RDP. As the following charts demonstrate, this trend held for some countries as well, but not all of them.

Australia

Canada

Czech Republic

Great Britain

Germany

China

Italy

Netherlands

Romania

Russia

Slovakia

Spain

USA

Most visited adult sites actually beat some e-banking portals when it comes to encryption

Jan Kopriva — Wed, 01 Jan 2020 12:09:20 +0100

After I finished the analysis of SSL/TLS configuration of almost 1400 internet banking portals (see the relevant ISC Diary, a question came to me. Internet banking portals should be among the best secured systems put online, yet not all of them made the mark when it came to encryption used to secure HTTP traffic. Would the situation be even worse for sites which are commonly assumed to lack proper security measures?

Websites with adult content seemed to be the ideal starting place to determine this, so I tried to look for a list of the most popular ones. Contrary to my expectations, I wasn’t able to find any current list with more than “Top 10” or “Top 25” sites, so I turned to Alexa. Among other information, Alexa offers “Top 500 sites” lists for the following categories:

Adult
Arts
Business
Computers
Games
Health
Home
Kids and Teens
News
Recreation
Reference
Regional
Science
Shopping
Society
Sports

Unfortunately, without a paid account, one may only access first 50 sites of the Top 500 list for each category. Although I originally wanted our sample to be much larger, it was not to be… But the limitation gave me an idea. Since one may access list of the top 50 sites in each category, why not scan all the 50 sites for each of the 16 categories? Of course, with such a small sample size, the results could not be considered anywhere near representative, but they might be interesting nonetheless.

With the plan set, I put it into action on 25 December 2019. I used the same methodology as in the case of the banking portals - I conducted an Nmap scan using the “ssl-enum-ciphers” and “sslv2” scripts which enabled me to determine which SSL/TLS protocols were supported by the servers (except for TLSv1.3) as well as the weakest supported ciphersuite (once again, see the Diary for more details). In the end, the scans managed to gather information about 790 of the 800 domains (the 10 errors were mostly due to second level domains not having an A record set).

In contrast to the case of internet banking portals, none of the servers in the “Top 50” lists supported SSLv2 (which 0.8% of tested internet banking servers did) or supported a ciphersuite marked with an F (as was the case with 0.29% of e-banking servers). So in this regard (and actually several others), even the 50 most visited adult sites were actually better configured than some of the internet banking portals.

Apart from that, the results were a bit of a mixed bag, as you may see from the following table of results. I added the numbers for the internet banking sites as well, so you may judge the resulting grades for yourselves.

Category	A	C	D	F
Business	78.72	17.02	4.26	0.00
Health	75.00	25.00	0.00	0.00
Reference	75.00	22.92	2.08	0.00
Science	74.42	23.26	2.33	0.00
Kids and Teens	73.91	21.74	4.35	0.00
Regional	72.34	23.40	4.26	0.00
Shopping	72.34	25.53	2.13	0.00
Society	71.74	28.26	0.00	0.00
Internet Banking	70.47	24.29	4.95	0.29
Home	67.35	32.65	0.00	0.00
News	67.35	32.65	0.00	0.00
Recreation	66.67	31.11	2.22	0.00
Adult	63.27	34.69	2.04	0.00
Games	63.04	32.61	4.35	0.00
Arts	61.70	34.04	4.26	0.00
Sports	61.70	31.91	6.38	0.00
Computers	52.00	46.00	2.00	0.00

Besides the marks for different categories, protocol support was interesting as well. As was already mentioned, none of the tested sites supported SSLv2, however one further point that should be mentioned is that on average, more internet banking sites still supported SSLv3 than servers in any of the Alexa categories and less of banking sites supported TLSv1.2 than even the sites in the Adult category. Since the sample sizes varied widely between the analyses, this should be considered more of an interesting observation than anything else, but I think it does merit at least this small remark.

Category	SSLv3	TLSv1.0	TLSv1.1	TLSv1.2
Computers	0.00	74.00	82.00	100.00
Adult	2.00	68.00	80.00	98.00
News	2.00	68.00	76.00	98.00
Home	0.00	52.00	64.00	98.00
Sports	0.00	68.75	85.42	97.92
Internet Banking	3.49	47.64	57.75	96.65
Reference	0.00	52.00	70.00	96.00
Arts	2.04	63.27	71.43	95.92
Society	2.08	47.92	58.33	95.83
Health	0.00	46.94	67.35	93.88
Shopping	0.00	36.73	63.27	93.88
Business	2.04	36.73	53.06	93.88
Kids and Teens	0.00	56.00	78.00	92.00
Regional	0.00	56.00	78.00	92.00
Recreation	2.04	42.86	63.27	91.84
Games	2.00	66.00	82.00	90.00
Science	0.00	44.90	67.35	87.76

When it came to vulnerabilities, several servers in Society and Adult categories were found to be vulnerable to POODLE, couple in the Science category still supported the use of RC4 and quite a large number of sites in all categories supported ciphersuites vulnerable to SWEET32.

Category	SWEET32	RC4	POODLE
Society	27.08	0.00	2.08
Adult	36.00	0.00	2.00
Internet Banking	30.55	0.51	0.07
Science	20.41	2.04	0.00
Computers	48.00	0.00	0.00
Sports	37.50	0.00	0.00
Arts	36.73	0.00	0.00
Games	34.00	0.00	0.00
News	34.00	0.00	0.00
Home	32.00	0.00	0.00
Recreation	30.61	0.00	0.00
Shopping	26.53	0.00	0.00
Regional	26.00	0.00	0.00
Health	24.49	0.00	0.00
Kids and Teens	24.00	0.00	0.00
Reference	24.00	0.00	0.00
Business	20.41	0.00	0.00

The last thing, which should be mentioned is that on average only 23.54% of the sites from the Alexa’s categories were configured in accordance with the current security best practices (i.e. they only supported TLSv1.2 and possibly TLSv1.3). Percentages for all of the categories tested may be found in the following chart.

SANS ISC Diary - Internet banking sites and their use of TLS... and SSLv3... and SSLv2?!

Jan Kopriva — Fri, 13 Dec 2019 08:22:37 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one we take a look at the use of TLS (and SSL) on banking sites all over the world.