Due to feedback of our readers, we just published part 0 of our web server security series:


This part covers important considerations before actually setting up your new server.

We also updated some other parts of this series to address the release of Debian 10 and current security recommendations. The series consists of 8 parts at the moment: infosec-handbook.eu/as-wss/


It lists the provider of each IP address. In most cases, you can clearly see whether it's an ISP or a server hosting company. For instance, Altnet s.r.o. provides "pΕ™ipojenΓ­ k internetu" but they don't offer server hosting.

Contrary to this, OVH SAS or Hetzner Online GmbH (companies that are used most often) are well-known server hosting providers.

So, the fact that there are some ISPs on the list doesn't change our findings.

@muppeth @x00

The biggest companies on these lists are well-known server hosting companies. These companies aren't internet service providers.

Mozilla publishes post-mortem analysis after failing to provide a valid certificate for addon signing in May 2019:


– this issue affected Firefox and Firefox-based browsers like Tor Browsers for days
– identified problems: communication/documentation issues, insufficient quality assurance, and no quick updates without Telemetry and Studies

In our article infosec-handbook.eu/blog/onlin, we show pros and cons of online assessment tools for web server security.

As some people don't want to use certain companies, we looked at the hosters. The following tools use such companies:

– Amazon AWS: observatory.mozilla.org
– CloudFlare: www.hardenize.com, securityheaders.com
– Google: csp-evaluator.withgoogle.com, hstspreload.org

@nifker @tobi

We only got a very small sample of Matrix servers and scanned them yesterday: gist.github.com/infosec-handbo

4 out of 14 servers (28%) are hosted by Hetzner. (Hetzner also hosts 17.5% of XMPP servers and 7.66% of Mastodon servers in our tests.)

So, as @Gargron expected, the results are probably similar for most websites.


Actually, is it possible to get city names, however, they are based on IP addresses and this information is mostly not so accurate.

At least, there were 16 servers hosted in Finland in our sample, so they could match your criteria.


Companies that provide virtual/dedicated servers. Most people don't have their physical server at home but somewhere in a data center owned by such companies.


Yes, likely via Amazon AWS, Google Cloud, and Microsoft Azure.

@Gargron @Sp3r4z

Yes, this isn't unique to Mastodon/the Fediverse.

We checked 1000+ XMPP servers several days ago (mastodon.at/@infosechandbook/1) and got nearly the same results.

We also checked Matrix servers (gist.github.com/infosec-handbo), however, we only got 14 domain names, so there are no good statistics here so far.

Cloud oligopoly 


We used a custom Python script to get DNS information for those servers and compiled this list. AFAIK, there are already some websites that offer JSON output, e.g. instances.social/api/doc/


The purpose is to show that logically decentralized networks are actually physically centralized. Your data shows the same as the top 7 providers of your list nearly host 50% of 3,345 servers.


The results are linked in the post. And as mentioned, we took 1000+ RANDOM Mastodon servers.

Physical (de)centralization of Mastodon servers – after our XMPP scan, we took 1000+ random Mastodon servers and looked at their hosters:


– about 50% of these servers are hosted by only 5 companies in 4 countries
– 26% of servers are hosted in Japan, followed by the USA (24%) and France (23%)

GnuPG 2.2.17 ignores all key signatures of key servers by default:


– this could be the end of the the traditional web of trust of GnuPG
– there are additional changes to prefer WKD (tools.ietf.org/html/draft-koch) over key servers


You could also provide WebP images additionally to PNG images, and you could use pngquant for better PNG compression: pngquant --quality=65-80 filename

Compressing Shivering-Isles-Onion-Service-5-hops.png using these parameters resulted in 18 kB instead of 63 kB.


This isn't about the religious war "XMPP vs. Matrix", but about the frequent assumption that such instant messaging systems are mostly decentralized. Obviously this isn't the reality as the majority of servers is hosted by a really small amount of hosters.

As @debacle pointed out, it would be interesting to see the actual number of active users per server. Then, everything could be even more centralized.

(Assumption here: It is the same for Matrix.)

Tor-focussed :tor: operating system Tails 3.15 released:


– updates for Tor Browser (8.5.4), and Thunderbird (60.7.2)
– security updates for several vulnerabilities: tails.boum.org/security/Numero
– bug fixes

Show more

mastodon.at is a microblogging site that federates with most instances on the Fediverse.