Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Passive security measurement of 10,020 .it domains: CSP, cookies, TLS and email authentication

0
Medium
Security-newscybersecurityreddit
Published: 07/12/2026 (07/12/2026, 14:52:36 UTC)
Source: Reddit Cybersecurity

Description

This report summarizes a passive security measurement study of 10,020 .it domains focusing on HTTP security headers, Content Security Policy (CSP), cookies, TLS, and email authentication. The study found low adoption rates of key security headers and cookie attributes, widespread use of unsafe CSP directives, and partial deployment of email authentication standards. No active probing or exploitation was performed. The study highlights security configuration weaknesses but does not identify a specific vulnerability or exploit.

Reddit Discussion

r/cybersecurity·posted by u/Joman1102
00

I recently finished a passive security measurement study of .it domains and wanted to share some of the results here for feedback.

The dataset includes 10,020 successfully scanned .it domains, covering essentially the entire .it slice of the Tranco Top 1M list (snapshot: 2026-07-08).

The study is strictly passive. It only performs standard HTTP requests, TLS handshakes and DNS lookups. No exploitation, brute forcing, vulnerability scanning or any other active probing.

Some headline results:

HTTP security headers

- X-Frame-Options: 41.8%

- HSTS: 32.8%

- CSP: 18.7%

- Permissions-Policy: 11.2%

Content Security Policy

- 1,646 CSPs parsed at directive level

- only 0.7% met a documented restrictiveness criterion

- 45.4% still included unsafe-inline

Cookies (7,240 observed)

- ~52% missing SameSite

- ~52% missing HttpOnly

- ~48% missing Secure

TLS

- No weak cipher suites observed

- 87.3% of domains already support TLS 1.3

Email authentication

- SPF: 55.5%

- DMARC: 43.8%

- DKIM: 36.6%

The DKIM figure should be interpreted as a lower bound because the methodology uses a fixed selector list rather than active selector enumeration.

security.txt

-present on 2.4% of domains

To check for sampling bias, I also ran the same pipeline against a manually selected set of 105 well-known Italian sites. As expected, they showed a noticeably stronger security configuration than the random Tranco sample, which supports using the latter as a representative cross-section of Tranco-indexed .it domains.

The paper reports Wilson 95% confidence intervals throughout, and the analysis pipeline and a pseudonymized dataset are publicly available.

Working paper (not peer reviewed):
https://doi.org/10.5281/zenodo.21322437

Dataset:
https://doi.org/10.5281/zenodo.21323346

I'd appreciate feedback on two points in particular:

- is there a better passive approach for estimating DKIM deployment without active selector enumeration?

- for people who have released large-scale measurement datasets, how do you balance reproducibility with limiting the disclosure of contextual metadata (for example, sector classifications)?

If anyone knows of comparable passive measurement studies for other ccTLDs, I'd also be interested in reading them.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/12/2026, 15:02:36 UTC

Technical Analysis

A passive security measurement was conducted on 10,020 .it domains using standard HTTP requests, TLS handshakes, and DNS lookups without active scanning or exploitation. Key findings include that only 41.8% of domains use X-Frame-Options, 32.8% use HSTS, 18.7% implement CSP with only 0.7% meeting restrictiveness criteria, and 45.4% include unsafe-inline in CSP. Cookie security attributes SameSite and HttpOnly are missing in approximately 52% of cookies, and Secure is missing in about 48%. TLS configurations are strong with no weak cipher suites and 87.3% supporting TLS 1.3. Email authentication adoption is moderate with SPF at 55.5%, DMARC at 43.8%, and DKIM at 36.6%. The study also notes that only 2.4% of domains publish a security.txt file. The data is representative of the .it ccTLD and is publicly available for further analysis.

Potential Impact

The study reveals that many .it domains have suboptimal security configurations, such as missing or weak HTTP security headers, insecure cookie attributes, and incomplete email authentication deployment. These weaknesses can increase the risk of web-based attacks like clickjacking, cross-site scripting, session hijacking, and email spoofing. However, the study itself does not report any active exploitation or vulnerabilities, only the presence or absence of security controls.

Mitigation Recommendations

This is a passive measurement study and not a vulnerability report; no direct patch or fix is applicable. Organizations managing .it domains should consider improving their security posture by adopting recommended HTTP security headers (e.g., X-Frame-Options, HSTS, CSP with restrictive policies), setting secure cookie attributes (SameSite, HttpOnly, Secure), upgrading to TLS 1.3, and fully implementing email authentication standards (SPF, DMARC, DKIM). The study's dataset and methodology are publicly available for reference. No immediate action is required based on this report alone.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Source Type
reddit
Subreddit
cybersecurity
Reddit Score
0
Discussion Level
minimal
Content Source
reddit_link_post
Post Type
link
Domain
null
Newsworthiness Assessment
{"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
Has External Source
true
Trusted Domain
false

Threat ID: 6a53ac8168715ace436b4d0f

Added to database: 07/12/2026, 15:02:25 UTC

Last enriched: 07/12/2026, 15:02:36 UTC

Last updated: 07/12/2026, 17:17:19 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses