Full Findings Report

Swiss .ch Domain Security Landscape

Key Findings · March 2026

2,549,281 domains scanned
49 key findings
8 sectors classified
74 CVEs cataloged

Dataset Overview

Full scan of the .ch TLD registry — DNS resolution, HTTP headers, TLS certificates, email authentication (SPF/DMARC/DKIM), TCP port survey, and CVE fingerprinting.

2,549,281 total .ch domains in scope
1,947,451 live domains (76.4%)
49 key findings reported
8 industry sectors classified
74 CVEs in catalog
130,937 distinct hosting IPs
394,928 subdomains discovered
38.4% match CISA KEV entries

Domain Availability & Failure Modes

Dataset: 2,549,281 domains — complete coverage. Status 'ok' = any HTTP response received.

76.4% of .ch domains serve a live HTTP response
74.9% of all errors are DNS failures (no A record)
5.1%: TLS failures (reachable but broken certificate)

| Status | Count | Share |
| --- | --- | --- |
| Live (ok) | 1,947,451 | 76.4% |
| Error | 601,830 | 23.6% |

| Error kind | Count | Share of errors |
| --- | --- | --- |
| DNS (no A record) | 450,916 | 74.9% |
| Timeout | 93,913 | 15.6% |
| TLS failed | 30,925 | 5.1% |
| Connection refused | 14,482 | 2.4% |
| Other | 11,594 | 1.9% |

Web Server & HTTP Landscape

Web server market share (1,779,967 domains with Server: header). 91.4% of live domains expose a Server: header. Median response time: 1.1 s. p99: 10.8 s.

38.3%: Apache, largest single server family
10.2%: Cloudflare proxies (US infrastructure)
550K+ domains serve content over plain HTTP

| Server family | Count | Share of live |
| --- | --- | --- |
| Apache | 682,437 | 38.3% |
| nginx / OpenResty | 605,026 | 34.0% |
| Cloudflare | 181,451 | 10.2% |
| Other | 126,980 | 7.1% |
| Pepyaka (Wix) | 102,701 | 5.8% |
| LiteSpeed | 35,038 | 2.0% |
| Squarespace | 19,853 | 1.1% |
| Microsoft IIS | 16,525 | 0.9% |
| Vercel | 9,956 | 0.6% |

CMS Landscape & End-of-Life PHP

CMS: 526,328 installs detected. PHP: 174,706 domains expose X-Powered-By header (9% of live).

71.5%: WordPress, dominant CMS (~19% of all live .ch)
43,473 live .ch sites advertise end-of-life PHP
PHP 7.4: most common EOL version, EOL since Nov 2022

| CMS | Count | Share of installs |
| --- | --- | --- |
| WordPress | 376,098 | 71.5% |
| Wix | 83,246 | 15.8% |
| TYPO3 | 26,372 | 5.0% |
| Joomla | 23,202 | 4.4% |
| Drupal | 10,028 | 1.9% |
| Other | 7,382 | 1.4% |

| PHP branch | Count | EOL date |
| --- | --- | --- |
| PHP 5.x | 16,839 | Dec 2018 |
| PHP 7.0–7.3 | 6,190 | Dec 2019–2022 |
| PHP 7.4 | 20,444 | Nov 2022 |
| PHP 8.x (supported) | 61,961 | |

Hosting Geography

Based on 1,739,441 live domains with GeoLite2 IP geolocation (89.3% of live). Germany driven largely by Wix DE infrastructure.

40.6% of .ch domains hosted outside Switzerland
13.0%: hosted in North America (US cloud & Wix)
207,977 domains fully offshored (foreign DNS + hosting)

| Country | Count | Share |
| --- | --- | --- |
| Switzerland (CH) | 1,033,304 | 59.4% |
| Germany (DE) | 300,707 | 17.3% |
| United States (US) | 202,562 | 11.6% |
| France (FR) | 52,720 | 3.0% |
| Italy (IT) | 41,992 | 2.4% |
| Canada (CA) | 22,713 | 1.3% |
| Netherlands (NL) | 22,181 | 1.3% |
| Denmark (DK) | 9,788 | 0.6% |
| United Kingdom (GB) | 9,247 | 0.5% |
| Other | 44,227 | 2.5% |

Hosting Concentration Risk

130,937 distinct IPs host 1,816,085 live domains — average 13.9 per IP, but heavily skewed to shared-hosting stacks.

133,425 domains on a single IP (Hostpoint 217.26.48.101)
21% of all live .ch domains on the top 10 IPs

| IP Address | Domains | Provider |
| --- | --- | --- |
| 217.26.48.101 | 133,425 | Hostpoint AG (CH) |
| 217.26.63.20 | 43,708 | Hostpoint AG (CH) |
| 81.88.58.216 | 35,747 | Register S.p.A (IT) |
| 185.230.63.107 | 35,031 | Wix Ltd (US) |
| 128.65.195.180 | 32,764 | Swisscom AG (CH) |
| 84.16.66.164 | 29,854 | Infomaniak (CH) |
| 185.101.158.113 | 28,322 | Hosttech GmbH (CH) |
| 162.159.128.70 | 28,171 | Cloudflare (US) |
| 185.230.63.171 | 21,538 | Wix Ltd (US) |
| 185.230.63.186 | 21,107 | Wix Ltd (US) |

Hosting Sovereignty by Sector

207,977 domains are fully offshored: both foreign DNS operator AND foreign hosting (~8.2% of all live .ch).

49.9%: Pharma CH-hosting rate, lowest of all sectors
75.1%: Government CH-hosting rate, highest sector
13.5%: Pharma US exposure, highest sector

| Sector | Domains | CH-hosted | US-hosted |
| --- | --- | --- | --- |
| Government | 6,887 | 75.1% | 6.7% |
| Education | 13,392 | 69.8% | 8.9% |
| Legal | 6,721 | 68.0% | 9.4% |
| Healthcare | 8,257 | 60.9% | 9.3% |
| Finance | 10,451 | 60.0% | 11.3% |
| Media | 4,696 | 59.1% | 7.7% |
| Retail | 30,563 | 51.0% | 7.0% |
| Pharma | 2,526 | 49.9% | 13.5% |

77,676 Wix domains concentrated across three US IPs: 185.230.63.107 (35,031) · 185.230.63.171 (21,538) · 185.230.63.186 (21,107)

US Cloud Infrastructure Exposure

These figures are a lower bound — domains behind Cloudflare often suppress or rewrite the Server: header. The actual count is higher.

10.1% of live .ch domains route through US cloud
197,587 domains behind Cloudflare, Vercel, or AWS

| US Provider | Domains | Share of live |
| --- | --- | --- |
| Cloudflare | 181,451 | 9.3% |
| Vercel | 9,956 | 0.5% |
| AWS (ELB/S3) | 6,180 | 0.3% |

| Sector | Cloudflare | Vercel | AWS |
| --- | --- | --- | --- |
| Finance | 944 | 121 | 39 |
| Healthcare | 601 | 71 | 14 |
| Government | 273 | 26 | 14 |

944 Swiss finance domains and 601 healthcare domains route through Cloudflare — a US-incorporated entity subject to US legal process (CLOUD Act, FISA §702).

HTTPS & TLS Certificate Landscape

Swiss national CA SwissSign covers only 1,270 domains (0.1%). TLS 1.0/1.1 appear extinct in the dataset.

71.7% of live domains end on HTTPS
28.3% still deliver content over plain HTTP (~550K)
71,767 certs expiring within 30 days

| TLS Version | Count | Share |
| --- | --- | --- |
| TLS 1.3 | 1,076,502 | 92.9% |
| TLS 1.2 | 81,980 | 7.1% |

| Algorithm | Key size | Domains |
| --- | --- | --- |
| RSA | 2048 | 844,699 |
| RSA | 4096 | 129,671 |
| ECDSA P-256 | 256 | 164,373 |
| ECDSA P-384 | 384 | 13,907 |

| Certificate Authority | Count | Share |
| --- | --- | --- |
| Let's Encrypt | 962,746 | 83.1% |
| Other | 145,398 | 12.5% |
| DigiCert | 25,477 | 2.2% |
| Sectigo/Comodo | 19,465 | 1.7% |
| SwissSign | 1,270 | 0.1% |

HTTP Security Header Adoption

Legal is worst: 61.6% of legal domains send zero HTTP security headers. Government best at 47.8% with no headers.

49.1% of live .ch domains send ZERO security headers
7.7%: CSP adoption, the weakest header by far
30.2%: HSTS, despite 71.7% serving HTTPS

| Header | Count | Share of live |
| --- | --- | --- |
| HSTS | 588,872 | 30.2% |
| X-Content-Type-Options | 470,434 | 24.2% |
| X-Frame-Options | 460,142 | 23.6% |
| Content-Security-Policy | 149,180 | 7.7% |
| None of the above | 955,764 | 49.1% |

| Sector | No headers | HSTS |
| --- | --- | --- |
| Legal | 61.6% | 23.6% |
| Media | 58.3% | 27.5% |
| Pharma | 58.0% | 30.6% |
| Finance | 57.7% | 29.0% |
| Healthcare | 55.9% | 31.2% |
| Education | 54.5% | 29.9% |
| Retail | 48.2% | 27.7% |
| Government | 47.8% | 38.0% |

Email Security & Spoofing Exposure

1,146,818 domains fully spoofable: no SPF, OR permissive SPF + no/p=none DMARC. Finance/pharma worst at 48.5%.

45.0% of .ch domains can have email impersonated
46.4% have no SPF record at all
25.5% of DMARC-enabled are p=none (no enforcement)

| Signal | Count | Share |
| --- | --- | --- |
| SPF present | 1,365,991 | 53.6% |
| DMARC present | 714,725 | 28.0% |
| DKIM found | 174,388 | 6.8% |
| SPF too permissive | 74,477 | 2.9% |
| Fully spoofable | 1,146,818 | 45.0% |

| Sector | Spoofable % | DMARC enforcement |
| --- | --- | --- |
| Pharma | 48.5% | 19.8% |
| Finance | 48.5% | 18.5% |
| Media | 48.1% | 18.9% |
| Retail | 47.7% | 17.4% |
| Healthcare | 44.3% | 15.1% |
| Legal | 43.0% | 17.8% |
| Education | 40.0% | 17.7% |
| Government | 37.0% | 21.0% |
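
A way to check a single domain against the "fully spoofable" rule above, as an added example (not the scanner's own code). It reads the rule as weak SPF (absent or permissive) combined with DMARC that is absent or p=none; the 45.0% spoofable share is below the 46.4% no-SPF share, so missing SPF alone cannot be sufficient. Treating "permissive" as an `all` mechanism qualified `+` or `?` (or no `all` and no redirect) is an assumption, and the `.example` domains and records are constructed samples.

```python
def parse_spf(txt_records):
    """Return the terms of the v=spf1 record, or None if the domain has none."""
    for rec in txt_records:
        terms = rec.strip().split()
        if terms and terms[0].lower() == "v=spf1":
            return [t.lower() for t in terms[1:]]
    return None

def spf_is_permissive(terms):
    """Assumed definition: the catch-all passes or is neutral for any sender."""
    for t in terms:
        if t in ("all", "+all", "?all"):
            return True
        if t in ("-all", "~all"):
            return False
    # No "all": the default result is neutral, unless a redirect moves the
    # policy to another record, which this sketch does not follow.
    return not any(t.startswith("redirect=") for t in terms)

def dmarc_policy(txt_records):
    """Return the p= value of the _dmarc record, or None if there is none."""
    for rec in txt_records:
        tags = [t.strip() for t in rec.split(";") if t.strip()]
        if not tags or tags[0].replace(" ", "") != "v=DMARC1":
            continue
        for tag in tags[1:]:
            key, _, value = tag.partition("=")
            if key.strip().lower() == "p":
                return value.strip().lower()
        return "none"  # record without p=: treated as no enforcement
    return None

def fully_spoofable(apex_txt, dmarc_txt):
    spf = parse_spf(apex_txt)
    weak_spf = spf is None or spf_is_permissive(spf)
    weak_dmarc = dmarc_policy(dmarc_txt) in (None, "none")
    return weak_spf and weak_dmarc

# Constructed samples: domain -> (TXT at the apex, TXT at _dmarc.<domain>)
SAMPLES = {
    "nospf.example": ([], []),
    "plusall.example": (["v=spf1 +all"], ["v=DMARC1; p=none; rua=mailto:d@plusall.example"]),
    "softfail.example": (["v=spf1 include:_spf.mail.example ~all"], ["v=DMARC1; p=none"]),
    "nospf-enforced.example": (["site-verification=constructed"], ["v=DMARC1; p=quarantine"]),
    "strict.example": (["v=spf1 mx -all"], ["v=DMARC1; p=reject"]),
}

def survey(samples):
    return {domain: fully_spoofable(*records) for domain, records in samples.items()}

if __name__ == "__main__":
    for domain, result in survey(SAMPLES).items():
        print(f"{domain:26} fully spoofable: {result}")
```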

Dangerous Exposed Services

Port survey across 1,633,972 domains.

313,472: MySQL (3306), 16% of all live .ch domains
87,292: SMB (445), ransomware entry vector
1,742: Docker API (2375), often unauthenticated

| Port | Service | Domains exposed | Risk |
| --- | --- | --- | --- |
| 3306 | MySQL | 313,472 | CRITICAL |
| 21 | FTP (cleartext) | 688,489 | HIGH |
| 445 | SMB/CIFS | 87,292 | CRITICAL |
| 22 | SSH | 430,272 | HIGH |
| 5432 | PostgreSQL | 17,976 | HIGH |
| 3389 | RDP | 3,718 | CRITICAL |
| 9200 | Elasticsearch | 2,378 | CRITICAL |
| 2375 | Docker API | 1,742 | CRITICAL |
| 6379 | Redis | 2,045 | HIGH |
| 5900 | VNC | 1,910 | HIGH |
| 6443 | Kubernetes API | 2,057 | HIGH |
| 23 | Telnet | 1,440 | HIGH |

DNS Hygiene & Infrastructure

If Hostpoint's nameservers failed, 14.6% of .ch domains would stop resolving. Top 3 providers control 29.3% of all .ch DNS — a single incident = national-scale outage.

42.2%: DNSSEC signing, above global average
98.5%: no CAA record, any CA can issue freely
14,316 domains leak full DNS zone via AXFR

| DNS Signal | Count | Share of total |
| --- | --- | --- |
| DNSSEC signed | 1,075,048 | 42.2% |
| No CAA record | 2,511,838 | 98.5% |
| Wildcard DNS enabled | 771,104 | 30.2% |
| SPF with no MX record | 350,229 | 13.7% |
| AXFR zone transfer leaking | 14,316 domains | |
| Subdomains via AXFR | 164,117 | |

| DNS Operator | Domains | Share |
| --- | --- | --- |
| Hostpoint | 314,457 | 14.6% |
| Infomaniak | 242,089 | 11.2% |
| cyon.ch | 72,060 | 3.4% |
| wixdns.net | 61,715 | 2.9% |
| GoDaddy | 54,348 | 2.5% |

CVE & CISA Known Exploited Vulnerabilities

Version-unaware matching: any domain running a covered technology is flagged regardless of installed version. Verification required to confirm actual vulnerability.

38.4% of all .ch domains match a CISA KEV entry
977,666 unique domains with at least one KEV match
61: max distinct CVEs on a single domain

| Technology | Domains | CRITICAL CVEs | HIGH CVEs |
| --- | --- | --- | --- |
| Apache | 682,438 | 39 | 1 |
| nginx | 516,211 | 0 | 3 |
| WordPress | 376,098 | 4 | 3 |
| PHP | 108,926 | 9 | 1 |
| PHP (EOL) | 43,473 | 9 | 1 |
| TYPO3 | 26,372 | 2 | 1 |
| Joomla | 23,202 | 3 | 0 |
| Drupal | 10,028 | 4 | 0 |
| OpenSSL | 7,805 | 1 | 2 |

Sector Risk Benchmarks

Risk score 0–100, higher = better security. Government scores lowest mean despite leading on HSTS — dragged down by weak DMARC enforcement (79% weak/absent).

66.6: Finance, highest mean risk score (0–100)
26.9%: Healthcare below 50/100, worst tail risk
25.6%: Government below 50/100, second worst tail

| Sector | Domains | Risk score (mean) | HSTS | DMARC | DNSSEC |
| --- | --- | --- | --- | --- | --- |
| Finance | 13,761 | 66.6 | 55.4% | 18.5% | 36.8% |
| Retail | 38,230 | 66.2 | 58.8% | 17.5% | 37.8% |
| Legal | 8,539 | 65.2 | 53.5% | 17.9% | 42.4% |
| Pharma | 3,296 | 64.9 | 52.4% | 19.8% | 34.0% |
| Media | 6,060 | 64.5 | 52.2% | 18.9% | 39.6% |
| Education | 16,110 | 63.6 | 56.7% | 17.8% | 42.8% |
| Healthcare | 9,925 | 62.1 | 54.2% | 15.1% | 39.6% |
| Government | 7,893 | 61.9 | 60.5% | 21.0% | 40.7% |

Critical Findings: Finance & Healthcare

Maximum-exposed population — version-unaware CVE matching. Healthcare has proportionally more TYPO3 exposure (7.3%) than finance (1.7%).

3,945 Finance domains running Apache with CRITICAL CVE
2,954 Healthcare domains running Apache with CRITICAL CVE
15.1%: Healthcare DMARC coverage, lowest of any sector

| Sector | Technology | CRITICAL CVE domains |
| --- | --- | --- |
| Finance | Apache | 3,945 |
| Finance | WordPress | 2,017 |
| Finance | PHP | 698 |
| Finance | Drupal | 258 |
| Healthcare | Apache | 2,954 |
| Healthcare | WordPress | 2,575 |
| Healthcare | TYPO3 | 493 |
| Healthcare | PHP | 631 |

| Sector | Below 50 (risk score) | % below |
| --- | --- | --- |
| Healthcare | 2,672 | 26.9% |
| Government | 2,022 | 25.6% |
| Education | 3,853 | 23.9% |
| Legal | 1,789 | 21.0% |
| Finance | 2,177 | 15.8% |

DNS Concentration & National Infrastructure Risk

Infomaniak appears under two operator names; combined it controls ~11.2% (242,089 domains). The top 3 distinct providers (Hostpoint + Infomaniak + cyon.ch) collectively serve 29.3% of .ch — a single incident at any one = national-scale DNS outage.

14.6% of .ch domains depend on Hostpoint nameservers
29.3% controlled by top 3 providers combined
18,985 distinct NS operators across the TLD

| NS Operator | Domains | Share | Cumulative |
| --- | --- | --- | --- |
| Hostpoint | 314,457 | 14.6% | 14.6% |
| Infomaniak (current) | 136,225 | 6.3% | 21.0% |
| Infomaniak (legacy) | 105,864 | 4.9% | 25.9% |
| cyon.ch | 72,060 | 3.4% | 29.3% |
| wixdns.net | 61,715 | 2.9% | 32.2% |
| GoDaddy | 54,348 | 2.5% | |

Key Takeaways

01. Email impersonation is trivially easy. 45% of .ch domains are fully spoofable — any sender can forge email from nearly half of all Swiss .ch addresses with no technical barrier.
02. Apache is the dominant attack surface. 682K domains match Apache; 39 CRITICAL CVEs in catalog + CISA KEV confirmation. A single Apache vulnerability affects 38% of live .ch.
03. Half of all sites have zero HTTP security headers. 49% send nothing. Legal (61.6%) and pharma (58%) sectors are worst. CSP adoption at 7.7% leaves most sites open to XSS.
04. DNS concentration creates systemic fragility. A Hostpoint outage alone takes 14.6% offline. The top 3 NS providers control 29.3% — well beyond acceptable single-point-of-failure tolerance.
05. Hosting sovereignty is eroding — especially in sensitive sectors. 40.6% abroad; pharma at 49.9% domestic. 944 finance and 601 healthcare domains route through a US-controlled CDN (CLOUD Act / FISA §702 exposure).

Methodology & Data Quality Notes

Scope

Full .ch TLD registry — 2,549,281 domains attempted. No pending entries; scan is complete.

Email Auth

DNS-level checks for SPF, DMARC, DKIM across all 2.5M domains.

HTTP Scanning

Custom HTTP client with Range header (explains 40% 206 Partial Content responses — scanner artifact).

CVE Matching

Version-unaware: any domain running a covered technology is flagged regardless of installed version. Treat as 'possibly vulnerable — requires verification.' 74 CVEs seeded; CISA KEV entries imported.

Port Scanning

1,633,972 domains scanned. Covers ports: 21, 22, 23, 25, 80, 443, 445, 587, 3306, 3389, 5432, 5900, 6379, 6443, 8080, 8443, 9200, 11211, 27017.

Geolocation

MaxMind GeoLite2 database. 89.3% of live domains resolved to a country. Foreign IPs counted against Swiss sovereignty.

TLS

1,158,482 domains with successful TLS handshake. Certificate key inventory: no RSA < 2048 found.

Sector Classification

103,814 domains classified across 8 sectors via keyword and DNS pattern matching. Cloudflare (181K), Wix (103K), Squarespace (20K), Vercel (10K) excluded from CVE exposure — operators cannot patch underlying infrastructure.