Defaults.Exposed › Reports
The Misconfiguration Hall of Fame: The Web's Weirdest Security Records (2026)
Published 2026-06-29
Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. Every figure below is a real, recurring pattern — not a one-off. See how we grade.
Most security failures are boring: a setting left off. A few are genuinely funny — the digital equivalent of shipping the building with the “INSERT TENANT NAME” sign still in the window. We graded 261 million domains; here are the records that made us look twice.
1. The certificate nobody renamed
When you generate a TLS certificate with the default OpenSSL prompts and just hit enter, the organisation name becomes a placeholder. Those placeholders are supposed to be replaced before going live. They weren’t:
| “Issued by” name on the live certificate | Sites |
|---|---|
| Internet Widgits Pty Ltd | 244,468 |
| MyCompany Inc. | 226,830 |
| TRAEFIK DEFAULT CERT | 108,348 |
| localhost | 106,086 |
“Internet Widgits Pty Ltd” is the literal default in OpenSSL’s example config — and 244,468 public sites are serving a certificate stamped with it. Across all the obvious placeholder and default names, 685,732 sites never changed the sign. Every one of them is also self-signed, so visitors get a browser warning — they’re shipping the placeholder and the error.
2. DMARC, lost in translation
A DMARC policy only works if it reads exactly p=none, p=quarantine, or p=reject. 48,648 domains published something else — the policy word misspelled, or written in another language entirely (the live data includes Spanish, French and Portuguese renderings of “none”). The intent was right; the exact spelling wasn’t — and DMARC accepts only the English keyword, so all of them provide zero protection. (Full, current list with counts: the internet’s most common DMARC typos.)
3. The SPF welcome mat
SPF’s whole job is to say which servers may send mail as you. 36,014 domains end their record in +all — which means the exact opposite: “any server on the internet is authorised to send as me.” It’s the security equivalent of taping your key to the door. Another 7,958 quietly break their SPF by exceeding the 10-DNS-lookup limit, voiding it entirely. (More: the SPF misconfiguration report.)
4. Honourable mention: the self-signed millions
Beyond the funny names, 3,378,080 sites serve a self-signed certificate — one they issued to themselves, which browsers reject. Usually a router, a test box, or an internal tool that accidentally got pointed at the public internet and never got a real certificate.
What the funny ones have in common
Every entry here is the same root cause as the boring failures: a default left untouched, a step skipped, a copy-paste not finished. The web doesn’t fail dramatically — it fails by inertia, one un-renamed placeholder at a time. The upside: every one of these is a five-minute fix.
Frequently asked questions
Why do so many certificates say “Internet Widgits Pty Ltd”? It’s the default organisation name in OpenSSL’s example configuration. When someone generates a certificate and accepts the defaults, that placeholder ends up on the live cert. 244,468 public sites never changed it.
Does a DMARC policy in another language do anything?
No. DMARC only recognises the exact keywords none, quarantine, and reject. A record with the policy word misspelled or written in another language is invalid and ignored — the domain stays spoofable.
What does SPF +all do? It authorises every server on the internet to send email as your domain — worse than having no SPF at all. 36,014 domains have it, almost always by mistake.
Are these rare edge cases? No — each is hundreds of thousands to millions of domains, found consistently across a 261-million-domain census. They’re common defaults, not freak accidents.
Check your domain isn’t in the next edition
Most of these are one-line fixes. Check your domain privately and free — see your certificate, DMARC and SPF exactly as the internet sees them.
Check your domain → · DMARC typos → · SPF misconfiguration report → · The certificate error report → · Aggregate data only. Data stored and processed in the EU.