Quaintous
Is really only <5% of the Internet secure?

tl;dr A marketing report makes incorrect claims about what the Internet is and how it is secured. I take a look at the fundamental concepts of the Internet, cryptography, and security, and discuss why the measurement methodology proposed in the report cannot substantiate its results.

Introduction

In December 2025, Whisper Security published a report with a provocative title: “Only 4.7% of the internet is cryptographically secured”. The implication is that 95% of the services we use every day, such as online banking, are insecure. You might think “that can’t be right!”, and you would be right.

Despite boasting about internet security and the “entire commercial internet”, the report is actually only about the DNSSEC penetration rate. Here, I aim to clarify some inaccurate concepts used throughout the report, before moving on to discuss the methodological shortcomings that weaken the reported findings.

If you are familiar with the core concepts of cryptography and information security, you can skip the next section and jump to the section on methodological deficiencies. If you feel lost at any point, or want to know more about DNS security, the actual subject of the Whisper Security report, take a look at the appendix.

Conceptual Inaccuracies

To understand why the main claim made in the report is misleading, we should first address three questions:

  1. What is the Internet?
  2. What is cryptography?
  3. What is security?

Defining what the Internet actually is helps us understand why “4.7% of the Internet” does not make much sense. Debunking the rest of the claim, i.e., “is cryptographically secured”, then requires an elaboration of cryptography and how it is utilized to secure Internet services.

What is the Internet?

The Internet is the network of networks that communicate with each other using common protocols. An example of such a network is your home network where different devices are all connected within a local network through the home router. This private network is then part of the larger network of the Internet Service Provider (ISP), which in turn is connected with other networks and so on.

The common language on the Internet is the “Internet Protocol”, which defines the IP addressing scheme for Internet nodes (hosts) as well as packet routing mechanisms. IP addresses, e.g., 104.18.26.120, are hard to remember, so we use domain or host names, e.g. example.com, as pointers to IP addresses. Besides IP addresses, domain names can be resolved to various other resource records.

Let’s say that we quantify the Internet based on the count of hosts with a unique IP address. Given that the IPv4 address space is exhausted by now, 100% of the Internet would be at least 2^32 addresses, which equals ~3.7G after subtracting the reserved addresses. This number grows exponentially if IPv6 is also included. In this sense, we could theoretically determine the number of hosts comprising 4.7% of the Internet. However, the report actually refers to DNS security, which is measured on a DNS zone basis. The point is that there is no way to know how many DNS zones exist. There are over 1,500 top-level domain names, but not all of them publish information about the domain names they have delegated under their respective namespaces. Without knowing how many DNS zones exist, we cannot say what percentage of them are secure. But can’t we use inferential statistics to make a generalization from a sample set? We’ll get to that in the next section.

What is Cryptography?

If you search for the definition of cryptography online, you will not find a uniform definition. Not even “The Encyclopedia of Cryptography, Security and Privacy” has a definition for it.

Sometimes when people talk about cryptography, they actually mean encryption and decryption. Yet cryptography also encompasses digital signatures, data digests, etc. You could say that the common denominator of cryptographic algorithms is information security. So we can understand cryptography as a toolbox that serves the security of data.

In the context of DNS, digital signatures are used to provide data-origin authenticity. For DNS over TLS or HTTPS, encryption is used to bring confidentiality to DNS queries and responses between clients and recursive resolvers.

What is Security?

The Internet is a communication network. Security in this context refers to measures put in place to protect the communication, including the exchanged data, from adversaries. Common threats to Internet communication are spoofing, information disclosure, data tampering, and denial of service (see the CIA Triad and the STRIDE Threat Model).

Cryptography plays an integral role in Internet security: encryption brings confidentiality, digital signatures cater for authentication, and data digests are the basis for data integrity.

I should also mention that cryptography does not necessarily equate to security. Security is measured against a threat analysis which describes adversaries, potential threats, attack surfaces, and possible attack vectors. RFC 3833 defines such a threat analysis for DNS. Respective remedies are then proposed in DNS Security Extensions (DNSSEC; see RFC 4033).

Although the report talks about “internet security”, it actually means DNS security through DNSSEC. Security on the Internet involves many moving parts: the Web relies on TLS and the Web PKI, e-mail relies on DANE and MTA-STS, and so on. DNSSEC is only one security measure relevant for Internet communication. This reduces the scope of the study from the security of the Internet to the security of DNS.

Methodological Deficiencies

The report quantifies security and provides a concrete figure: only 4.7% of the Internet is secure. This figure is based on a measurement that I analyse below, discussing why the study method fails to substantiate the aforementioned finding.

Sample ≠ Population

The report proudly highlights a sample size of 209M domain names as “a snapshot of the cryptographic health of the entire commercial internet”. This might sound impressive until you realize that the .com[1] namespace alone comprises over 160M domain names. It is simply impossible to enumerate all DNS zones and in turn make a statement about the “entire commercial internet”.

Even more comprehensive measurement studies refrain from making such a bold statement. For example, Eric Osterweil, a pioneer in DNSSEC measurement, has been running a longitudinal measurement of DNSSEC since 2009 with a sample set comprising over 14M DNSSEC-enabled zones. And still it is not possible to make a sensible claim about DNS security on the Internet scale, i.e. the actual population.

Delegation ≠ Deployment

If a domain name is delegated in the wild without being deployed, does its existence impact anyone’s security?[2] I would argue that this is not the case, especially when we are measuring the security of the “commercial internet”, as Whisper Security aims to do.

People squat, park, and drop-catch domain names every day. If we are interested in measuring the security of the domains that are practically relevant for Internet users, it is definitely helpful to weed such inactive or irrelevant domain names out of our sample set. This fact, however, is overlooked in this measurement study.

Domain names in the study are from 3 sources (cited from the PDF version of the report):

  • gTLD data obtained from ICANN’s Centralized Zone Data Service (CZDS)
  • Tranco Top 1M list (research-grade website ranking)
  • Whisper Intelligence Platform for geographic and infrastructure attribution

Let’s ignore the last source, which is a black box for us, as well as the second source, which comprises only a tiny fraction of the sample set. Here, we’ll only focus on the ICANN CZDS zone files as the primary data source. The ICANN Centralized Zone Data Service provides access to zone files for various top-level domains (TLDs). These files contain all domain names registered within the respective TLD namespace, among other information. As you can imagine, not all of the domain names in the zone files are in active use. In fact, research shows that a large portion of delegated domains are inactive. For example, a study by Zirngibl et al. shows that one-third of all delegated domains under .com are parked domains.

The presence of a significant number of irrelevant entries in the sample set undermines the report’s claims. I can imagine that the actual DNSSEC penetration is around 10 to 12 percent globally.

Domain Name ≠ DNS Zone

The brief section on methodology in the report mentions only domain names. But DNSSEC is measured on a zone basis, not a domain basis (see Appendix).

I cannot tell for certain whether the sample set contains multiple names within the same zones and, if so, whether deduplication has been performed. However, the emphasis on domain count rather than zone count, and the generalization to the “entire commercial internet”, make me suspect that this pitfall may have been overlooked.

Conclusion

Whisper Security claims that less than 5% of the Internet is secure. However, their report is plagued by conceptual inaccuracies, and their measurement method suffers from deficiencies.

DNS is not the Internet. That is the first misconception in the report. What they actually measure is DNS security, specifically the DNSSEC penetration rate. Second, cryptography does not equate to security.

The methodological shortcomings start with the fact that the sample size is too small to draw any general conclusions about the DNSSEC landscape, let alone the entire internet. It also contains a significant number of inactive domain names (e.g. parked domains), which distorts the analysis and interpretation of the data. Based on the wording in the report, I also suspect that the measurements were performed at the wrong level — on a domain name basis rather than a zone basis. Overall, I conclude that the data cannot support the opening claim of the report.

Appendix: Measuring Internet DNS Security

To measure how much of the Internet is secure, we must first define what we mean by secure. In the Whisper Security report, security refers to data-origin authentication and data integrity on the Domain Name System (DNS). This is realized through DNSSEC and using digital signatures.

DNSSEC is enabled per DNS zone. A zone is a section of the global DNS namespace under an authority denoted by its apex (DNS is structured hierarchically as a tree). For example, google.com, www.google.com, and mail.google.com all belong to the same zone denoted by google.com:

dig +nocomments +nostats SOA google.com www.google.com mail.google.com

; <<>> DiG 9.18.44 <<>> +nocomments +nostats SOA google.com www.google.com mail.google.com
;; global options: +cmd
;google.com.			IN	SOA
google.com.		52	IN	SOA	ns1.google.com. dns-admin.google.com. 870801610 900 900 1800 60
;www.google.com.			IN	SOA
google.com.		54	IN	SOA	ns1.google.com. dns-admin.google.com. 870801610 900 900 1800 60
;mail.google.com.		IN	SOA
google.com.		54	IN	SOA	ns1.google.com. dns-admin.google.com. 870801610 900 900 1800 60

To see if a zone is DNSSEC-secured, you can query any of the zone’s resource records using a DNSSEC-enabled resolver and check whether the records are signed:

dig +dnssec @1.1.1.1 example.com SOA

; <<>> DiG 9.18.44 <<>> +dnssec @1.1.1.1 example.com SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63895
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;example.com.			IN	SOA

;; ANSWER SECTION:
example.com.		1800	IN	SOA	elliott.ns.cloudflare.com. dns.cloudflare.com. 2396526872 10000 2400 604800 1800
example.com.		1800	IN	RRSIG	SOA 13 2 1800 20260218215036 20260216195036 34505 example.com. Vl1T9mvYsIwQ9B0UKDL6yxoUYNCPkTrDqayC0MMeGx9iebJNNuvgAj2U Q0EIee2QSVAUtBG02uGd/4pZyoxanw==

;; Query time: 34 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Feb 17 21:50:36 CET 2026
;; MSG SIZE  rcvd: 209

Note the RRSIG record delivered in the answer section, as well as the ad flag, which stands for authenticated data. Validating DNSSEC involves a number of steps that are not discussed here; we trust Cloudflare (the 1.1.1.1 resolver) to perform it properly for us.
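To make the zone-versus-domain point from the “Domain Name ≠ DNS Zone” section and the two checks in this appendix concrete, here is an added Python example (mine, not from the post or the report) that parses saved dig output: it maps each queried name to the zone apex that answered its SOA query, collapses a list of names to distinct zones, and tests a +dnssec answer for both the ad flag and an RRSIG. The sample strings are constructed from the dig output shown above so the script runs offline; the function names are my own.

```python
# Constructed from the +nocomments SOA query above (tabs as dig prints them).
SOA_OUTPUT = """\
;google.com.\t\t\tIN\tSOA
google.com.\t\t52\tIN\tSOA\tns1.google.com. dns-admin.google.com. 870801610 900 900 1800 60
;www.google.com.\t\t\tIN\tSOA
google.com.\t\t54\tIN\tSOA\tns1.google.com. dns-admin.google.com. 870801610 900 900 1800 60
;mail.google.com.\t\tIN\tSOA
google.com.\t\t54\tIN\tSOA\tns1.google.com. dns-admin.google.com. 870801610 900 900 1800 60
"""
# Constructed from the +dnssec query above; the signature data is shortened.
DNSSEC_OUTPUT = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232
example.com.\t\t1800\tIN\tSOA\telliott.ns.cloudflare.com. dns.cloudflare.com. 2396526872 10000 2400 604800 1800
example.com.\t\t1800\tIN\tRRSIG\tSOA 13 2 1800 20260218215036 20260216195036 34505 example.com. Vl1T9mvYsIwQ...
"""

def zone_apex_map(dig_output):
    """Return {queried name: zone apex}: the owner name of the answering SOA."""
    apex_of, queried = {}, None
    for line in dig_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if line.startswith(";"):               # question line: ";name. IN SOA"
            if fields[-1] == "SOA":
                queried = fields[0].lstrip(";").rstrip(".").lower()
            continue
        if queried and fields[2:4] == ["IN", "SOA"]:
            apex_of[queried] = fields[0].rstrip(".").lower()
            queried = None
    return apex_of

def distinct_zones(names, apex_of):
    """Collapse names to the zones they live in; names without an SOA answer stay as-is."""
    return {apex_of.get(n.lower(), n.lower()) for n in names}

def dnssec_signed(dig_output, rrtype="SOA"):
    """True only if the ad flag is set *and* an RRSIG covering rrtype is in
    the answer; either signal alone does not show a validated signature."""
    ad = rrsig = False
    for line in dig_output.splitlines():
        fields = line.split()
        if line.startswith(";; flags:"):
            flags = line.split("flags:", 1)[1].split(";", 1)[0].split()
            ad = "ad" in flags
        elif fields[2:5] == ["IN", "RRSIG", rrtype]:
            rrsig = True
    return ad and rrsig
```

Three names from the CZDS-style list above collapse to a single zone, which is what a DNSSEC penetration figure should count.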

[1] The correct label is “com.”; in everyday use, however, people refer to it as dot com, hence the notation .com here.

[2] See “If a tree falls in a forest and no one is around to hear it, does it make a sound?”
