badssl.com - Assessments

FAILING

[ cyphers ] score

TLS Validated by [ cyphers ] scout

FEB 2026

Harden your TLS Now

This endpoint has 7 findings that can be resolved (+120 pts). Choose how you want to proceed.

This is my server Get a free TLS certificate, generate a hardened server config, and verify your score improvement. Launch Remediation Wizard →

I'm connecting to it Use a Cyphers proxy or SDK integration to connect safely with enforced TLS best practices on your side. View Safe Connection Tools →

Connect Safely via Cyphers Proxy

[cyphers] Endpoint Tools allow you to connect safely to a server even though it will allow for insecure connections. Your connection will be secure regardless of the server's security posture.

N8N Cyphers Node

Drop-in workflow node. Routes HTTP requests through Cyphers proxy with enforced TLS 1.2+ and certificate pinning.

Install Node →

Claude Proxy MCP

MCP server for Claude Code / Claude Desktop. Proxies all tool-initiated HTTP calls through a TLS-validated tunnel.

Configure MCP →

OpenAI SDK Toolkit

Python / TypeScript wrapper. Patches the OpenAI SDK transport layer to enforce strict TLS validation on every API call.

View SDK Docs →

These proxies don't modify the remote server — they enforce TLS best practices on your side of the connection. Traffic is routed through the Cyphers proxy network which negotiates the strongest available cipher suite and rejects connections that fall below your configured threshold.

Certificate

Subject *.badssl.com

Issuer R13

Valid From 20/01/2026

Valid Until 20/04/2026

Days Remaining 67

Key RSA 2048-bit

OCSP Stapling No

SCT No

Compliance Status

PCI-DSS 4.2.1

4 failure(s)

NDcPP FCS_TLS_EXT.1

2 failure(s)

HIPAA

Passed

Vulnerabilities Found

2 issues detected

1 Critical 1 Major

CRITICAL BEAST (CVE-2011-3389) CVE-2011-3389

-25 pts ▼

Server vulnerable to BEAST attack

Observed TLS 1.0 enabled with CBC cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Expected TLS 1.0 disabled or CBC ciphers removed Remediation Disable TLS 1.0 or remove CBC ciphers. Prefer TLS 1.2+ with GCM or ChaCha20.

Evidence

TLS 1.0 supported
CBC cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

https://nvd.nist.gov/vuln/detail/CVE-2011-3389

PCI-DSS 4.2.1

MAJOR SWEET32 (CVE-2016-2183) CVE-2016-2183

-15 pts ▼

Server vulnerable to SWEET32 birthday attack on 64-bit block ciphers

Observed 3DES cipher supported: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA Expected No 3DES cipher suites Remediation Remove 3DES cipher suites. Use AES-GCM or ChaCha20-Poly1305 instead.

Evidence

3DES cipher: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

https://nvd.nist.gov/vuln/detail/CVE-2016-2183 https://sweet32.info/

Supported Cipher Suites

24 ciphers across 3 protocols — 12 insecure

TLS1.2 12 ciphers 6 insecure

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ACCEPTABLE

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ACCEPTABLE

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ACCEPTABLE

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ACCEPTABLE

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ACCEPTABLE

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ACCEPTABLE

TLS_RSA_WITH_AES_128_GCM_SHA256 INSECURE

TLS_RSA_WITH_AES_256_GCM_SHA384 INSECURE

TLS_RSA_WITH_AES_128_CBC_SHA256 INSECURE

TLS_RSA_WITH_AES_128_CBC_SHA INSECURE

TLS_RSA_WITH_AES_256_CBC_SHA INSECURE

TLS_RSA_WITH_3DES_EDE_CBC_SHA INSECURE

TLS1.1 6 ciphers 3 insecure

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ACCEPTABLE

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ACCEPTABLE

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ACCEPTABLE

TLS_RSA_WITH_AES_128_CBC_SHA INSECURE

TLS_RSA_WITH_AES_256_CBC_SHA INSECURE

TLS_RSA_WITH_3DES_EDE_CBC_SHA INSECURE

TLS1.0 6 ciphers 3 insecure

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ACCEPTABLE

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ACCEPTABLE

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ACCEPTABLE

TLS_RSA_WITH_AES_128_CBC_SHA INSECURE

TLS_RSA_WITH_AES_256_CBC_SHA INSECURE

TLS_RSA_WITH_3DES_EDE_CBC_SHA INSECURE

Protocols

3 of 4 supported

✗ TLS 1.0 Enabled CRITICAL

✗ TLS 1.1 Enabled CRITICAL

✓ TLS 1.2 Enabled OK

✗ TLS 1.3 Disabled

Findings

2 Critical

2 Major

1 Minor

4 Info

Protocol

✗ TLS 1.0 Enabled CRITICAL

-25 pts ▼

TLS 1.0 is enabled - deprecated and insecure

PCI-DSS 4.2.1 NDcPP FCS_TLS_EXT.1

Observed: TLS 1.0 connection accepted

Expected: TLS 1.2 and TLS 1.3 only

Remediation: Disable TLS 1.0 in server configuration. For nginx: ssl_protocols TLSv1.2 TLSv1.3;

References: https://wiki.mozilla.org/Security/Server_Side_TLS, https://www.pcisecuritystandards.org/

WHY THIS MATTERS

Enables downgrade attacks. Large providers keep TLS 1.0 for legacy compatibility with extensive monitoring. Typical servers lack this oversight and are fully exploitable.

Loading fix...

✗ TLS 1.1 Enabled MAJOR

-25 pts ▼

TLS 1.1 is enabled - deprecated and insecure

PCI-DSS 4.2.1 NDcPP FCS_TLS_EXT.1

Observed: TLS 1.1 connection accepted

Expected: TLS 1.2 and TLS 1.3 only

Remediation: Disable TLS 1.1 in server configuration. For nginx: ssl_protocols TLSv1.2 TLSv1.3;

References: https://wiki.mozilla.org/Security/Server_Side_TLS, https://www.pcisecuritystandards.org/

WHY THIS MATTERS

Deprecated protocol with known weaknesses. Should be disabled on all production servers to prevent protocol downgrade attacks.

Loading fix...

! TLS 1.3 Support INFO

-10 pts ▼

TLS 1.3 is not supported

Observed: TLS 1.3 connection failed

Expected: TLS 1.3 supported for optimal security

Remediation: Enable TLS 1.3 in server configuration. For nginx: ssl_protocols TLSv1.2 TLSv1.3;

References: https://wiki.mozilla.org/Security/Server_Side_TLS

WHY THIS MATTERS

Best practice for performance and security, but TLS 1.2 remains secure. Not an immediate security risk.

Loading fix...

Vulnerability

✗ BEAST (CVE-2011-3389) CRITICAL

-25 pts ▼

Server vulnerable to BEAST attack

PCI-DSS 4.2.1

Observed: TLS 1.0 enabled with CBC cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Expected: TLS 1.0 disabled or CBC ciphers removed

Remediation: Disable TLS 1.0 or remove CBC ciphers. Prefer TLS 1.2+ with GCM or ChaCha20.

References: https://nvd.nist.gov/vuln/detail/CVE-2011-3389

WHY THIS MATTERS

Large enterprises like Google mitigate BEAST with hardened implementations and client-side fixes. Most servers don't have these safeguards - if this were your server, traffic could be decrypted.

Loading fix...

✗ SWEET32 (CVE-2016-2183) MAJOR

-15 pts ▼

Server vulnerable to SWEET32 birthday attack on 64-bit block ciphers

Observed: 3DES cipher supported: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

Expected: No 3DES cipher suites

Remediation: Remove 3DES cipher suites. Use AES-GCM or ChaCha20-Poly1305 instead.

References: https://nvd.nist.gov/vuln/detail/CVE-2016-2183, https://sweet32.info/

Loading fix...

Headers

✗ HSTS MINOR

-10 pts ▼

HTTP Strict Transport Security (HSTS) header is not set

PCI-DSS 2.2.7

Observed: Strict-Transport-Security header missing

Expected: HSTS header with max-age >= 31536000

Remediation: Add HSTS header. For nginx: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

References: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

WHY THIS MATTERS

First-time visitors can be intercepted via man-in-the-middle attacks. Critical for authentication endpoints where credentials are transmitted.

Loading fix...

Certificate

✓ Certificate Validity INFO

Certificate is valid for 67 more days

! OCSP Stapling INFO

-5 pts ▼

OCSP stapling is not enabled

Observed: No OCSP response in TLS handshake

Expected: OCSP stapling enabled for faster revocation checks

Remediation: Enable OCSP stapling. For nginx: ssl_stapling on; ssl_stapling_verify on;

References: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling

WHY THIS MATTERS

Performance optimization that reduces latency for certificate revocation checks. Not a security vulnerability, but improves user experience.

Loading fix...

✗ Certificate Transparency (SCT) INFO

-5 pts ▼

No Signed Certificate Timestamps (SCT) found

Observed: No SCT in TLS handshake or certificate

Expected: SCT present for Certificate Transparency compliance

Remediation: Use a CA that supports Certificate Transparency. Most modern CAs include SCTs by default.

References: https://certificate.transparency.dev/

Loading fix...

Risk Summary

This endpoint has 7 findings that affect connection security. When connecting to badssl.com, these risks apply to your client:

TLS 1.3 Support (-10 pts)
TLS 1.0 Enabled (-25 pts)
TLS 1.1 Enabled (-25 pts)
OCSP Stapling (-5 pts)
HSTS (-10 pts)
BEAST (CVE-2011-3389) (-25 pts)
SWEET32 (CVE-2016-2183) (-15 pts)

Recommended Profile

Based on the current score (0), we recommend the Adequate hardening profile for your client-side tools:

Get Config → View Tools →