← Back to Assessments

www.google.com

TLS Security Assessment Details

Download PDF
0
FAILING

[ cyphers ] score

TLS Validated by [ cyphers ] scout
FEB 2026

Harden your TLS Now

This endpoint has 6 findings that can be resolved (+110 pts). Choose how you want to proceed.

This is my server Get a free TLS certificate, generate a hardened server config, and verify your score improvement. Launch Remediation Wizard
I'm connecting to it Use a Cyphers proxy or SDK integration to connect safely with enforced TLS best practices on your side. View Safe Connection Tools

Connect Safely via Cyphers Proxy

[cyphers] Endpoint Tools allow you to connect safely to a server even though it will allow for insecure connections. Your connection will be secure regardless of the server's security posture.

N8N Cyphers Node
Drop-in workflow node. Routes HTTP requests through Cyphers proxy with enforced TLS 1.2+ and certificate pinning.
Install Node
Claude Proxy MCP
MCP server for Claude Code / Claude Desktop. Proxies all tool-initiated HTTP calls through a TLS-validated tunnel.
Configure MCP
OpenAI SDK Toolkit
Python / TypeScript wrapper. Patches the OpenAI SDK transport layer to enforce strict TLS validation on every API call.
View SDK Docs

These proxies don't modify the remote server — they enforce TLS best practices on your side of the connection. Traffic is routed through the Cyphers proxy network which negotiates the strongest available cipher suite and rejects connections that fall below your configured threshold.

Certificate

Subject www.google.com
Issuer WR2
Valid From 19/01/2026
Valid Until 13/04/2026
Days Remaining 59
Key ECDSA 256-bit
OCSP Stapling No
SCT No

Compliance Status

PCI-DSS 4.2.1
4 failure(s)
NDcPP FCS_TLS_EXT.1
2 failure(s)
HIPAA
Passed

Vulnerabilities Found

2 issues detected
1 Critical 1 Major
CRITICAL BEAST (CVE-2011-3389) CVE-2011-3389
-25 pts
Server vulnerable to BEAST attack
Observed TLS 1.0 enabled with CBC cipher TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Expected TLS 1.0 disabled or CBC ciphers removed Remediation Disable TLS 1.0 or remove CBC ciphers. Prefer TLS 1.2+ with GCM or ChaCha20.
Evidence
  • TLS 1.0 supported
  • CBC cipher: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
PCI-DSS 4.2.1
MAJOR SWEET32 (CVE-2016-2183) CVE-2016-2183
-15 pts
Server vulnerable to SWEET32 birthday attack on 64-bit block ciphers
Observed 3DES cipher supported: TLS_RSA_WITH_3DES_EDE_CBC_SHA Expected No 3DES cipher suites Remediation Remove 3DES cipher suites. Use AES-GCM or ChaCha20-Poly1305 instead.
Evidence
  • 3DES cipher: TLS_RSA_WITH_3DES_EDE_CBC_SHA

Supported Cipher Suites

22 ciphers across 4 protocols — 6 insecure
TLS1.3 3 ciphers
TLS_AES_128_GCM_SHA256 STRONG
TLS_AES_256_GCM_SHA384 STRONG
TLS_CHACHA20_POLY1305_SHA256 STRONG
TLS1.2 5 ciphers
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ACCEPTABLE
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ACCEPTABLE
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ACCEPTABLE
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ACCEPTABLE
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ACCEPTABLE
TLS1.1 7 ciphers 3 insecure
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ACCEPTABLE
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ACCEPTABLE
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ACCEPTABLE
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ACCEPTABLE
TLS_RSA_WITH_AES_128_CBC_SHA INSECURE
TLS_RSA_WITH_AES_256_CBC_SHA INSECURE
TLS_RSA_WITH_3DES_EDE_CBC_SHA INSECURE
TLS1.0 7 ciphers 3 insecure
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ACCEPTABLE
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ACCEPTABLE
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ACCEPTABLE
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ACCEPTABLE
TLS_RSA_WITH_AES_128_CBC_SHA INSECURE
TLS_RSA_WITH_AES_256_CBC_SHA INSECURE
TLS_RSA_WITH_3DES_EDE_CBC_SHA INSECURE

Protocols

4 of 4 supported
TLS 1.0 Enabled CRITICAL
TLS 1.1 Enabled CRITICAL
TLS 1.2 Enabled OK
TLS 1.3 Enabled GOOD

Findings

2 Critical
2 Major
1 Minor
4 Info
Protocol
TLS 1.0 Enabled CRITICAL
-25 pts
TLS 1.0 is enabled - deprecated and insecure
PCI-DSS 4.2.1 NDcPP FCS_TLS_EXT.1
Observed: TLS 1.0 connection accepted
Expected: TLS 1.2 and TLS 1.3 only
Remediation: Disable TLS 1.0 in server configuration. For nginx: ssl_protocols TLSv1.2 TLSv1.3;
References: https://wiki.mozilla.org/Security/Server_Side_TLS, https://www.pcisecuritystandards.org/
WHY THIS MATTERS
Enables downgrade attacks. Large providers keep TLS 1.0 for legacy compatibility with extensive monitoring. Typical servers lack this oversight and are fully exploitable.
Loading fix...
TLS 1.1 Enabled MAJOR
-25 pts
TLS 1.1 is enabled - deprecated and insecure
PCI-DSS 4.2.1 NDcPP FCS_TLS_EXT.1
Observed: TLS 1.1 connection accepted
Expected: TLS 1.2 and TLS 1.3 only
Remediation: Disable TLS 1.1 in server configuration. For nginx: ssl_protocols TLSv1.2 TLSv1.3;
References: https://wiki.mozilla.org/Security/Server_Side_TLS, https://www.pcisecuritystandards.org/
WHY THIS MATTERS
Deprecated protocol with known weaknesses. Should be disabled on all production servers to prevent protocol downgrade attacks.
Loading fix...
TLS 1.3 Support INFO
TLS 1.3 is supported
Vulnerability
BEAST (CVE-2011-3389) CRITICAL
-25 pts
Server vulnerable to BEAST attack
PCI-DSS 4.2.1
Observed: TLS 1.0 enabled with CBC cipher TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Expected: TLS 1.0 disabled or CBC ciphers removed
Remediation: Disable TLS 1.0 or remove CBC ciphers. Prefer TLS 1.2+ with GCM or ChaCha20.
References: https://nvd.nist.gov/vuln/detail/CVE-2011-3389
WHY THIS MATTERS
Large enterprises like Google mitigate BEAST with hardened implementations and client-side fixes. Most servers don't have these safeguards - if this were your server, traffic could be decrypted.
Loading fix...
SWEET32 (CVE-2016-2183) MAJOR
-15 pts
Server vulnerable to SWEET32 birthday attack on 64-bit block ciphers
Observed: 3DES cipher supported: TLS_RSA_WITH_3DES_EDE_CBC_SHA
Expected: No 3DES cipher suites
Remediation: Remove 3DES cipher suites. Use AES-GCM or ChaCha20-Poly1305 instead.
References: https://nvd.nist.gov/vuln/detail/CVE-2016-2183, https://sweet32.info/
Loading fix...
Headers
HSTS MINOR
-10 pts
HTTP Strict Transport Security (HSTS) header is not set
PCI-DSS 2.2.7
Observed: Strict-Transport-Security header missing
Expected: HSTS header with max-age >= 31536000
Remediation: Add HSTS header. For nginx: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
References: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
WHY THIS MATTERS
First-time visitors can be intercepted via man-in-the-middle attacks. Critical for authentication endpoints where credentials are transmitted.
Loading fix...
Certificate
Certificate Validity INFO
Certificate is valid for 59 more days
! OCSP Stapling INFO
-5 pts
OCSP stapling is not enabled
Observed: No OCSP response in TLS handshake
Expected: OCSP stapling enabled for faster revocation checks
Remediation: Enable OCSP stapling. For nginx: ssl_stapling on; ssl_stapling_verify on;
References: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
WHY THIS MATTERS
Performance optimization that reduces latency for certificate revocation checks. Not a security vulnerability, but improves user experience.
Loading fix...
Certificate Transparency (SCT) INFO
-5 pts
No Signed Certificate Timestamps (SCT) found
Observed: No SCT in TLS handshake or certificate
Expected: SCT present for Certificate Transparency compliance
Remediation: Use a CA that supports Certificate Transparency. Most modern CAs include SCTs by default.
References: https://certificate.transparency.dev/
Loading fix...
Risk Summary

This endpoint has 6 findings that affect connection security. When connecting to www.google.com, these risks apply to your client:

  • TLS 1.0 Enabled (-25 pts)
  • TLS 1.1 Enabled (-25 pts)
  • OCSP Stapling (-5 pts)
  • HSTS (-10 pts)
  • BEAST (CVE-2011-3389) (-25 pts)
  • SWEET32 (CVE-2016-2183) (-15 pts)
Recommended Profile

Based on the current score (0), we recommend the Adequate hardening profile for your client-side tools:

Adequate
Development and testing environments
TLS 1.2+ • Compatible ciphers • No revocation check
Get Config View Tools