[ cyphers ] score: 5 (FAILING)

TLS Validated by [ cyphers ] scout
FEB 2026

Harden your TLS Now

This endpoint has 4 findings that can be resolved (+95 pts). Choose how you want to proceed.

This is my server: Get a free TLS certificate, generate a hardened server config, and verify your score improvement.
I'm connecting to it: Use a Cyphers proxy or SDK integration to connect safely with enforced TLS best practices on your side.

Connect Safely via Cyphers Proxy

[cyphers] Endpoint Tools let you connect safely to a server even if that server accepts insecure connections. Your connection will be secure regardless of the server's security posture.

These proxies don't modify the remote server — they enforce TLS best practices on your side of the connection. Traffic is routed through the Cyphers proxy network which negotiates the strongest available cipher suite and rejects connections that fall below your configured threshold.

Certificate

Subject www.vestd.com
Issuer WE1
Valid From 20/01/2026
Valid Until 20/04/2026
Days Remaining 67
Key ECDSA 256-bit
OCSP Stapling Yes
SCT No

Compliance Status

PCI-DSS 4.2.1: 3 failure(s)
NDcPP FCS_TLS_EXT.1: 2 failure(s)
HIPAA: Passed

Vulnerabilities Found

2 issues detected
1 Critical 1 Major
CRITICAL BEAST (CVE-2011-3389)
-25 pts
Server vulnerable to BEAST attack
Observed: TLS 1.0 enabled with CBC cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Expected: TLS 1.0 disabled or CBC ciphers removed
Remediation: Disable TLS 1.0 or remove CBC ciphers. Prefer TLS 1.2+ with GCM or ChaCha20.
Evidence
  • TLS 1.0 supported
  • CBC cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
PCI-DSS 4.2.1
MAJOR SWEET32 (CVE-2016-2183)
-15 pts
Server vulnerable to SWEET32 birthday attack on 64-bit block ciphers
Observed: 3DES cipher supported: TLS_RSA_WITH_3DES_EDE_CBC_SHA
Expected: No 3DES cipher suites
Remediation: Remove 3DES cipher suites. Use AES-GCM or ChaCha20-Poly1305 instead.
Evidence
  • 3DES cipher: TLS_RSA_WITH_3DES_EDE_CBC_SHA

Supported Cipher Suites

30 ciphers across 4 protocols — 11 insecure
TLS1.3 3 ciphers
TLS_AES_128_GCM_SHA256 STRONG
TLS_AES_256_GCM_SHA384 STRONG
TLS_CHACHA20_POLY1305_SHA256 STRONG
TLS1.2 17 ciphers 5 insecure
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ACCEPTABLE
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ACCEPTABLE
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ACCEPTABLE
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ACCEPTABLE
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ACCEPTABLE
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ACCEPTABLE
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ACCEPTABLE
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ACCEPTABLE
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ACCEPTABLE
TLS_RSA_WITH_AES_128_GCM_SHA256 INSECURE
TLS_RSA_WITH_AES_128_CBC_SHA INSECURE
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ACCEPTABLE
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ACCEPTABLE
TLS_RSA_WITH_AES_256_GCM_SHA384 INSECURE
TLS_RSA_WITH_AES_256_CBC_SHA INSECURE
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ACCEPTABLE
TLS_RSA_WITH_AES_128_CBC_SHA256 INSECURE
TLS1.1 5 ciphers 3 insecure
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ACCEPTABLE
TLS_RSA_WITH_AES_128_CBC_SHA INSECURE
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ACCEPTABLE
TLS_RSA_WITH_AES_256_CBC_SHA INSECURE
TLS_RSA_WITH_3DES_EDE_CBC_SHA INSECURE
TLS1.0 5 ciphers 3 insecure
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ACCEPTABLE
TLS_RSA_WITH_AES_128_CBC_SHA INSECURE
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ACCEPTABLE
TLS_RSA_WITH_AES_256_CBC_SHA INSECURE
TLS_RSA_WITH_3DES_EDE_CBC_SHA INSECURE

Protocols

4 of 4 supported
TLS 1.0 Enabled CRITICAL
TLS 1.1 Enabled CRITICAL
TLS 1.2 Enabled OK
TLS 1.3 Enabled GOOD

Findings

2 Critical
2 Major
0 Minor
5 Info
Protocol
TLS 1.0 Enabled CRITICAL
-25 pts
TLS 1.0 is enabled - deprecated and insecure
PCI-DSS 4.2.1 NDcPP FCS_TLS_EXT.1
Observed: TLS 1.0 connection accepted
Expected: TLS 1.2 and TLS 1.3 only
Remediation: Disable TLS 1.0 in server configuration. For nginx: ssl_protocols TLSv1.2 TLSv1.3;
WHY THIS MATTERS
Enables downgrade attacks. Large providers keep TLS 1.0 for legacy compatibility with extensive monitoring. Typical servers lack this oversight and are fully exploitable.
TLS 1.1 Enabled MAJOR
-25 pts
TLS 1.1 is enabled - deprecated and insecure
PCI-DSS 4.2.1 NDcPP FCS_TLS_EXT.1
Observed: TLS 1.1 connection accepted
Expected: TLS 1.2 and TLS 1.3 only
Remediation: Disable TLS 1.1 in server configuration. For nginx: ssl_protocols TLSv1.2 TLSv1.3;
WHY THIS MATTERS
Deprecated protocol with known weaknesses. Should be disabled on all production servers to prevent protocol downgrade attacks.
TLS 1.3 Support INFO
TLS 1.3 is supported
Vulnerability
BEAST (CVE-2011-3389) CRITICAL
-25 pts
Server vulnerable to BEAST attack
PCI-DSS 4.2.1
Observed: TLS 1.0 enabled with CBC cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Expected: TLS 1.0 disabled or CBC ciphers removed
Remediation: Disable TLS 1.0 or remove CBC ciphers. Prefer TLS 1.2+ with GCM or ChaCha20.
WHY THIS MATTERS
Large enterprises like Google mitigate BEAST with hardened implementations and client-side fixes. Most servers don't have these safeguards - if this were your server, traffic could be decrypted.
SWEET32 (CVE-2016-2183) MAJOR
-15 pts
Server vulnerable to SWEET32 birthday attack on 64-bit block ciphers
Observed: 3DES cipher supported: TLS_RSA_WITH_3DES_EDE_CBC_SHA
Expected: No 3DES cipher suites
Remediation: Remove 3DES cipher suites. Use AES-GCM or ChaCha20-Poly1305 instead.
Certificate
Certificate Validity INFO
Certificate is valid for 67 more days
OCSP Stapling INFO
OCSP stapling is enabled
Certificate Transparency (SCT) INFO
-5 pts
No Signed Certificate Timestamps (SCT) found
Observed: No SCT in TLS handshake or certificate
Expected: SCT present for Certificate Transparency compliance
Remediation: Use a CA that supports Certificate Transparency. Most modern CAs include SCTs by default.
Headers
HSTS INFO
HSTS is enabled with max-age=31536000 seconds

Risk Summary

This endpoint has 4 findings that affect connection security. When connecting to www.vestd.com, these risks apply to your client:

  • TLS 1.0 Enabled (-25 pts)
  • TLS 1.1 Enabled (-25 pts)
  • BEAST (CVE-2011-3389) (-25 pts)
  • SWEET32 (CVE-2016-2183) (-15 pts)

Recommended Profile

Based on the current score (5), we recommend the Adequate hardening profile for your client-side tools:

Scan History

Scan ID          Score   Tier         Findings  Time
sc_5958d8df7469  5/100   Failing      0         2/12/2026, 10:25:52 AM
sc_1332ebd6834e  5/100   Failing      0         2/12/2026, 10:21:16 AM
sc_1caf394fa29d  5/100   Failing      0         2/12/2026, 10:20:15 AM
sc_d2b9b495c81b  5/100   Failing      0         2/12/2026, 10:19:34 AM
sc_9d38be2b9582  5/100   Failing      0         2/11/2026, 5:53:58 PM
sc_d05eacd6d7c3  95/100  Exceptional  0         2/11/2026, 5:31:04 PM
sc_2d736b14fdcd  95/100  Exceptional  0         2/11/2026, 4:36:12 PM