27 February 2026·6 min read

HTTPS Isn't Enough: What Your TLS Configuration Is Getting Wrong

Having HTTPS doesn't mean your TLS setup is secure. Outdated protocols, weak ciphers, and missing HSTS can still leave you exposed.

Tags: TLS, SSL, HTTPS, web security

You've got the padlock icon. Your site loads over HTTPS. Job done, right? Not quite. The padlock only tells you the browser validated a certificate for the hostname; it says nothing about the quality of the TLS configuration behind it. Plenty of sites with valid certificates still accept obsolete protocol versions, negotiate cipher suites without forward secrecy, or leave every visitor's first plain-HTTP request open to interception and redirection by anyone on the network path.

TLS 1.0 and 1.1 are dead — disable them

TLS 1.0 dates back to 1999 and TLS 1.1 to 2006. TLS 1.0 is the version BEAST targets, and both versions lack AEAD cipher suites and depend on a CBC MAC-then-encrypt construction that has produced a string of padding-oracle attacks (Lucky13, and the TLS variants of POODLE, which was originally an SSL 3.0 attack). CRIME, often listed alongside them, is actually about TLS compression and applies to any version that enables it, so disable compression as well. Both versions were formally deprecated by RFC 8996 in 2021, and every major browser dropped support for them in 2020. If your server still accepts TLS 1.0 or 1.1 connections, you're maintaining compatibility with nothing except attack tools and legacy clients you almost certainly don't want. PCI DSS set 30 June 2018 as the deadline for retiring SSL and TLS 1.0, with TLS 1.2 as the recommended minimum.

# Nginx — only allow TLS 1.2 and 1.3
ssl_protocols TLSv1.2 TLSv1.3;

# Apache
SSLProtocol -all +TLSv1.2 +TLSv1.3

Cipher suites matter more than you think

Even with TLS 1.2, the negotiated cipher suite determines the actual strength of the connection. RC4 has exploitable keystream biases, 64-bit block ciphers such as DES and 3DES fall to birthday attacks (Sweet32) on long-lived connections, and single DES can be brute-forced outright. CBC suites with SHA-1 MACs avoid those problems but keep the padding-oracle history of the MAC-then-encrypt construction. Suites that use static RSA key exchange have no forward secrecy: if your private key is ever compromised, every recorded session can be decrypted retroactively. You want ECDHE key exchange (forward secrecy) with an AEAD cipher, AES-GCM or ChaCha20-Poly1305. With a list that contains only strong suites, ssl_prefer_server_ciphers off is the right setting, because it lets a client without AES hardware acceleration pick ChaCha20. Note that nginx's ssl_ciphers governs TLS 1.2 and below only; every TLS 1.3 suite is AEAD with ephemeral key exchange, so the defaults there are fine.

# Nginx — modern cipher configuration
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
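Both points above, the protocol floor and the cipher-suite properties, can be checked offline with Python's stdlib ssl module, which exposes the same knobs as nginx's ssl_protocols and ssl_ciphers. This is an added example, not code from the original post or from KrakenProbe: it builds one server context mirroring the nginx snippet above and one constructed legacy context, then reports the findings a scanner would (a protocol below 1.2 enabled, a suite without ECDHE, a suite without AEAD). The legacy cipher string is made up for the demonstration.

```python
"""Offline audit of TLS protocol and cipher settings with the stdlib ssl module."""
import ssl

# Cipher string from the nginx snippet above.
MODERN_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
)

# Constructed legacy string for the demo: static RSA key exchange (no forward
# secrecy) and CBC suites with SHA-1 MACs (no AEAD).
LEGACY_CIPHERS = "AES128-SHA:AES256-SHA:ECDHE-RSA-AES128-SHA"


def make_server_context(min_version, ciphers):
    """Equivalent of nginx's ssl_protocols + ssl_ciphers for a server context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version  # ssl_protocols lower bound
    ctx.set_ciphers(ciphers)           # ssl_ciphers (TLS 1.2 and below)
    return ctx


def modern_context():
    return make_server_context(ssl.TLSVersion.TLSv1_2, MODERN_CIPHERS)


def legacy_context():
    return make_server_context(ssl.TLSVersion.TLSv1, LEGACY_CIPHERS)


def audit(ctx):
    """Return a list of findings for a context; an empty list means it passes.

    Checks the properties the post asks for: no protocol below TLS 1.2,
    ECDHE key exchange on every pre-1.3 suite, AEAD encryption, and a
    key length of at least 128 bits.
    """
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"protocol: minimum is {ctx.minimum_version.name}, TLS 1.0/1.1 enabled"
        )
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue  # every TLS 1.3 suite is AEAD with ephemeral key exchange
        if c["kea"] != "kx-ecdhe":
            findings.append(f"{c['name']}: no forward secrecy (key exchange {c['kea']})")
        if not c["aead"]:
            findings.append(f"{c['name']}: not AEAD (MAC {c['digest']})")
        if c["strength_bits"] < 128:
            findings.append(f"{c['name']}: only {c['strength_bits']}-bit cipher")
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("modern", modern_context())):
        problems = audit(ctx)
        status = "OK" if not problems else f"{len(problems)} findings"
        print(f"{label}: {status}")
        for p in problems:
            print("  -", p)
```

The modern context comes back clean; the legacy one is flagged for its protocol floor, for the two static-RSA suites lacking forward secrecy, and for all three CBC suites lacking AEAD. The same get_ciphers() inspection works on any cipher string you are about to deploy, which is a cheap pre-deployment check before an external scan.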

HSTS: force HTTPS from the browser side

Your server redirects HTTP to HTTPS, but that initial HTTP request still travels in the clear, where an attacker on the path can intercept it and answer with their own content instead of your redirect (the sslstrip pattern). HSTS (HTTP Strict Transport Security) tells browsers that, for the max-age period, this host is HTTPS-only: on later visits the browser rewrites http:// URLs to https:// internally before any request leaves the machine, and it stops users from clicking through certificate errors. Browsers only honour the header when it arrives over a valid HTTPS connection, so it has to be set on your HTTPS responses, not on the redirect. Without HSTS, every session starts with a vulnerable window.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

For maximum protection, submit your domain to the HSTS preload list at hstspreload.org. This bakes HTTPS enforcement into browser builds, protecting even first-time visitors. Preload requires exactly the header above (a max-age of at least one year, includeSubDomains, and preload) plus an HTTP-to-HTTPS redirect, and it is effectively permanent: removal takes months to reach users, and a preloaded includeSubDomains policy will break any subdomain that is still HTTP-only, internal hosts included. Only add the preload directive once every subdomain is served over HTTPS and you intend to submit.
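The header above is easy to get subtly wrong: a value the browser silently discards, or a max-age too short for preload. The following is an added example, not code from the original post or from KrakenProbe: a parser that applies the RFC 6797 rules browsers use (case-insensitive directive names, optional quoted values, unknown directives ignored, duplicate directives or a missing max-age causing the whole header to be ignored), plus a check of the parsed policy against the recommended header. The sample headers are constructed.

```python
"""Parse a Strict-Transport-Security header and grade it against the
recommended max-age=31536000; includeSubDomains; preload policy."""
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> HstsPolicy:
    """Parse the header the way RFC 6797 section 6.1 tells browsers to.

    Raises ValueError for the cases in which a browser ignores the header
    entirely: a duplicated directive, a malformed or missing max-age.
    """
    max_age: Optional[int] = None
    include_subdomains = preload = False
    seen = set()
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            raise ValueError(f"duplicate directive {name!r}")
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as browsers ignore it
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def audit_hsts(header: Optional[str]) -> List[str]:
    """Return findings for the header value seen on an HTTPS response.

    An empty list means the header matches the recommended, preload-ready policy.
    """
    if header is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    try:
        policy = parse_hsts(header)
    except ValueError as exc:
        return [f"header would be ignored by browsers: {exc}"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below the one-year preload minimum")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains can still be reached over HTTP")
    if not policy.preload:
        findings.append("preload directive missing: not eligible for the preload list")
    return findings


if __name__ == "__main__":
    # Constructed sample header values, as a scanner would read them off HTTPS responses.
    samples = {
        "recommended": "max-age=31536000; includeSubDomains; preload",
        "short-lived": "max-age=300",
        "broken": "includeSubDomains; preload",
        "absent": None,
    }
    for label, header in samples.items():
        print(f"{label}: {audit_hsts(header) or ['preload-ready']}")
```

The checker grades only the header value. Whether the header was actually delivered over HTTPS, and whether the HTTP-to-HTTPS redirect that preload also requires is in place, are transport checks that have to be made against the live site.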

Certificate issues beyond expiration

An expired certificate is obvious: browsers block the connection. A certificate issued for the wrong hostname or signed with SHA-1 is just as loud, since modern browsers reject both outright, so you will hear about those quickly. The subtler failures are the ones only some clients hit. A missing intermediate certificate is the classic case: some desktop browsers fetch or cache the missing intermediate and connect without complaint, while curl, Java, many mobile apps and most API clients see a broken chain and fail. Adding a subdomain that isn't covered by the certificate's Subject Alternative Names is another that only surfaces when someone uses it. Automated renewal via Let's Encrypt or your CDN eliminates most expiration issues, but you should still monitor the full chain as served, not just the leaf, and test with a non-browser client.

Test your TLS now

KrakenProbe's TLS scanner checks your protocol versions, cipher strength, certificate chain, and HSTS configuration in seconds. Run a free scan to see exactly what needs fixing.
