Grades Calculation Process
We refer to the SSL Labs rating guide to explain how we calculate grades.
https://www.ssllabs.com/projects/rating-guide/index.html
There are a few differences in the way we assign grades:
- Certificate View will not penalize the grade under the following conditions:
  - Certificate hostnames do not match the site hostname (SSL Labs drops the grade to T)
  - Certificate has been revoked (SSL Labs drops the grade to F)
- SSL Labs runs browser simulation checks and may not penalize the server for using weaker ciphers if the browser simulations determine that the weaker ciphers are not negotiated when establishing the SSL connections. You may therefore see different grades in Certificate View for the following:
  - use of legacy 64-bit block ciphers (Certificate View drops the grade to C)
  - use of ciphers that theoretically support forward secrecy (CertView does not reward the server for using these ciphers)
  - use of CBC ciphers with TLS 1.2 or below (Certificate View drops the grade to F due to the GoldenDoodle vulnerability)
- Certificate View does not test for forward secrecy and will not penalize a server if it doesn't support forward secrecy.
SSL Labs caps grades to B and penalizes sites if the server does not support forward secrecy. This assessment is made primarily based on the 60+ browser handshake simulations performed during the SSL Labs assessment.
SSL Labs, however, does not penalize sites that use suites that are not capable of providing forward secrecy as long as they are not negotiated during browser handshake simulations. Forward secrecy depends on a lot of information that cannot be detected remotely, such as the server caching policy of session tickets or the reuse of DH/ECDH keys. While Certificate View detects the ciphers that theoretically support forward secrecy, merely having such ciphers configured does not actually guarantee forward secrecy.

If the required information to calculate the grade is not available after the scan, the grade summary is considered N/A.
Cipher Suite Categories and Color Coding
Cipher suites are sets of algorithms that secure communication over SSL/TLS. They define how data is encrypted, authenticated, and exchanged between servers and clients. Not all cipher suites offer the same level of security. Some are strong and recommended, while others are outdated or unsafe. To make their security level easy to identify, cipher suites are grouped into four categories, each represented by a distinct color code. This helps you quickly understand which suites to keep, review, or disable for better security.
You can view the color coding for each cipher suite category in the table below:
| Color | Label |
|---|---|
| Green | Good |
| Orange | Weak |
| Red | Insecure |
| Default (Black) | Neutral |
To view the Cipher Suites, go to Certificates tab > select Certificate > Hosts > Grades Summary > Cipher Suite and click the + icon present in front of the protocol.

Cipher Suite category details
The Cipher suite categories are classified based on the encryption strength, algorithm type, and protocol behavior. Below are the categories and their conditions:
Good Cipher Suites
Cipher suites in this category use modern encryption methods like AEAD (Authenticated Encryption with Associated Data) modes such as AES-GCM, AES-CCM, or ChaCha20-Poly1305. These provide strong confidentiality and integrity and are recommended for all environments.
Examples:
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_DHE_RSA_WITH_AES_128_CCM
Weak Cipher Suites
Weak Cipher Suites rely on older algorithms or have limited effective strength (less than 112 bits). Common cases include 3DES, IDEA, or GOST. These suites may still be used for legacy compatibility but are not advisable for modern deployments.
Examples:
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- EDH-RSA-DES-CBC3-SHA
- TLS_RSA_WITH_IDEA_CBC_SHA
- TLS_GOSTR341001_WITH_28147_CNT_IMIT
Insecure Cipher Suites
Insecure Cipher Suites use broken or outdated encryption methods. This includes RC4, export ciphers (EXP, EXP1024, DES40), very low strength (less than 128-bit), and CBC mode in older protocols. These suites are vulnerable to known attacks and must be disabled.
Examples:
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
- TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
Default Cipher Suites
The Default Cipher Suites do not match any of the above conditions. They are neither clearly recommended nor flagged as risky. Review them based on your environment and security policies.
Examples:
- Unusual or custom Cipher Suite names that do not trigger the checks above.
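
The category conditions above can be applied to a server's configured cipher list before a scan. The following is an added example, not Certificate View's own logic: it matches name tokens only, does not evaluate key-strength thresholds, and the precedence of the checks (`classify` and `audit` are hypothetical helper names) is an assumption inferred from the examples listed on this page.

```python
import re

# Name tokens taken from the category conditions described on this page.
INSECURE_TOKENS = {"RC4", "DES40"}
WEAK_TOKENS = {"3DES", "CBC3", "IDEA"}        # CBC3 covers the DES-CBC3 spelling
AEAD_TOKENS = {"GCM", "CCM", "CHACHA20"}

COLOR = {"Good": "Green", "Weak": "Orange",
         "Insecure": "Red", "Neutral": "Default (Black)"}


def classify(suite: str) -> str:
    """Return the category label for a cipher suite name (token match only)."""
    tokens = set(re.split(r"[_-]", suite.upper()))
    # Assumed precedence: RC4 and export suites are checked first, so an
    # export suite never ends up in a milder category.
    if tokens & INSECURE_TOKENS or any(t.startswith("EXP") for t in tokens):
        return "Insecure"
    # 3DES/IDEA/GOST are checked before CBC, because the page lists
    # TLS_RSA_WITH_3DES_EDE_CBC_SHA as Weak rather than Insecure.
    if tokens & WEAK_TOKENS or any(t.startswith("GOST") for t in tokens):
        return "Weak"
    if tokens & AEAD_TOKENS:
        return "Good"
    # TLS 1.3 defines no CBC suites, so a CBC suite is always TLS 1.2 or below.
    if "CBC" in tokens:
        return "Insecure"
    # Names that omit the mode (some OpenSSL-style names) also land here.
    return "Neutral"


def audit(suites):
    """Group a configured suite list by category label."""
    report = {label: [] for label in COLOR}
    for name in suites:
        report[classify(name)].append(name)
    return report


if __name__ == "__main__":
    # Constructed sample: suites from this page plus one made-up custom name.
    configured = ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "EDH-RSA-DES-CBC3-SHA",
                  "TLS_RSA_WITH_AES_256_CBC_SHA", "VENDOR_CUSTOM_SUITE_1"]
    for label, names in audit(configured).items():
        print(f"{label:9} ({COLOR[label]}): {names}")
```
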