SiteAlertAI SiteAlertAI
⬡ Web Scan 🔒 SSL/TLS 📬 MX Record ✉ Email Header 🎣 URL Check 🌍 IP Geo
⬡ Web Scan 🔒 SSL/TLS 📬 MX Record ✉ Email Header 🎣 URL Check 🌍 IP Geo
← All guides

TLS Cipher Strength: Forward Secrecy, AEAD and Weak Ciphers

A valid certificate is only half of TLS security; the negotiated cipher matters too. A modern configuration provides forward secrecy and uses an AEAD cipher, while old ciphers like RC4 and 3DES should be disabled.

Forward secrecy

Forward secrecy (via ECDHE or DHE key exchange, and always in TLS 1.3) means a future compromise of your private key cannot decrypt traffic captured today. Static-RSA key exchange lacks this and should be avoided.

AEAD vs CBC

AEAD ciphers (AES-GCM, ChaCha20-Poly1305) combine encryption and integrity and resist the padding-oracle attacks that affect older CBC-mode ciphers. Prefer AEAD and disable RC4, 3DES, EXPORT and NULL ciphers entirely.

🛰 Grade your TLS →

Related guides

  • What Is HSTS and How Do I Enable It?
  • Content-Security-Policy Explained (and How to Fix a Weak One)
  • Mixed Content: Why Your HTTPS Padlock Breaks
SiteAlertAI · © 2026 All rights reserved · Built for security professionals and developers.
Blog Guides Privacy Terms About Contact Social

⚠ For authorised security testing only. Scanning domains you do not own may violate laws in your jurisdiction. SiteAlertAI accepts no liability for misuse. CVE data is indicative — verify with NVD.