Qualys SSL Labs
Our A+ Rating – What does it mean and how did we get it?
Table of Contents
1. The Qualys SSL Labs – what is it and why does it matter?
Qualys SSL Labs is the de facto industry standard for evaluating TLS/SSL configurations. It has been operating since 2009 and has become the world's most recognized web security testing tool: security researchers, system administrators, PCI-DSS auditors, compliance engineers, and enterprise vendor assessment processes all refer to its results. The tool is free, publicly available, and provides the single most reliable reference on whether a web server's TLS implementation meets current security expectations.
The essence of the test is that it does not merely check if a site uses HTTPS – which is now a basic requirement for most of the internet – but whether the cryptographic configuration behind the HTTPS connection is truly secure. A poorly configured TLS server remains just as vulnerable to man-in-the-middle, protocol downgrade, and oracle-based attacks as if it were not encrypting at all.
SSL Labs exclusively examines publicly available, remotely detectable information – it performs no active penetration attempts and requires no access to code or server configurations. Everything that a well-prepared external attacker or a security auditor can see remotely is also seen and evaluated by SSL Labs.
2. What does Qualys SSL Labs test?
The evaluation consists of four steps: certificate validation, numerical scoring across three categories, calculating an overall grade, and then applying grade modifiers. The final step – the system of rule-based modifiers – is what makes the test truly strict and professionally credible: certain severe shortcomings instantly and unconditionally result in the lowest grade, regardless of how high the server scored in other areas.
2.1. Certificate validation
The first step of the evaluation is validating the server's TLS certificate. Certain certificate errors immediately exclude the server from normal (A–F) grading and result in a special grade:
- Domain mismatch (Grade M): if the hostname in the certificate does not match the actual domain, the server receives an M (Mismatch) grade.
- Untrusted certificate (Grade T): in the case of a self-signed certificate, an unknown CA, an expired certificate, or a revoked certificate, the server receives a T (Trust) grade – which is worse than the standard evaluation.
- Certificate chain completeness: if the server does not send the complete certificate chain (intermediate CAs), mobile browsers and certain clients will report a certificate error. This caps the final result at a B grade.
- Signature algorithm: Certificates with MD5 or MD5-based signatures result in an immediate F grade. SHA-1 certificates are no longer accepted by browsers (Grade T).
2.2. Numerical scoring – the three categories
The base numerical score is calculated as a weighted average of three categories. In each category, 0–100 points can be achieved, and a score of 0 in any of them automatically pulls the total score down to 0.
| Category | Weight | What does it measure? |
|---|---|---|
| Protocol support | 30% | Which TLS/SSL versions are active on the server |
| Key Exchange | 30% | The cryptographic strength of the key exchange algorithm |
| Cipher Strength | 40% | The strength of the symmetric encryption suite |
Protocol support (30%)
The algorithm: the average score of the strongest and the weakest supported protocols. This means that enabling a single outdated protocol drastically degrades the result, even if the server otherwise supports the most modern protocols.
- SSL 2.0: 0 points – and also results in an immediate F grade.
- SSL 3.0: 80 points – but caps the grade at B.
- TLS 1.0: 90 points – caps the grade at B since the 2009q (2020) revision.
- TLS 1.1: 95 points – also caps the grade at B.
- TLS 1.2: 100 points – this is the expected minimum today.
- TLS 1.3: 100 points – since the 2009r (May 2025) revision, the lack of TLS 1.3 caps the grade at A−.
Key Exchange strength (30%)
This category measures the cryptographic strength of the key exchange mechanism used during the TLS handshake. Key aspects include:
- Forward Secrecy: ECDHE and DHE based key exchange algorithms ensure that even if the private key is compromised, past sessions cannot be decrypted. The lack of Forward Secrecy caps the result at a B grade.
- DH parameter strength: in the case of a DHE key exchange, the strength of the Diffie-Hellman parameters is decisive. DH parameters smaller than 2048 bits cap the grade at B; parameters smaller than 1024 bits result in an F grade.
- ECDHE preference: in modern implementations, ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) is the expected key exchange mechanism, which provides both Forward Secrecy and excellent performance.
- RSA key strength: for RSA-based certificates, a 2048-bit key length is the minimum requirement; a 4096-bit key yields a 100% score in this dimension.
Cipher suite strength (40%)
The algorithm: the average score of the strongest and the weakest supported cipher suite – similarly to protocol support, this implies that enabling a single weak cipher suite degrades the overall result.
- 0-bit encryption (NULL cipher): 0 points.
- Weakness below 128 bits (e.g. 40, 56-bit export ciphers): 20 points – and results in an immediate F.
- 128–255 bits (e.g. AES-128, 3DES): 80 points.
- 256 bits and above (e.g. AES-256, ChaCha20): 100 points.
- RC4: broken algorithm – caps the grade at B.
- 3DES in CBC mode with TLS 1.1+: caps the grade at C (SWEET32 vulnerability).
- AEAD cipher suites (e.g. AES-GCM, ChaCha20-Poly1305): lack of these caps the grade at B.
3. The grading system
An A–F grade is fundamentally derived from the combined numerical score. However, this can be overridden by rule-based modifiers – automatic F-thresholds, grade caps, and rewards for exceptional configuration. The most important rule: the A+ grade can only be achieved in a positive manner, meaning it is only awarded to those who already achieve an A grade based on their base score AND fulfill the requirements for an exceptional configuration.
| Numerical Score | Grade | Evaluation |
|---|---|---|
| ≥ 80 | A (base) | Strong base configuration |
| ≥ 65 | B | Adequate – with minor shortcomings |
| ≥ 50 | C | Weak – with outdated elements |
| ≥ 35 | D | Serious problems |
| ≥ 20 | E | Severe shortcomings |
| < 20 | F | Exploitably vulnerable |
| — (overrides) | A+ | Exceptional config: A + valid HSTS (≥6 mo) + TLS 1.3 |
| — (overrides) | A− | Good, but with a warning (e.g. missing TLS 1.3, missing HSTS) |
| — (overrides) | T | Certificate not trusted (unknown CA) |
| — (overrides) | M | Hostname does not match the certificate |
| — (overrides) | F (immediate) | Revoked certificate, critical vulnerability |
3.1. Conditions triggering an immediate F grade
Any of the following errors and vulnerabilities immediately result in an F grade, regardless of the numerical score:
| Triggering condition | Effect |
|---|---|
| Revoked certificate | Immediate F |
| Expired certificate | Immediate F |
| Untrusted CA (self-signed, etc.) | Grade T |
| SSL 2.0 supported | F |
| Insecure renegotiation enabled | F |
| Heartbleed (CVE-2014-0160) | F |
| POODLE TLS (CVE-2014-3566 TLS version) | F |
| DROWN (SSLv2 cross-protocol attack) | F |
| ROBOT (Bleichenbacher oracle) | F |
| Zombie/Sleeping POODLE, GOLDENDOODLE, CVE-2019-1559 | F |
| Export cipher suite enabled | F |
| Insecure DH parameter (< 1024 bit) | F |
3.2. Grade caps
The following configuration deficiencies do not result in an immediate F, but cap the server at a specified maximum grade:
| Condition | Maximum grade |
|---|---|
| TLS 1.0 or TLS 1.1 supported | B (cap) |
| SSL 3.0 supported | B (cap) |
| Forward Secrecy not supported | B (cap) |
| AEAD encryption not supported | B (cap) |
| RC4 supported | B (cap) |
| Weak DH parameter (< 2048 bit) | B (cap) |
| TLS 1.2 not supported | C (cap) – older rule |
| 3DES in CBC mode with TLS 1.1+ | C (cap) |
| CRIME vulnerability | C (cap) |
| TLS 1.3 not supported (since 2009r, May 2025) | A− (with warning) |
| HSTS missing or invalid (since 2009r, May 2025) | A− (with warning) |
3.3. Conditions for an A+ grade (2009r, May 2025)
According to the current 2009r version of the grading methodology (last updated: May 16, 2025), the conditions for an A+ grade are:
- The base score reaches the A level of 80, and no grade-capping condition is present.
- HTTP Strict Transport Security (HSTS) is validly implemented with a max-age value of at least 6 months (15,768,000 seconds). Under the 2009r revision, missing or invalid HSTS drops the grade to A−.
- TLS 1.3 is supported. Since the 2009r revision (May 2025), the lack of TLS 1.3 caps the grade at A−, meaning A+ is entirely unreachable without TLS 1.3.
- There is not a single warning – the slightest configuration deficiency results in an A− instead of an A, which disqualifies the server from an A+.
4. How do websites generally perform?
The SSL Labs SSL Pulse project continuously monitors the 150,000 most popular TLS-enabled websites globally. According to the latest data from June 2025:
- 134,380 websites were tested: this is the number of sites from the list of approximately 150,000 that actually use HTTPS.
- 28.7% failed to meet basic requirements: 38,605 sites received a B, C, D, or F grade – due to incomplete certificate chains or weak encryption.
- A+ grade: according to available data, only about 14% of the tested sites achieve the A+ level. This is a very narrow field.
- TLS 1.3 adoption: 75.3% of top websites already support TLS 1.3 – but this also means that nearly a quarter still do not, which now translates to an A− for them under the 2009r rules.
- Most common problems: incomplete certificate chain, outdated cipher suites, weak DH parameters, and lack of HSTS.
Important context: SSL Pulse monitors the most popular, and therefore typically the best-maintained websites on the internet. A general average of the web – including smaller, less maintained sites – would show significantly worse results.
5. What does our A+ rating mean?
Obtaining the A+ grade means that our site's TLS/SSL configuration complies with every single condition of the current (2009r, May 2025) grading methodology. Specifically:
- Exclusively TLS 1.2 and TLS 1.3 supported: the outdated SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 protocols are disabled. With this, we achieved a 100% score in the protocol support category and avoided all related grade caps.
- TLS 1.3 is actively supported: one of the strictest updates of the May 2025 2009r revision is that the lack of TLS 1.3 now caps the grade at A−. Our server fulfills this requirement.
- Only modern AEAD cipher suites enabled: AES-256-GCM, AES-128-GCM, ChaCha20-Poly1305. RC4, 3DES, and CBC-mode suites are disabled. This yields a 100% score in the cipher strength category.
- Forward Secrecy ensured on all connections: by exclusively applying ECDHE and DHE based key exchange algorithms. A potential compromise of the server's private key does not allow past sessions to be decrypted.
- Strong cryptographic parameters: at least a 2048-bit RSA key (probably 4096-bit, which yields a 100% score in the key exchange category) or an elliptic curve-based key that is equivalent in strength to a 3072+ bit RSA key.
- HSTS is validly implemented: with a max-age value of at least 6 months. Since 2009r, the lack of HSTS results in an A−, making this a mandatory condition for achieving an A+.
- Full certificate chain: the server sends the certificate along with the intermediate CA certificates, so no warning is generated in any client.
- Not a single vulnerability is detectable: the configuration is protected against Heartbleed, POODLE, DROWN, ROBOT, CRIME, BEAST, and all known SSL/TLS vulnerabilities.
From the perspective of the 2009r (May 2025) revision, this is particularly important: with the latest update, TLS 1.3 support and valid HSTS became mandatory conditions for an A+. Many servers that previously achieved an A+ grade now only receive an A−, as they do not meet these newer expectations. We fulfill all new conditions as well.
6. The limitations of SSL Labs – what the test does not measure
SSL Labs – similarly to the MDN Observatory – exclusively evaluates configuration problems that can be automatically detected remotely. The following, equally important security areas are not part of the assessment:
- Application-level vulnerabilities: SQL injection, XSS, CSRF, insecure direct object reference, and other OWASP Top 10 categories.
- Certificate type quality: the test does not distinguish between DV (Domain Validated), OV (Organization Validated), and EV (Extended Validation) certificates in its scoring.
- HTTP header-level security: Content Security Policy, X-Frame-Options, and similar headers – these are evaluated by the MDN Observatory.
- Software versions and patch levels: vulnerabilities in outdated operating systems, web server software, or open-source libraries.
- Session management: setting Secure/HttpOnly for session cookies, session token handling.
- Post-Quantum Cryptography (PQC): the future risk to RSA and ECC algorithms with the advent of quantum computers – this area is currently under active standardization (NIST PQC) and is not yet evaluated by SSL Labs.
These limitations do not diminish the value of SSL Labs – on the contrary: the tool is extremely thorough and reliable in the areas it covers. A+ is the highest verifiable level regarding TLS/SSL configuration quality; in our case, the comprehensive security picture is completed by our 130/100 MDN Observatory result and our 100% Internet.nl rating.
7. Summary
Qualys SSL Labs is the most recognized and authentic TLS/SSL configuration testing tool in the industry, whose results are accepted as a reference by compliance frameworks, security audits, and enterprise vendor assessment processes alike.
Our A+ rating – measured against the 2009r (May 2025) methodology – means that our server:
- supports exclusively modern, secure TLS protocols (TLS 1.2, TLS 1.3);
- meets the TLS 1.3 requirement mandatory since May 2025;
- applies only strong, AEAD-based cipher suites;
- ensures Forward Secrecy on every connection;
- has a valid and proper HSTS implementation;
- has not a single known SSL/TLS vulnerability;
- and received not a single warning – which is the indispensable condition for an A+ and not merely an A− result.
Achieving the A+ grade is technically non-trivial: according to 2025 data, only about 14% of the world's 150,000 most popular websites reach this level, and with the recent 2009r update, the conditions became even stricter. This result verifies the highest achievable quality level of our server's TLS configuration.
Source: Qualys SSL Labs – ssllabs.com/ssltest · Rating Guide: github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
Current methodology version: 2009r · Last updated: May 16, 2025.