Back to Home

Qualys SSL Labs

Our A+ Rating – What does it mean and how did we get it?

Qualys SSL Labs A+

1. The Qualys SSL Labs – what is it and why does it matter?

Qualys SSL Labs is the de facto industry standard for evaluating TLS/SSL configurations. It has been operating since 2009 and has become the world's most recognized web security testing tool: security researchers, system administrators, PCI-DSS auditors, compliance engineers, and enterprise vendor assessment processes all refer to its results. The tool is free, publicly available, and provides the single most reliable reference on whether a web server's TLS implementation meets current security expectations.

The essence of the test is that it does not merely check if a site uses HTTPS – which is now a basic requirement for most of the internet – but whether the cryptographic configuration behind the HTTPS connection is truly secure. A poorly configured TLS server remains just as vulnerable to man-in-the-middle, protocol downgrade, and oracle-based attacks as if it were not encrypting at all.

SSL Labs exclusively examines publicly available, remotely detectable information – it performs no active penetration attempts and requires no access to code or server configurations. Everything that a well-prepared external attacker or a security auditor can see remotely is also seen and evaluated by SSL Labs.

2. What does Qualys SSL Labs test?

The evaluation consists of four steps: certificate validation, numerical scoring across three categories, calculating an overall grade, and then applying grade modifiers. The final step – the system of rule-based modifiers – is what makes the test truly strict and professionally credible: certain severe shortcomings instantly and unconditionally result in the lowest grade, regardless of how high the server scored in other areas.

2.1. Certificate validation

The first step of the evaluation is validating the server's TLS certificate. Certain certificate errors immediately exclude the server from normal (A–F) grading and result in a special grade:

2.2. Numerical scoring – the three categories

The base numerical score is calculated as a weighted average of three categories. In each category, 0–100 points can be achieved, and a score of 0 in any of them automatically pulls the total score down to 0.

Category Weight What does it measure?
Protocol support30%Which TLS/SSL versions are active on the server
Key Exchange30%The cryptographic strength of the key exchange algorithm
Cipher Strength40%The strength of the symmetric encryption suite

Protocol support (30%)
The algorithm: the average score of the strongest and the weakest supported protocols. This means that enabling a single outdated protocol drastically degrades the result, even if the server otherwise supports the most modern protocols.

Key Exchange strength (30%)
This category measures the cryptographic strength of the key exchange mechanism used during the TLS handshake. Key aspects include:

Cipher suite strength (40%)
The algorithm: the average score of the strongest and the weakest supported cipher suite – similarly to protocol support, this implies that enabling a single weak cipher suite degrades the overall result.

3. The grading system

An A–F grade is fundamentally derived from the combined numerical score. However, this can be overridden by rule-based modifiers – automatic F-thresholds, grade caps, and rewards for exceptional configuration. The most important rule: the A+ grade can only be achieved in a positive manner, meaning it is only awarded to those who already achieve an A grade based on their base score AND fulfill the requirements for an exceptional configuration.

Numerical Score Grade Evaluation
≥ 80A (base)Strong base configuration
≥ 65BAdequate – with minor shortcomings
≥ 50CWeak – with outdated elements
≥ 35DSerious problems
≥ 20ESevere shortcomings
< 20FExploitably vulnerable
— (overrides)A+Exceptional config: A + valid HSTS (≥6 mo) + TLS 1.3
— (overrides)A−Good, but with a warning (e.g. missing TLS 1.3, missing HSTS)
— (overrides)TCertificate not trusted (unknown CA)
— (overrides)MHostname does not match the certificate
— (overrides)F (immediate)Revoked certificate, critical vulnerability

3.1. Conditions triggering an immediate F grade

Any of the following errors and vulnerabilities immediately result in an F grade, regardless of the numerical score:

Triggering condition Effect
Revoked certificateImmediate F
Expired certificateImmediate F
Untrusted CA (self-signed, etc.)Grade T
SSL 2.0 supportedF
Insecure renegotiation enabledF
Heartbleed (CVE-2014-0160)F
POODLE TLS (CVE-2014-3566 TLS version)F
DROWN (SSLv2 cross-protocol attack)F
ROBOT (Bleichenbacher oracle)F
Zombie/Sleeping POODLE, GOLDENDOODLE, CVE-2019-1559F
Export cipher suite enabledF
Insecure DH parameter (< 1024 bit)F

3.2. Grade caps

The following configuration deficiencies do not result in an immediate F, but cap the server at a specified maximum grade:

Condition Maximum grade
TLS 1.0 or TLS 1.1 supportedB (cap)
SSL 3.0 supportedB (cap)
Forward Secrecy not supportedB (cap)
AEAD encryption not supportedB (cap)
RC4 supportedB (cap)
Weak DH parameter (< 2048 bit)B (cap)
TLS 1.2 not supportedC (cap) – older rule
3DES in CBC mode with TLS 1.1+C (cap)
CRIME vulnerabilityC (cap)
TLS 1.3 not supported (since 2009r, May 2025)A− (with warning)
HSTS missing or invalid (since 2009r, May 2025)A− (with warning)

3.3. Conditions for an A+ grade (2009r, May 2025)

According to the current 2009r version of the grading methodology (last updated: May 16, 2025), the conditions for an A+ grade are:

4. How do websites generally perform?

The SSL Labs SSL Pulse project continuously monitors the 150,000 most popular TLS-enabled websites globally. According to the latest data from June 2025:

Important context: SSL Pulse monitors the most popular, and therefore typically the best-maintained websites on the internet. A general average of the web – including smaller, less maintained sites – would show significantly worse results.

5. What does our A+ rating mean?

Obtaining the A+ grade means that our site's TLS/SSL configuration complies with every single condition of the current (2009r, May 2025) grading methodology. Specifically:

From the perspective of the 2009r (May 2025) revision, this is particularly important: with the latest update, TLS 1.3 support and valid HSTS became mandatory conditions for an A+. Many servers that previously achieved an A+ grade now only receive an A−, as they do not meet these newer expectations. We fulfill all new conditions as well.

6. The limitations of SSL Labs – what the test does not measure

SSL Labs – similarly to the MDN Observatory – exclusively evaluates configuration problems that can be automatically detected remotely. The following, equally important security areas are not part of the assessment:

These limitations do not diminish the value of SSL Labs – on the contrary: the tool is extremely thorough and reliable in the areas it covers. A+ is the highest verifiable level regarding TLS/SSL configuration quality; in our case, the comprehensive security picture is completed by our 130/100 MDN Observatory result and our 100% Internet.nl rating.

7. Summary

Qualys SSL Labs is the most recognized and authentic TLS/SSL configuration testing tool in the industry, whose results are accepted as a reference by compliance frameworks, security audits, and enterprise vendor assessment processes alike.

Our A+ rating – measured against the 2009r (May 2025) methodology – means that our server:

Achieving the A+ grade is technically non-trivial: according to 2025 data, only about 14% of the world's 150,000 most popular websites reach this level, and with the recent 2009r update, the conditions became even stricter. This result verifies the highest achievable quality level of our server's TLS configuration.

Source: Qualys SSL Labs – ssllabs.com/ssltest · Rating Guide: github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
Current methodology version: 2009r · Last updated: May 16, 2025.