Modern cipher suite preference
#87 · Recommended · Web Quality · weighted · Security · impl todo
Source: negotiated cipher suite name observed from the live TLS handshake (Container probe via Go's tls.CipherSuiteName, or URL Scanner securityDetails when our Worker can't reach the server directly).
Web Quality factor
This factor is part of Web Quality — the weighted 0..100 score that sits above Web Standards. Its weight depends on what kind of site is being measured. Web Standards items take priority; this factor only enters the score once Web Standards passes.
- Base weight: 0.7, applied to every site type unless overridden below
- Why this weight: modern cipher preference gets a moderate baseline, higher for high-trust sites.
Per-site-type overrides
| Site type | Weight | Δ vs base |
|---|---|---|
| E-commerce | 0.9 | +0.2 |
| Personal site | 0.3 | -0.4 |
| Government | 1.0 | +0.3 |
Site types not listed inherit the base weight.
What this means for your business
Inside every encrypted connection there's a recipe — newer recipes are bank-grade, older ones have known weaknesses. If your server still falls back to the old ones, security scanners and cyber-insurance audits will flag it.
Plain title: The padlock uses strong, modern math
What we measure
We measure whether your server prefers AEAD cipher suites (AES-GCM, ChaCha20-Poly1305) over weaker alternatives. AEAD ciphers are the 2026 baseline — they protect against entire classes of cryptographic attacks (padding oracles, BEAST) by design. CBC suites are still allowed in TLS 1.2 but are considered legacy. RC4 and 3DES are flat-out broken and should never be negotiated.
How to improve your score
Configure your server to prefer AEAD-only suites in TLS 1.2. On Nginx: `ssl_ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!DSS;` and `ssl_prefer_server_ciphers on;`. On Apache: similar via `SSLCipherSuite`. On Cloudflare: SSL/TLS → Edge Certificates → Cipher Suites → Modern. TLS 1.3 only allows AEAD ciphers by protocol, so enabling 1.3 is itself a mostly-equivalent fix.
Facts
Implementation notes
- pass=100: AEAD-only (AES-GCM, ChaCha20-Poly1305).
- warn=60: CBC suites still negotiated (acceptable but not modern).
- fail=0: RC4 or 3DES negotiated.
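One way to apply this rubric to a suite ID taken from a handshake, as an added example (not this methodology's own scoring code, which is still marked todo). The `Verdict` type, the function names and the handling of unnamed IDs are assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Verdict is a hypothetical result type; the scores follow the page's rubric.
type Verdict struct {
	Suite  string
	Status string
	Score  int
}

// ScoreSuite classifies a negotiated suite ID by its Go-reported name.
func ScoreSuite(id uint16) Verdict {
	name := tls.CipherSuiteName(id)
	has := func(s string) bool { return strings.Contains(name, s) }
	switch {
	// Checked first: "TLS_RSA_WITH_3DES_EDE_CBC_SHA" also contains "CBC".
	case has("RC4"), has("3DES"):
		return Verdict{name, "fail", 0}
	case has("GCM"), has("CHACHA20_POLY1305"):
		return Verdict{name, "pass", 100}
	case has("CBC"):
		return Verdict{name, "warn", 60}
	}
	// Assumption: IDs Go cannot name (returned as hex) are unscored, not passed.
	return Verdict{name, "unknown", 0}
}

// ScoreState scores the suite recorded on a completed handshake.
func ScoreState(cs tls.ConnectionState) Verdict { return ScoreSuite(cs.CipherSuite) }

func main() {
	// Constructed sample: suite IDs as a probe might observe them.
	for _, id := range []uint16{
		tls.TLS_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
		tls.TLS_RSA_WITH_RC4_128_SHA,
		0xFFFF,
	} {
		v := ScoreSuite(id)
		fmt.Printf("%-48s %-7s %d\n", v.Suite, v.Status, v.Score)
	}
}
```

The verdict reflects only the suite the server chose for the offer this client sent; suites the probing client never offers cannot be observed from a single handshake.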
Scoring
Scoring formulas are versioned with the methodology. The current method maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite — see the methodology index for the full table.
Version history
| Version | Change | Date |
|---|---|---|
| v0.1 | Factor introduced. Status: proposed. Scoring impl: todo. | 2026-04-25 |