TLS & certificates

Legacy TLS Protocols & Weak Ciphers

Why still accepting old TLS versions or weak ciphers undermines your encryption, and how WebGuard reports them.

Last updated June 9, 2026

What it is

A TLS connection is negotiated using a protocol version (SSL 2.0/3.0, TLS 1.0 through 1.3) and a cipher suite. The older versions and several legacy ciphers have known cryptographic weaknesses, yet servers often keep accepting them for backwards compatibility long after they should be turned off.

Why it matters

SSL 2.0 and 3.0 are broken and TLS 1.0/1.1 are deprecated; continuing to accept them lets an attacker who can influence the connection force a weak handshake. Legacy ciphers (NULL, export-grade, RC4, MD5-based, and DES/3DES) similarly weaken or remove the protection HTTPS is supposed to provide. Disabling them is a one-time configuration change with no downside for modern clients.

How WebGuard checks it

WebGuard inspects the TLS handshake your endpoint offers and reports legacy protocol versions (SSL 2.0/3.0 as critical, TLS 1.0/1.1) and weak cipher suites (NULL, export-grade, RC4, MD5, DES/3DES). It observes the handshake your server already presents. This is read-only, with no exploitation.

A sensible starting configuration:

Minimum protocol: TLS 1.2 (prefer TLS 1.3). Disable RC4, 3DES, export-grade, and NULL ciphers.

Check this on your own domain

WebGuard reviews this alongside the rest of your external exposure in a single read-only pass. Run a free review, or see everything it covers.