Defaults.Exposed

Defaults.Exposed › Reports

Weak and Outdated TLS: Is Your Site Still Serving Old Encryption? (2026)

Published 2026-07-01

Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains; TLS-version figures are the share of domains reachable over HTTPS. TLS is the protocol behind the padlock; “weak” means old versions or ciphers browsers and auditors no longer trust. See how we grade.

The web has largely moved on from old encryption — but a strong padlock isn’t guaranteed, and the weak link today is more often the certificate than the protocol. Of sites reachable over HTTPS, 90.51% now negotiate modern TLS 1.3 and the large majority of the rest use TLS 1.2. So weak protocol versions are the exception, not the rule. Where “weak TLS” still bites is subtler: servers that quietly still accept old versions, weak ciphers, and — most commonly — certificates that are simply broken. Here’s how to tell whether you’re the exception.

What “weak TLS” means in 2026

Where the web actually stands

Best TLS version negotiated, share of HTTPS-reachable domains, as of 2026-06-29:

Best TLS versionShare
TLS 1.3 (current)90.51%
TLS 1.2 (acceptable floor)5.38%
TLS 1.1 / 1.0 (deprecated)0.00%

Protocol-wise the picture is healthy. The gap now is elsewhere: 8.21% of certificates are invalid, and only 78.02% of all domains serve HTTPS at all — so a fifth of the web still isn’t encrypted in the first place.

Why it still matters even though most sites are fine

How to make sure your TLS is strong

  1. Set the minimum version to TLS 1.2 and enable TLS 1.3 at the server or CDN — and confirm old versions are refused, not just unused. See fix TLS.
  2. Modernise ciphers — prefer suites with forward secrecy; drop RC4, 3DES and export-grade ciphers.
  3. Keep the certificate valid — the more common failure. See fix certificate errors.
  4. Force HTTPS and add HSTS so downgrades to plain HTTP are refused.
  5. Re-test from outside — weak TLS is invisible in a browser, so confirm with an external check.

Frequently asked questions

Is my TLS out of date? Probably not by version — 90.51% of HTTPS sites use TLS 1.3. The more likely weakness is a certificate problem (8.21% of certificates are invalid) or a server still accepting old versions behind a modern default.

Is TLS 1.2 still OK? Yes — TLS 1.2 is an acceptable floor and TLS 1.3 is preferred. The concern is anything below 1.2 still being accepted.

Will disabling old TLS break older visitors? Very few modern clients need TLS 1.0/1.1; the compatibility cost is now minimal against the compliance and security benefit.

Does weak TLS show a browser warning? A weak protocol or cipher usually doesn’t — it surfaces in audits and scans. A broken certificate, on the other hand, does warn visitors directly.

Is fixing it free? Yes — it’s a server or CDN configuration change, not a purchase.

Check your TLS configuration free

See your TLS versions, cipher strength, and certificate status — privately, and owner-only.

Check your domain → · Fix TLS → · Why does my website say “Not Secure”? → · How we grade → · Aggregate data only. Data stored and processed in the EU.