Defaults.Exposed › Reports
Weak and Outdated TLS: Is Your Site Still Serving Old Encryption? (2026)
Published 2026-07-01
Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains; TLS-version figures are the share of domains reachable over HTTPS. TLS is the protocol behind the padlock; “weak” means old versions or ciphers browsers and auditors no longer trust. See how we grade.
The web has largely moved on from old encryption — but a strong padlock isn’t guaranteed, and the weak link today is more often the certificate than the protocol. Of sites reachable over HTTPS, 90.51% now negotiate modern TLS 1.3 and the large majority of the rest use TLS 1.2. So weak protocol versions are the exception, not the rule. Where “weak TLS” still bites is subtler: servers that quietly still accept old versions, weak ciphers, and — most commonly — certificates that are simply broken. Here’s how to tell whether you’re the exception.
What “weak TLS” means in 2026
- Legacy protocol versions. TLS 1.0 and 1.1 were deprecated in 2021. As a negotiated version they’re now rare — but a server can default to TLS 1.3 while still accepting a downgrade to 1.0 if asked, which audits flag.
- Weak cipher suites. Old algorithms (RC4, 3DES, export ciphers) and missing forward secrecy weaken a connection even on a modern version.
- A broken certificate. This is the common one: encryption strength and certificate validity are separate, and a valid TLS 1.3 handshake with an invalid certificate still shows visitors a warning. 8.21% of domains presenting a certificate serve an invalid one — see my certificate expired.
Where the web actually stands
Best TLS version negotiated, share of HTTPS-reachable domains, as of 2026-06-29:
| Best TLS version | Share |
|---|---|
| TLS 1.3 (current) | 90.51% |
| TLS 1.2 (acceptable floor) | 5.38% |
| TLS 1.1 / 1.0 (deprecated) | 0.00% |
Protocol-wise the picture is healthy. The gap now is elsewhere: 8.21% of certificates are invalid, and only 78.02% of all domains serve HTTPS at all — so a fifth of the web still isn’t encrypted in the first place.
Why it still matters even though most sites are fine
- Compliance line-items. PCI-DSS, many security questionnaires, and government baselines require TLS 1.2+ and that old versions and weak ciphers are actively disabled — not merely unused-by-default. See what questionnaires check.
- Downgrade exposure. If a server still accepts an old version, an attacker can try to force a weaker connection than either side wanted.
- Silent risk. Weak-but-present TLS and a still-accepted old cipher rarely trigger a browser warning, so they survive until someone actively checks.
How to make sure your TLS is strong
- Set the minimum version to TLS 1.2 and enable TLS 1.3 at the server or CDN — and confirm old versions are refused, not just unused. See fix TLS.
- Modernise ciphers — prefer suites with forward secrecy; drop RC4, 3DES and export-grade ciphers.
- Keep the certificate valid — the more common failure. See fix certificate errors.
- Force HTTPS and add HSTS so downgrades to plain HTTP are refused.
- Re-test from outside — weak TLS is invisible in a browser, so confirm with an external check.
Frequently asked questions
Is my TLS out of date? Probably not by version — 90.51% of HTTPS sites use TLS 1.3. The more likely weakness is a certificate problem (8.21% of certificates are invalid) or a server still accepting old versions behind a modern default.
Is TLS 1.2 still OK? Yes — TLS 1.2 is an acceptable floor and TLS 1.3 is preferred. The concern is anything below 1.2 still being accepted.
Will disabling old TLS break older visitors? Very few modern clients need TLS 1.0/1.1; the compatibility cost is now minimal against the compliance and security benefit.
Does weak TLS show a browser warning? A weak protocol or cipher usually doesn’t — it surfaces in audits and scans. A broken certificate, on the other hand, does warn visitors directly.
Is fixing it free? Yes — it’s a server or CDN configuration change, not a purchase.
Check your TLS configuration free
See your TLS versions, cipher strength, and certificate status — privately, and owner-only.
Check your domain → · Fix TLS → · Why does my website say “Not Secure”? → · How we grade → · Aggregate data only. Data stored and processed in the EU.