SSLBoard - Frequently Asked Questions

What is SSLBoard?

SSLBoard scans a domain's public endpoints and reports on its TLS health. Paste in a domain and you get a full breakdown: certificates, protocol versions, cipher suites, forward secrecy, key strength, HSTS, and post-quantum readiness. No account, no subscription.

Do I need to create an account or sign up?

No. Your first scan of any domain is free: no account, no email, no payment info. You get the full report.

How does the pricing work?

SSLBoard is pay-per-use. Your first scan of any domain is free: no credit card, no account. The only thing you pay for is a re-scan: a fresh analysis of a domain you've already scanned, usually after you've fixed something and want to confirm it.

Re-scan pricing:
- Fewer than 10 endpoints: $5
- 10 or more endpoints: $20

You see the exact price before you pay. No hidden fees, no subscriptions, no automatic renewals.

What do I get for free?

Everything, on your first scan. That means the full report: score, findings, affected hostnames, IP:port combinations, certificate inventory, per-endpoint TLS version breakdowns, weak cipher details, forward secrecy gaps, key strength analysis, HSTS/redirect status, connection errors, post-quantum readiness, DNSSEC status, adjacent domain discovery, and export. All of it, at no cost, the first time you scan a domain.

What exactly does a report cover?

The report is split into ten sections:
1. Certificates: Expiration dates, issuer distribution, and CAA policy verification
2. TLS Versions: Which protocol versions each endpoint supports, with deprecated version warnings
3. Weak Cipher Suites: Insecure ciphers in use (3DES, RC4, NULL, EXPORT, CBC) with CVE references
4. Forward Secrecy: PFS support across all endpoints
5. Key Analysis: RSA key sizes, ECC curves, and RSA-only hosts
6. Web Hardening: HTTPS redirect and HSTS policy status
7. Connection Errors: DNS failures, timeouts, and certificate validation issues
8. Post-Quantum Readiness: Hybrid key exchange (ML-KEM) support per endpoint
9. DNSSEC: Whether the domain's DNS is protected against spoofing and manipulation
10. Adjacent Domains: Other domains covered by your certificates (SAN analysis)

How does the scan work?

SSLBoard pulls your certificates from Certificate Transparency logs, then connects directly to every discovered endpoint to test actual TLS handshakes. It checks protocol versions, cipher suites, key exchanges, certificate deployment, HSTS headers, and HTTP redirects across every IP address and port combination for each hostname. The whole thing takes a few minutes.

Do you install anything on my servers?

No. We scan your public endpoints from the outside, the same way an attacker or auditor would. Nothing to install, no firewall rules to change, no credentials to share.

How long does a scan take?

It depends on how many endpoints we find. A domain with 400 endpoints takes about 90 seconds. Most domains are smaller than that, so under a minute is typical. If you don't want to wait around, enter your email before starting and we'll send you a link when the report is ready.

Can I use the report to prepare for a PCI DSS or compliance audit?

Yes, with a caveat. The report covers your SSL/TLS inventory, certificate verification, weak cipher identification, deprecated TLS version usage, and revocation status, all of which PCI DSS cares about under its strong cryptography requirements. You can export the data or share the report link with your QSA or auditor as supporting evidence. See our compliance page for a breakdown of how SSLBoard maps to specific frameworks.

That said, SSLBoard is not a certified auditing tool. It doesn't constitute a formal compliance assessment or certification under PCI DSS, GDPR, HIPAA, NIS2, SOC 2, or any other framework. Getting certified is still your job.

What is the TLS score and how is it calculated?

Every report includes a weighted TLS score from 0 to 100, graded as Poor, Fair, Good, or Excellent. The score is built from seven categories, each weighted by how much it affects real-world security:

- Certificate health: 30% (expired or revoked certificates hit hardest)
- Confidentiality and agility: 20% (forward secrecy, DNSSEC)
- Weak cipher suites: 15%
- Deprecated protocols: 15% (SSLv3, TLS 1.0, TLS 1.1)
- Web hardening: 10% (HSTS, HTTP redirect)
- Reliability: 5%
- Future readiness: 5% (TLS 1.3, ECC, post-quantum)

If your score is low, fix certificates and forward secrecy first — they carry the most weight. Protocol and cipher issues are next.

Can I re-run a scan later to track improvement?

Yes. Once you've fixed something, run a fresh scan to confirm it. Re-scans are paid per use (see pricing), no subscription. Each one produces a new, independent report so you can see exactly what changed.

What data does SSLBoard collect about me or my servers?

SSLBoard only uses publicly available data: Certificate Transparency logs and standard TCP/TLS connections to your public endpoints. We don't collect anything sensitive, install anything on your infrastructure, or build a profile of you or your organization.

Scan results are stored indefinitely so your report link keeps working. The URL isn't indexed or published anywhere — only people you share the link with can access it.

Can I share the report with my team or a client?

Yes. The report link works for anyone who has it — no login, no account required. It doesn't expire. The URL isn't indexed or listed anywhere, so it's only accessible to people you send it to.

You can also export the full report in Markdown, CSV, or JSON if you need to drop it into a ticket, a spreadsheet, or your own tooling.

How is SSLBoard different from free SSL checkers?

Free SSL checkers like SSL Labs test a single hostname. SSLBoard discovers every endpoint across your domain by pulling from Certificate Transparency logs — every IP, every port — and scores them across ten TLS health categories with CVE references, cipher-level detail, and export. The scope is closer to what a penetration tester would cover than a quick certificate lookup.

What does post-quantum readiness mean?

Post-quantum readiness is whether your endpoints support hybrid key exchanges — like X25519+MLKEM768 — that a quantum computer couldn't break. This isn't purely a future concern: NIST finalized the ML-KEM standard in 2024, Chrome and Firefox already negotiate it, and enterprise procurement requirements are starting to ask about it. SSLBoard checks every endpoint and tells you which ones are already negotiating post-quantum key exchange and which aren't, so you have a concrete list to work from.