
SSL/TLS Report

  • Domain: tesla.com
  • Scanned: 4/4/2026, 2:43:06 PM
  • Score: ⚠️ 76/100 (Fair)
  • Certificates: 424
  • Hostnames: 338
  • Endpoints: 297
  • IP:Port combinations: 172


8 warnings, 5 info

Score Breakdown

  • Ciphers: 30/100 (weight 15%, penalty 70) *
  • Future Readiness: 56/100 (weight 5%, penalty 44)
  • Web Hardening: 78/100 (weight 10%, penalty 22)
  • Certificate Health: 81/100 (weight 30%, penalty 19)
  • Confidentiality and Agility: 84/100 (weight 20%, penalty 16)
  • Reliability: 95/100 (weight 5%, penalty 5)
  • Protocols: 100/100 (weight 15%, penalty 0)

Executive Summary

tesla.com scored 74/100 (Fair) with a generally modern TLS posture, including universal TLS 1.2/1.3 usage, forward secrecy across the estate, and broad TLS 1.3 support. At this scale—338 hosts across the domain—the main factor holding the score down is cipher configuration: weak or deprecated cipher suites are available on 97% of hosts, making this an estate-wide consistency and remediation issue rather than an isolated exception. Certificate operations also need immediate attention, with one certificate expiring within 7 days as an explicit outage risk and 10 more expiring within 30 days, while a small number of endpoints are already returning TLS or certificate errors. Secondary hardening gaps are more limited, including missing HTTPS redirects on 4.7% of hosts and missing HSTS on 3.6%, and no CAA policy is published.

Strengths

  • TLS 1.3 support: 279 of 297 endpoints (94%) support TLS 1.3.
  • Strong certificate keys: All 71 active certificates use strong keys (RSA 2048+, P-256+, or Ed25519/Ed448).
  • Certificate issuer diversity: 5 trusted CAs in rotation for non-expired certificates, which supports redundancy and renewal flexibility.
  • Modern TLS versions only: All endpoints use only TLS 1.2 and 1.3; no deprecated SSLv3 or TLS 1.0/1.1.
  • Forward secrecy: All endpoints provide forward secrecy (TLS 1.3 and/or ECDHE/DHE).

Key Findings

  • 🔴 Certificate expiring within 7 days: 1 certificate expiring within 7 days. Renew soon to avoid outages.
  • 🟡 Certificate expiring within 30 days: 10 certificates expiring within 30 days. Plan renewal.
  • 🟡 Weak cipher suites detected (560 hosts, 802 endpoints): 802 endpoints across 560 hosts negotiate weak or deprecated cipher suites, reducing transport security.
  • 🟡 TLS or certificate errors (4 hosts, 9 endpoints): 9 endpoints across 4 hosts returned TLS handshake or certificate errors. These indicate real misconfigurations that should be investigated.
  • 🔵 No CAA policies published: No CAA policies were found. Publishing CAA records can restrict which certificate authorities may issue for this estate.
  • 🔵 Not fully PQC ready (103 hosts, 209 endpoints): 209 endpoints are not yet post-quantum ready. Consider enabling PQC key exchange where supported.
  • 🔵 HTTP redirects not enforced (16 hosts, 16 endpoints): 16 hosts serving HTTP on port 80 do not redirect to HTTPS.
  • 🔵 HSTS not configured (12 hosts, 12 endpoints): 12 hosts do not serve HSTS headers.
  • 🔵 RSA-only hosts (87 hosts, 238 endpoints): 87 hosts present only RSA certificates (no ECDSA certificates observed). Consider enabling ECDSA certificates for modern client performance and agility.
  • 🔵 Unreachable endpoints (229 hosts, 230 endpoints): 229 hosts could not be reached (DNS failures, private address resolution, timeouts, or other connectivity issues).

Detailed CSV Exports Available In The Full Report

The summary omits the raw tables below. The paid full report includes these CSV files so a human or AI agent can inspect exact rows before deciding whether the additional detail is worth the cost.

  • certificates.csv: Full certificate inventory. One row per observed certificate. Columns: Certificate ID, Issuer, Subject, Serial, Not Before, Expires, Key Type, Key Size, Curve, Signature Algorithm, Client Auth EKU, SANs
  • per-ip-details.csv: Per-endpoint TLS inventory. One row per scanned IP and port, with a fallback hostname row when endpoint details were unavailable. Columns: IP, Hostname, Port, TLS Versions, Weak Ciphers, PQC Ready, Revoked, Certificate Subject, Certificate Issuer, Expires
  • missing-tls13.csv: Endpoints missing TLS 1.3. One row per endpoint that does not support TLS 1.3. Columns: Hostname, IP, Port
  • weak-ciphers.csv: Weak cipher findings. One row per affected endpoint and weak cipher pair. Columns: Hostname, IP, Port, Cipher
  • rsa-only.csv: RSA-only host inventory. One row per endpoint on a hostname that served only RSA certificates during the scan. Columns: Hostname, IP, Port
  • http-hardening.csv: HTTP redirect and HSTS gaps. One row per hostname and port with a missing HTTPS redirect, missing HSTS, or both. Columns: Hostname, Port, HTTP Listens, Redirects To HTTPS, HSTS Enabled, HSTS Include Subdomains, HSTS Preload, Issues
  • dns-errors.csv: DNS resolution failures. One row per failing endpoint. Columns: Hostname, Error, IP, Port, Endpoint
  • connection-errors.csv: Connection and timeout failures. One row per failing endpoint. Columns: Hostname, Error, IP, Port, Endpoint
  • certificate-errors.csv: Certificate validation failures. One row per failing endpoint. Columns: Hostname, Error, IP, Port, Endpoint
  • pqc-not-ready.csv: Non-PQC-ready endpoints. One row per endpoint not marked PQC-ready. Columns: Hostname, IP, Port

1. Certificates

Certificates are a common source of operational risk when they are hard to track, inconsistently issued, or close to expiry. This section helps you review the certificates observed on reachable endpoints so you can spot renewal risk, issuer sprawl, and inconsistencies across the estate.

1.1 Certificates Nearing Expiration

Certificates close to expiry increase the risk of avoidable outages and rushed renewals. This section highlights which observed certificates need attention soon so renewal work can be prioritized before service is affected.

  • Expired certificates still being served: 0
  • Total used certificates with dates: 73
  • Expiring within 7 days: 1
  • Expiring within 8-15 days: 4
  • Expiring within 16-30 days: 5
  • Expiring in 31+ days: 63
  • Showing 0 certificates in this report

1.2 Issuer Distribution

Each card shows how many used certificates remain non-expired for a given issuer.

  • DigiCert Inc: 59 non-expired certificates
  • GlobalSign nv-sa: 6 non-expired certificates
  • Amazon: 3 non-expired certificates
  • Let's Encrypt: 3 non-expired certificates
  • Tesla, Inc.: 2 non-expired certificates

1.3 CAA Policies

CAA records let a domain specify which certificate authorities are allowed to issue certificates for it. Use this section to confirm whether issuance is restricted, identify gaps where no policy is published, and spot inconsistent rules across subdomains.

Total policies: 0

2. TLS Protocols & Versions

This section shows which TLS versions are supported across your scanned endpoints. In general, support for modern versions such as TLS 1.2 and TLS 1.3 is expected, while older versions like SSLv3, TLS 1.0, and TLS 1.1 should usually be disabled because they are outdated and may expose you to security, compliance, or compatibility issues.

  • SSLv3: ❌ Not supported (0 endpoints)
  • TLS 1.0: ❌ Not supported (0 endpoints)
  • TLS 1.1: ❌ Not supported (0 endpoints)
  • TLS 1.2: ✅ Supported (292 endpoints)
  • TLS 1.3: ✅ Supported (279 endpoints)

2.3 Missing TLS 1.3

TLS 1.3 is the current baseline for modern HTTPS. This subsection highlights endpoints that still stop at older TLS versions, which can increase latency, limit access to newer security improvements, and leave parts of the estate behind current hardening standards.

Affected: 13 endpoints across 11 hostnames

3. Weak Cipher Suites

This section identifies weak or outdated cipher suites detected across your scanned endpoints. These ciphers can reduce transport security by relying on obsolete encryption, weak key exchange, or legacy integrity mechanisms, which may increase exposure to known attacks and create compliance risk.

  • TLS_RSA_WITH_3DES_EDE_CBC_SHA: 12 endpoints across 10 hostnames
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: 32 endpoints across 31 hostnames
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: 32 endpoints across 31 hostnames
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: 7 endpoints across 7 hostnames
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: 7 endpoints across 7 hostnames
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: 163 endpoints across 70 hostnames
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: 163 endpoints across 70 hostnames
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256: 24 endpoints across 24 hostnames
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256: 24 endpoints across 24 hostnames
  • TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: 3 endpoints across 3 hostnames
  • TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: 3 endpoints across 3 hostnames
  • TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: 24 endpoints across 24 hostnames
  • TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: 24 endpoints across 24 hostnames
  • TLS_RSA_WITH_AES_128_CCM: 32 endpoints across 31 hostnames
  • TLS_RSA_WITH_AES_128_CCM_8: 32 endpoints across 31 hostnames
  • TLS_RSA_WITH_AES_128_GCM_SHA256: 102 endpoints across 57 hostnames
  • TLS_RSA_WITH_AES_256_CCM: 32 endpoints across 31 hostnames
  • TLS_RSA_WITH_AES_256_CCM_8: 32 endpoints across 31 hostnames
  • TLS_RSA_WITH_AES_256_GCM_SHA384: 54 endpoints across 51 hostnames

3.1 Understanding the Issues

  • 3DES (Triple DES): CVSS 5.9 (Medium): CVE-2016-2183 covers the Sweet32 birthday attack against 64-bit block ciphers after roughly 32GB of traffic. 3DES provides only 112-bit effective security and remains vulnerable to meet-in-the-middle attacks. Its 64-bit block size makes long-lived TLS sessions especially risky. NIST SP 800-131A deprecated 3DES in 2018 and banned new uses by 2023. Disable it immediately and replace it with AES-GCM or ChaCha20-Poly1305.
  • CBC Mode: CVSS 5.9-7.5 (Medium/High): key examples include CVE-2011-3389 for BEAST and CVE-2013-0169 for Lucky Thirteen. CBC mode in TLS 1.0-1.2 has a long history of timing leaks, padding oracles, and related side-channel attacks. Mitigations exist, but they have never made CBC a desirable modern choice. AEAD cipher suites such as AES-GCM and ChaCha20-Poly1305 avoid these structural weaknesses and should be preferred.
  • Static RSA key exchange: TLS_RSA_WITH suites use static RSA key exchange and do not provide forward secrecy. If the server private key is compromised later, recorded TLS sessions can be at risk. Prefer TLS 1.3 or TLS 1.2 ECDHE suites.
  • SHA / SHA1: CVSS 7.5 (High): practical collision work such as SHAttered made SHA-1 unfit for modern trust decisions, and RFC 9155 deprecated it in 2022. In TLS cipher names, SHA often means SHA-1 unless a stronger variant such as SHA256 or SHA384 is named explicitly. SHA-1 is too weak for signatures and certificate-related trust. It should be disabled in modern TLS deployments in favor of SHA-256 or SHA-384.

4. Forward Secrecy Analysis

Forward secrecy means that a server's long-term private key alone should not be enough to decrypt previously recorded TLS sessions. In practice, this usually requires TLS 1.3 or older TLS versions configured with ECDHE or DHE cipher suites.

  • No TLS 1.3, PFS with ECDHE/DHE ciphers: 11 hosts
  • TLS 1.3 and ECDHE/DHE ciphers: 98 hosts

5. Key Analysis

5.1 Key Strength Distribution

  • RSA 2048 bit: 58 certificates (Recommended)
  • EC 256 bit (P-256): 13 certificates (Recommended)

5.2 RSA-Only Hosts

These hosts were observed serving only RSA certificates, with no ECDSA certificate available on the scanned endpoints. That usually means slower handshakes and larger certificates than a modern dual-stack RSA plus ECDSA setup, and it reduces cryptographic agility for future tuning.

RSA-only hosts: 238 endpoints across 87 hostnames

6. HTTP Redirects & Security Headers

These hostname-level results focus on HTTP-to-HTTPS redirects and browser-facing HTTPS security headers observed in HTTPS responses.

  • ⚠️ HTTPS redirect coverage: 25/41
  • ⚠️ HSTS coverage: 96/108

6.1 HTTP Redirect

HTTP Redirect Gaps: Hosts that still answer over HTTP should normally redirect visitors straight to HTTPS. Without that redirect, users and automated clients can remain on an unencrypted endpoint, increasing the chance of downgrade, interception, or inconsistent application behavior.

Missing redirects: 16 endpoints across 16 hostnames

6.2 HSTS

HSTS Gaps: HSTS tells browsers to use HTTPS automatically for future requests and to avoid falling back to HTTP. This helps close downgrade paths after the first secure visit and reduces the risk of users being pushed onto plaintext connections.

Missing HSTS: 12 endpoints across 12 hostnames

7. Connection & Certificate Errors

These errors and warnings prevented SSLBoard from establishing a valid TLS connection. As a result, we could not verify which certificate those endpoints are serving, or whether they are serving the correct one. In most cases, these are operational issues rather than direct security problems, but they can still lead to service disruption or unavailability.

  • DNS Resolution Errors: 225 endpoints across 225 hostnames
  • Connection & Timeout Errors: 5 endpoints across 4 hostnames
  • Certificate Errors: 9 endpoints across 4 hostnames

8. PQC Readiness Summary

This section summarizes how prepared your scanned endpoints are for post-quantum cryptography. It highlights the proportion of endpoints already aligned with PQC readiness expectations and surfaces the remaining gaps so you can prioritize remediation before quantum-safe requirements become operational or compliance-driven.

  • Readiness: low
  • Ready: 30% of 297 endpoints
  • Gaps: 209 endpoints not PQC-ready

PQC Groups

  • MLKEM512: 88 endpoints

Non-PQC-ready endpoints: 209 endpoints across 103 hostnames

10. Adjacent Domains

These off-scope SANs were observed on the same certificates but belong to other apex domains.

CSV format: Adjacent apex-domain inventory. One row per off-scope apex domain observed in certificate SANs, with the number of SAN entries that mapped to it. Columns: Apex Domain, Off-scope SAN Count

  • tesla.cn: 15 SANs

Generated by SSLBoard on 4/4/2026
