TLS in 2026 is easier than it has ever been, which is why the failures are dumber

Let's Encrypt has been free since 2016. There is no excuse for an HTTPS failure in 2026, and yet the TLS findings I still write on small business scans are the same three things every time.

Let's Encrypt turned ten this month. Free TLS certificates, automated renewal, no excuses. And yet the TLS findings I write on SMB scans are almost always the same three things.

TLS 1.0 or 1.1 still enabled. Certificate covers the bare domain but not www, or the other way round. Certificate renewal is manual, and the cert expires in 14 days because nobody remembers it's their job.

That's it. That's the post. But since you're here.

What to actually turn on

On the server side, disable SSL 3, TLS 1.0, and TLS 1.1. Keep TLS 1.2 and 1.3. If you're on Cloudflare, there's a toggle under SSL/TLS > Edge Certificates called "Minimum TLS Version". Set it to 1.2. If you're on Fastly or CloudFront it's the same dropdown in a slightly different place. If you're on self-hosted nginx and you're not sure, Mozilla's SSL Configuration Generator spits out the right config block in twenty seconds.

Use modern cipher suites with forward secrecy. Do not hand-pick them. The "Modern" preset in any CDN or the Mozilla Intermediate profile for self-hosted is fine. The days of cipher tuning are over.

Automate renewal. Let's Encrypt with certbot or acme.sh renews every 60 days. If you're on Cloudflare, AWS ACM, Fastly, or Vercel, renewal is invisible. If you're on a traditional hosting panel and someone is pasting a cert into a form every twelve months, that person is one holiday away from taking your site down.
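Before you trust the toggle, check it from outside. The script below is an added example for this post, not the author's tooling or any vendor's: it pins a handshake to one protocol version at a time and then turns the results into the findings a scan report would carry. It uses only the Python standard library, probes the TLS family only (current OpenSSL builds don't offer SSL 3 through the ssl module, so that one has to be taken on trust from the server config), and the host name is a placeholder to be replaced with a server you run.

```python
"""Probe which TLS protocol versions a server accepts, then grade the result.

Added example, not the post author's tooling. Standard library only; the
default host below is a placeholder, replace it with your own server.
"""
import socket
import ssl

# Versions in the order the post discusses them.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, version, port=443, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`.

    Returns False if the server refuses, None if the local OpenSSL will not
    even offer that version (so it could not be tested from this machine).
    Certificate verification is off because we only care whether the protocol
    version is negotiable, not whether the chain validates.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def scan(host, port=443):
    """Map each label in VERSIONS to True/False/None for `host`."""
    return {label: probe_version(host, ver, port) for label, ver in VERSIONS.items()}


def assess(support):
    """Turn a {label: True|False|None} map into report findings (empty list = clean)."""
    findings = []
    for label in ("TLS 1.0", "TLS 1.1"):
        if support.get(label):
            findings.append(f"{label} is still enabled; disable it")
    if not support.get("TLS 1.2") and not support.get("TLS 1.3"):
        findings.append("neither TLS 1.2 nor TLS 1.3 negotiated; clients cannot connect securely")
    elif not support.get("TLS 1.3"):
        findings.append("TLS 1.3 not offered; enable it alongside 1.2")
    return findings


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder host
    results = scan(target)
    for label, ok in results.items():
        state = "accepted" if ok else ("refused" if ok is False else "untestable")
        print(f"{label:8} {state}")
    for finding in assess(results) or ["no protocol-version findings"]:
        print("-", finding)
```

A None result matters: on a current workstation OpenSSL's security level may refuse to offer TLS 1.0 at all, so "my laptop couldn't connect with TLS 1.0" is not evidence the server has it disabled. Run the probe from a host that can still offer the legacy versions, or read the result as untested.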

HSTS done right

HSTS is the header that says "never speak HTTP to me again". I wrote about it in the headers post. Short version: start at six months, move to two years with preload once you're confident. If you're not sure whether all your subdomains are HTTPS-ready, don't set includeSubDomains yet. Fix the subdomains first.
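The rollout above is easy to state and easy to get wrong by a directive. The following is an added example, not from the headers post or this one: it parses a Strict-Transport-Security header and checks it against the staged rollout described here (six months first, two years plus preload later, includeSubDomains only once the subdomains are ready). The two-year threshold is the post's own target; the requirement that preload be accompanied by includeSubDomains is the preload list's rule. The header strings in the test are constructed samples.

```python
"""Check a Strict-Transport-Security header against the rollout the post describes.

Added example, not from the original post. Thresholds follow the post:
start at six months, move to two years with preload once confident.
"""
import re

SIX_MONTHS = 6 * 30 * 86400   # 15552000 seconds, the "start here" value
TWO_YEARS = 63072000          # the post's target once you add preload


def parse_hsts(header):
    """Parse HSTS directives into a dict, or return None if max-age is unusable.

    Directive names are case-insensitive; max-age is the only mandatory one.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    age = directives.get("max-age")
    if age is None or not re.fullmatch(r"\d+", age):
        return None
    return {
        "max_age": int(age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def evaluate_hsts(header, subdomains_ready):
    """Return findings for a header; an empty list means it matches the guidance.

    `subdomains_ready` is your own answer to "are all subdomains HTTPS-ready";
    the header alone cannot tell you that, which is exactly the post's point.
    """
    if header is None:
        return ["no Strict-Transport-Security header"]
    parsed = parse_hsts(header)
    if parsed is None:
        return ["HSTS header present but max-age missing or invalid"]
    findings = []
    if parsed["max_age"] == 0:
        findings.append("max-age=0 clears HSTS; only use during a deliberate rollback")
    elif parsed["max_age"] < SIX_MONTHS:
        findings.append(f"max-age {parsed['max_age']} is below six months; start at {SIX_MONTHS}")
    if parsed["include_subdomains"] and not subdomains_ready:
        findings.append("includeSubDomains set but subdomains are not all HTTPS-ready; fix them first")
    if parsed["preload"]:
        if parsed["max_age"] < TWO_YEARS:
            findings.append("preload set but max-age is below the two-year target")
        if not parsed["include_subdomains"]:
            findings.append("preload requires includeSubDomains")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, as a server would send them.
    for header, ready in [
        ("max-age=15552000", False),
        ("max-age=15552000; includeSubDomains", False),
        ("max-age=63072000; includeSubDomains; preload", True),
        ("max-age=300; preload", True),
    ]:
        print(header, "->", evaluate_hsts(header, ready) or ["ok"])
```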

Certificate transparency is your friend

Every public certificate goes into Certificate Transparency logs. You can search them at crt.sh. Put your domain in and look at every cert ever issued. If you see one you don't recognise, that's a finding. Either a staff member set up a cloud service under your domain without telling anyone, or someone else got a cert for your hostname, which is worse.

This also tells you everywhere TLS is in use across your estate, which is useful for the "what do I actually own" exercise I keep banging on about.
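Doing the crt.sh review by eye works for three hostnames and stops working at thirty. The script below is an added example, not the post's own tooling: it takes results in the shape crt.sh returns for a JSON query (one object per certificate, all SANs packed into `name_value` separated by newlines) and produces the two findings from this post, certificates for hostnames you don't recognise and certificates about to expire. The entries and the inventory are constructed sample data, not real certificates; fetching from crt.sh is left to the caller so the review logic itself runs offline.

```python
"""Review Certificate Transparency results against the hostnames you know you own.

Added example, not from the original post. Input mirrors the JSON crt.sh
returns for `?q=%.example.com&output=json`; the entries below are constructed
sample data, not real certificates.
"""
from datetime import datetime, timedelta

# Constructed sample, shaped like crt.sh JSON output.
SAMPLE_ENTRIES = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "common_name": "example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2026-01-10T00:00:00", "not_after": "2026-04-10T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "common_name": "mail.example.com",
     "name_value": "mail.example.com",
     "not_before": "2026-02-01T00:00:00", "not_after": "2026-05-02T00:00:00"},
    {"issuer_name": "C=US, O=Example CA Inc, CN=Example CA",
     "common_name": "staging-crm.example.com",
     "name_value": "staging-crm.example.com",
     "not_before": "2025-11-20T00:00:00", "not_after": "2026-11-20T00:00:00"},
]

# What the business believes it runs. Anything in CT but not here is a finding.
KNOWN_HOSTS = {"example.com", "www.example.com", "mail.example.com"}


def hostnames(entry):
    """crt.sh packs every SAN into name_value, newline separated."""
    return {h.strip().lower() for h in entry["name_value"].split("\n") if h.strip()}


def unknown_hosts(entries, known):
    """Return {hostname: issuer} for every certified name not in the inventory."""
    found = {}
    for e in entries:
        for h in hostnames(e) - known:
            found.setdefault(h, e["issuer_name"])
    return found


def expiring_within(entries, days, now):
    """Hostnames whose newest certificate expires within `days` of `now`.

    Only the latest not_after per host counts, so a superseded older cert in
    the logs does not raise a false alarm. `now` may be a datetime or an ISO
    8601 string.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    latest = {}
    for e in entries:
        exp = datetime.fromisoformat(e["not_after"])
        for h in hostnames(e):
            if h not in latest or exp > latest[h]:
                latest[h] = exp
    cutoff = now + timedelta(days=days)
    return sorted(h for h, exp in latest.items() if now <= exp <= cutoff)


if __name__ == "__main__":
    now = "2026-03-30T00:00:00"  # fixed clock so the sample output is stable
    for host, issuer in unknown_hosts(SAMPLE_ENTRIES, KNOWN_HOSTS).items():
        print(f"unrecognised certificate: {host} issued by {issuer}")
    for host in expiring_within(SAMPLE_ENTRIES, 14, now):
        print(f"expires within 14 days: {host}")
```

The unrecognised-host list is also the raw material for the "what do I actually own" exercise: every hostname it prints either goes into the inventory with an owner's name next to it, or gets investigated.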

The one thing I still see break in 2026

Mixed content. The site is on HTTPS, but the HTML loads images or scripts over plain HTTP. The browser throws warnings and sometimes blocks the content, so users on browsers with strict settings see a broken page. Grep your CMS for http:// in asset URLs and replace it with https:// or protocol-relative URLs. WordPress plugins exist for this. One query in phpMyAdmin does it for most CMS databases.
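The grep is the right instinct but a plain grep also matches every http:// in body text and every outbound link, which are not mixed content. The following is an added example, not code from the post or from any WordPress plugin: it finds http:// only in the attributes that make a browser fetch a subresource (img, script, link, iframe, source, video, audio, including srcset candidates) and rewrites just those, leaving prose and anchor links untouched. The HTML is a constructed sample page.

```python
"""Find and rewrite insecure subresource URLs in HTML (the mixed-content check).

Added example, not from the post or any CMS plugin. Standard library only;
SAMPLE_HTML is a constructed page, not a real site.
"""
import re
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource. Mixed-content
# blocking applies to these, not to ordinary <a href> navigation links.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
}

SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://img.example.com/logo.png" srcset="http://img.example.com/logo.png 1x, http://img.example.com/logo@2x.png 2x">
<p>Read our old guide at http://blog.example.com (text is not mixed content).</p>
<a href="http://partner.example.net/">Partner</a>
</body></html>"""


class MixedContentFinder(HTMLParser):
    """Collect (tag, attribute, url) for every subresource loaded over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if not value or attr not in SUBRESOURCE_ATTRS.get(tag, ()):
                continue
            # srcset carries several "url descriptor" candidates; check each URL
            candidates = re.split(r"\s*,\s*", value) if attr == "srcset" else [value]
            for cand in candidates:
                url = cand.split()[0] if cand.strip() else ""
                if url.lower().startswith("http://"):
                    self.findings.append((tag, attr, url))


def find_mixed_content(html):
    """Return the list of (tag, attribute, url) findings for an HTML document."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Start tags of the subresource elements; rewriting is confined to these.
TAG_RE = re.compile(r"<(img|script|link|iframe|source|video|audio)\b[^>]*>", re.IGNORECASE)


def rewrite_to_https(html):
    """Rewrite http:// to https:// inside subresource start tags only.

    Inside such a tag an attribute URL is preceded by a quote, '=' or (for
    srcset candidates) a comma, so those are the only positions touched.
    Body text and <a href> links are left as they were.
    """
    def fix_tag(match):
        return re.sub(r'(["\'=,]\s*)http://', r"\1https://", match.group(0), flags=re.IGNORECASE)

    return TAG_RE.sub(fix_tag, html)


if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> {url}")
    print(rewrite_to_https(SAMPLE_HTML))
```

Run the finder against the rendered pages rather than the database dump as well: themes and plugins generate asset URLs at render time, and those never show up in a phpMyAdmin query.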

If you want a summary of your TLS setup as it looks from outside, the free check grades it in a few seconds. No login.