Weak Cipher Suite Tester

A simple, client-side utility to analyze a list of TLS cipher suites for known vulnerabilities and weaknesses.

About This Tool

The Weak Cipher Suite Tester is a fully client-side, open-source security utility designed to help developers, system administrators, and compliance auditors identify deprecated, weak, or non-compliant TLS cipher suites in their infrastructure. Built with SvelteKit and deployed as a static site via @sveltejs/adapter-static, it runs entirely in your browser — no data is ever transmitted, stored, or logged.

Modern web security demands more than just enabling TLS; the cipher suites the server offers matter as well. RC4 has exploitable keystream biases, the 64-bit block size of 3DES makes it vulnerable to SWEET32, and CBC-mode suites (AES-CBC included) are exposed to padding-oracle and timing attacks such as Lucky13, and to BEAST under TLS 1.0. PCI DSS 4.0 (mandatory since 31 March 2024, with its future-dated requirements taking effect on 31 March 2025) requires strong cryptography for cardholder data in transit, NIST SP 800-131A Rev. 2 disallows 3DES for encryption after 2023, and RC4 has never been a NIST-approved algorithm, so it cannot appear in a FIPS 140-2/3 validated configuration. Even a single weak cipher in your server's offered list can fail an audit or expose encrypted traffic to decryption.

This tool bridges the gap between raw scanner output and actionable insight. Whether you're using nmap --script ssl-enum-ciphers, sslyze --regular, testssl.sh, or inspecting a browser’s Security tab, the Tester intelligently extracts cipher names from unstructured text and evaluates them against a comprehensive database of known vulnerabilities, compliance violations, and cryptographic weaknesses.

Each cipher receives:

  • Grade (A+ to F): Based on security, performance, and forward secrecy
  • Classification: MODERN, STRONG, MEDIUM, WEAK, or DEPRECATED
  • Compliance Flags: PCI DSS 4.0, FIPS 140-2/3, NIST SP 800-52
  • Remediation Steps: Exact config snippets for Nginx, Apache, HAProxy, etc.

Privacy is non-negotiable. The application is stateless — no cookies, no localStorage persistence, no analytics. Your input exists only in memory during analysis and is cleared on reset or page reload. Source code is publicly available on GitHub under the MIT License, encouraging review, contribution, and self-hosting.

Hosted on GitHub Pages with global CDN delivery, the tool loads in about a second even on slow connections. It supports all modern browsers and, because it collects no data at all, is compatible by design with POPIA (South Africa), GDPR, and CCPA.

Security should be simple. This tool makes TLS hygiene instant, accurate, and private.

How to Use the Weak Cipher Suite Tester

Using the Weak Cipher Suite Tester is straightforward. Follow these steps to audit any TLS endpoint — from web servers to load balancers, email gateways, or VPN terminators.

Step 1: Gather Cipher Suite Data

Use any trusted scanning tool to retrieve the list of supported ciphers. Common methods include:

  • nmap: nmap --script ssl-enum-ciphers -p 443 example.com
  • sslyze: sslyze --regular example.com:443
  • testssl.sh: ./testssl.sh --fast example.com (use -E / --cipher-per-proto for the full cipher list per protocol version)
  • OpenSSL: openssl s_client -connect example.com:443 -tls1_2 reports only the single suite that was negotiated, not the server's list; to enumerate, loop over the names from openssl ciphers 'ALL:COMPLEMENTOFALL' and connect with -cipher <name> (or -ciphersuites <name> for TLS 1.3) one at a time
  • Browser Dev Tools: open the Security panel; the connection summary shows the protocol and cipher suite your browser negotiated, which is one suite, not the server's full list

Copy the entire output block containing cipher suite names (e.g., lines starting with | or TLS_).

Step 2: Paste into the Tester

Return to this page and paste the raw text into the large input box. The tool uses regular expressions to pull IANA cipher-suite names (prefixed TLS_ or SSL_) out of the surrounding text, for example from nmap output like:

| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA

No formatting is required — just paste and go.

Step 3: Click “Analyze Ciphers”

The analysis runs locally in your browser. A progress indicator appears while each cipher is evaluated against:

  • Known attacks with assigned CVEs (e.g., SWEET32 against 64-bit block ciphers, Logjam against weak DHE parameters)
  • Cryptographic weaknesses (CBC padding, lack of PFS)
  • Compliance rules (PCI DSS 4.0, FIPS 140-3)
  • Best practices (TLS 1.3 preference, ChaCha20 support)

Step 4: Review Results

Each cipher is displayed in a card with:

  • Grade Badge: A+ (ideal) to F (critical)
  • Technical Breakdown: Key exchange, encryption, MAC, key size
  • Compliance Status: PCI COMPLIANT / FIPS COMPLIANT
  • Remediation Box: If weak, includes config to disable it

Export results via browser print or copy-paste for audit reports.
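The extraction in Step 2, as an added JavaScript example that is not the tool's own code: it pulls IANA names out of nmap, sslyze and openssl s_client output pasted together, de-duplicates them and keeps first-seen order. The OPENSSL_TO_IANA table is a hand-written subset assumed for illustration (openssl and sslscan print OpenSSL names rather than IANA names, so a mapping is needed; a real extractor needs the complete table), and SAMPLE_SCAN is constructed input, not a real scan.

```javascript
// Added example, not the Weak Cipher Suite Tester's own source: extract IANA
// cipher-suite names from unstructured scanner output, as Step 2 describes.
// Assumption: OPENSSL_TO_IANA is a hand-written subset for illustration only;
// a real extractor needs the complete OpenSSL-name to IANA-name table.

// IANA names: TLS_ or SSL_ followed by two or more underscore-separated tokens.
// Lower-case is allowed for the "anon" in TLS_DH_anon_* suites. A trailing
// word boundary stops the match before nmap's " (secp256r1) - A" annotations.
const IANA_NAME = /\b(?:TLS|SSL)_[A-Za-z0-9]+(?:_[A-Za-z0-9]+)+\b/g;

// openssl s_client / sslscan print OpenSSL names; map them to IANA names.
const OPENSSL_TO_IANA = {
  'ECDHE-RSA-AES256-GCM-SHA384': 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
  'ECDHE-RSA-AES128-GCM-SHA256': 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
  'ECDHE-RSA-CHACHA20-POLY1305': 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
  'DHE-RSA-AES128-SHA':          'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
  'AES128-SHA':                  'TLS_RSA_WITH_AES_128_CBC_SHA',
  'DES-CBC3-SHA':                'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
  'RC4-SHA':                     'TLS_RSA_WITH_RC4_128_SHA',
  'RC4-MD5':                     'TLS_RSA_WITH_RC4_128_MD5',
};

// Returns the unique cipher-suite names found in `text`, in first-seen order.
function extractCipherSuites(text) {
  const seen = new Set();
  const suites = [];
  const add = (name) => { if (!seen.has(name)) { seen.add(name); suites.push(name); } };
  for (const line of text.split(/\r?\n/)) {
    // IANA names can sit anywhere on the line (nmap prefixes them with "|").
    for (const name of line.match(IANA_NAME) || []) add(name);
    // OpenSSL names are looked up as whole tokens to avoid false positives.
    for (const token of line.split(/[\s,;:()]+/)) {
      if (Object.prototype.hasOwnProperty.call(OPENSSL_TO_IANA, token)) add(OPENSSL_TO_IANA[token]);
    }
  }
  return suites;
}

// Constructed sample: an nmap block, an sslyze block and an openssl s_client
// session summary pasted one after another (not real scan output).
const SAMPLE_SCAN = `
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|_  least strength: C
 * TLS 1.2 Cipher Suites:
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     168 bits      HTTP 200 OK
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             128 bits      HTTP 200 OK
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
`;

console.log(extractCipherSuites(SAMPLE_SCAN));
```

The duplicate TLS_RSA_WITH_3DES_EDE_CBC_SHA from the sslyze block and the OpenSSL-named suite from the s_client summary both collapse onto entries already seen, so the sample yields four names. Grade letters, key sizes and protocol labels such as TLSv1.2 never match because they lack the TLS_ or SSL_ prefix.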

Pro Tips

  • Test all TLS endpoints: APIs, SMTP, IMAP, RDP
  • Scan load balancers separately — they often differ from origin servers
  • Re-test after config changes using the same input
  • Use the scanner's quiet mode where it has one (for example testssl.sh --quiet) to reduce noise in the pasted text

From scan to secure in under 60 seconds — no accounts, no logs, no risk.

Frequently Asked Questions

Is my data sent to a server?

No. This is a 100% client-side static application. All processing happens in your browser using JavaScript. No network requests are made after page load (except for static assets from GitHub Pages CDN). View the source code or Network tab to confirm — zero outbound data.

Why can’t the tool scan domains directly?

Browsers give page JavaScript no raw TCP socket API, and fetch/XMLHttpRequest requests go through the browser's own TLS stack, which negotiates one suite of its choosing. A web page therefore cannot probe which cipher suites a server accepts (the same-origin policy and CORS further restrict which responses a page may read, but the missing socket API is the fundamental limit). Instead, we rely on trusted tools (nmap, sslyze) to gather cipher lists, which you then paste here for analysis.

Which ciphers are considered “weak”?

The tool flags any suite that:

  • Uses RC4, 3DES, or DES for encryption
  • Uses CBC mode (MAC-then-encrypt padding exposes padding-oracle and timing attacks such as Lucky13; under TLS 1.0 the chained IVs also enable BEAST)
  • Lacks Perfect Forward Secrecy (PFS), i.e. uses static RSA or static DH key exchange instead of ECDHE or DHE
  • Uses MD5 or SHA-1 as the record MAC (a bare SHA suffix in an IANA name means HMAC-SHA-1; AEAD suites such as GCM and ChaCha20-Poly1305 have no separate MAC)
  • Is only offered under a protocol version below TLS 1.2 (when the pasted scan output labels versions, as nmap's does), unless explicitly allowed

PCI DSS 4.0 does not count these as strong cryptography, NIST SP 800-52 Rev. 2 recommends ephemeral key exchange and AEAD suites in their place, and modern browsers have removed RC4 entirely (Chrome no longer offers 3DES either).
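The rules just listed, together with the key exchange / encryption / MAC breakdown that Step 4 displays, as an added JavaScript example that is not the tool's own code. It goes beyond the list above in also flagging NULL-cipher, EXPORT and anonymous suites; the flag names, the AEAD/NONE MAC labels and the mapping onto the page's MODERN/STRONG/MEDIUM/WEAK/DEPRECATED labels are this example's own choices, and SAMPLE_SUITES is a constructed list.

```javascript
// Added example, not the tool's own source: evaluate an IANA cipher-suite name
// against the weak-cipher rules in the FAQ and the per-cipher breakdown of
// Step 4 (key exchange, encryption, MAC). Assumptions: the flag names and the
// MODERN/STRONG/MEDIUM/WEAK/DEPRECATED ordering are this example's own mapping
// onto the page's labels; NULL, EXPORT and anonymous suites are flagged here
// although the FAQ list does not mention them.

// TLS 1.3 suites name only the AEAD cipher and hash; key exchange is always
// ephemeral (ECDHE/DHE), so they are forward secret by construction.
const TLS13_SUITE = /^TLS_(AES_128_GCM|AES_256_GCM|CHACHA20_POLY1305|AES_128_CCM(?:_8)?)_SHA(?:256|384)$/;
// TLS 1.2 and earlier: <kex+auth>_WITH_<cipher>[_<hash>]. CCM suites carry
// no trailing hash, hence the optional group.
const TLS12_SUITE = /^(?:TLS|SSL)_([A-Za-z0-9_]+?)_WITH_([A-Z0-9_]+?)(?:_(MD5|SHA|SHA256|SHA384))?$/;

function parseSuite(name) {
  const v13 = TLS13_SUITE.exec(name);
  if (v13) return { tls13: true, kexAuth: 'ECDHE/DHE', cipher: v13[1], mac: 'AEAD' };
  const m = TLS12_SUITE.exec(name);
  if (!m) return null;
  const [, kexAuth, cipher, mac] = m;
  // GCM, CCM and ChaCha20-Poly1305 are AEAD: the hash names the PRF, not a MAC.
  const aead = /(GCM|CCM(?:_8)?|POLY1305)$/.test(cipher);
  // In IANA names a bare "SHA" suffix means HMAC-SHA-1.
  return { tls13: false, kexAuth, cipher, mac: aead ? 'AEAD' : (mac || 'NONE') };
}

function classifySuite(name) {
  const s = parseSuite(name);
  if (!s) return null;
  const flags = [];
  if (!s.tls13) {
    const anon = /_anon$/.test(s.kexAuth);                       // no server authentication
    if (anon) flags.push('ANON');
    if (/EXPORT/.test(s.kexAuth)) flags.push('EXPORT');            // 40/56-bit export grade
    if (!anon && !/^(ECDHE|DHE)_/.test(s.kexAuth)) flags.push('NO-PFS'); // static RSA/DH
  }
  if (s.cipher === 'NULL') flags.push('NULL');
  if (s.cipher.startsWith('RC4')) flags.push('RC4');
  if (s.cipher.startsWith('3DES')) flags.push('3DES');
  else if (s.cipher.startsWith('DES')) flags.push('DES');
  if (s.cipher.endsWith('_CBC')) flags.push('CBC');               // padding-oracle surface
  if (s.mac === 'MD5') flags.push('MD5-MAC');
  if (s.mac === 'SHA') flags.push('SHA1-MAC');

  let classification;
  if (s.tls13) classification = 'MODERN';
  else if (flags.some((f) => ['ANON', 'EXPORT', 'NULL', 'RC4', 'DES', '3DES', 'MD5-MAC'].includes(f))) classification = 'DEPRECATED';
  else if (flags.includes('NO-PFS') || flags.includes('SHA1-MAC')) classification = 'WEAK';
  else if (flags.includes('CBC')) classification = 'MEDIUM';
  else classification = 'STRONG';
  return { name, ...s, flags, classification };
}

// Names the remediation box of Step 4 would cover: WEAK, DEPRECATED, or unparsable.
function needsRemediation(names) {
  return names.filter((n) => {
    const r = classifySuite(n);
    return r === null || r.classification === 'WEAK' || r.classification === 'DEPRECATED';
  });
}

// Constructed sample list (not real scan data).
const SAMPLE_SUITES = [
  'TLS_AES_256_GCM_SHA384',
  'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
  'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
  'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
  'TLS_RSA_WITH_AES_128_GCM_SHA256',
  'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
  'TLS_RSA_WITH_RC4_128_MD5',
];

for (const n of SAMPLE_SUITES) console.log(classifySuite(n));
console.log('needs remediation:', needsRemediation(SAMPLE_SUITES));
```

Note that a static-RSA suite with AES-GCM (TLS_RSA_WITH_AES_128_GCM_SHA256) lands in WEAK purely for lacking forward secrecy: the record protection is fine, but a later compromise of the server's private key decrypts every captured session.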

Does this replace a full vulnerability scanner?

No. This is a specialized cipher audit tool. It does not detect misconfigurations like HSTS absence, certificate expiry, or protocol downgrade attacks. Use it alongside tools like Qualys SSL Labs, Mozilla Observatory, or testssl.sh for comprehensive testing.

Can I use this for PCI DSS or FIPS compliance?

Yes, with caveats. The grading system aligns with PCI DSS 4.0 Requirement 4.2.1 (strong cryptography for cardholder data sent over open, public networks) and with FIPS 140-2/3 cipher restrictions. Formal PCI DSS compliance still requires external scans by an Approved Scanning Vendor (ASV), and FIPS compliance requires a validated cryptographic module, not merely an approved cipher list. Use this tool for pre-audit preparation and remediation planning.

What if no ciphers are detected?

Ensure your pasted text includes lines with TLS_, SSL_, or | prefixes. Avoid sanitized or summarized reports. Try copying directly from terminal output. The extractor supports nmap, sslyze, openssl, and browser formats.

Is the source code auditable?

Absolutely. The full repository is public at github.com/axelbase/weak-cipher-tester. Fork, review, or deploy your own instance. Contributions welcome via PR.

Who maintains this tool?

Developed and maintained by AxelBase in Norway.