SSL Is Not Enough: Understanding HTTPS, HSTS, and Modern TLS

The padlock in the browser bar has become a baseline expectation. But many site owners assume that having an SSL certificate means their site is secure. It's a starting point—not a destination. Here's what a genuinely secure TLS setup looks like in 2026.

TLS 1.0 and 1.1 Are Dead

TLS 1.0 and 1.1 have been deprecated by every major browser since 2020 and are banned by PCI DSS 4.0. If your server still negotiates these versions for compatibility, you're running a security liability. TLS 1.2 is the current minimum; TLS 1.3 should be the default. TLS 1.3 is faster (fewer round trips), more secure (removes weak cipher suites entirely), and mandatory for HTTP/3.
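To make the version floor concrete, here is an added example (not code from the original post) showing how to pin a server-side TLS policy in Python's standard `ssl` module and inspect which versions it will negotiate. The `certfile`/`keyfile` arguments are hypothetical paths you would supply; with them omitted the context is built without a certificate so the policy can be inspected offline.

```python
import ssl

# Protocol versions in order, as Python's ssl module names them.
ORDERED = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
FLOOR = ssl.TLSVersion.TLSv1_2  # the post's minimum; 1.3 is negotiated when both sides support it


def hardened_server_context(certfile=None, keyfile=None):
    """Server context that refuses TLS 1.0/1.1 regardless of interpreter or OpenSSL defaults.

    certfile/keyfile are hypothetical caller-supplied paths; when omitted the context
    carries no certificate and exists only so its version policy can be inspected.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = FLOOR  # explicit floor, not whatever the build happens to default to
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def permitted_versions(ctx):
    """List the TLS versions a context will negotiate.

    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels meaning "whatever OpenSSL allows";
    simplification: MAXIMUM_SUPPORTED is taken as TLS 1.3 (a build without 1.3 tops out at 1.2).
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ORDERED[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ORDERED[-1]
    return [v.name for v in ORDERED if lo <= v <= hi]


def negotiated_version_ok(version):
    """Check the string SSLSocket.version() reports after a handshake, e.g. 'TLSv1.2'."""
    names = {
        "TLSv1": ssl.TLSVersion.TLSv1,
        "TLSv1.1": ssl.TLSVersion.TLSv1_1,
        "TLSv1.2": ssl.TLSVersion.TLSv1_2,
        "TLSv1.3": ssl.TLSVersion.TLSv1_3,
    }
    return version in names and names[version] >= FLOOR


if __name__ == "__main__":
    print(permitted_versions(hardened_server_context()))  # ['TLSv1_2', 'TLSv1_3']
```

The same `minimum_version` setting applies to client contexts, which is how a monitoring script refuses to talk to an endpoint that has silently fallen back to an old version.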

Certificate Types Matter Less Than Configuration

The difference between a free Let's Encrypt certificate and an expensive Extended Validation certificate is largely marketing. Browsers stopped showing the green company-name bar for EV certificates in 2019. What matters is how your certificate is configured: key size (at least 2048-bit RSA or P-256 ECDSA), signature algorithm (SHA-256 or better), and whether OCSP stapling is enabled.

HSTS: Preventing Protocol Downgrade Attacks

HTTP Strict Transport Security (HSTS) tells browsers to only ever connect to your site over HTTPS, even if someone types http:// in the address bar. Without it, a visitor's first unencrypted request is an opportunity for a man-in-the-middle attack. Add the Strict-Transport-Security header with a long max-age (at least 31536000 seconds, i.e. one year) and consider submitting your domain to the HSTS preload list, which bakes your HTTPS-only policy directly into browser source code.
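Checking what your server actually sends is easy to get wrong by eye, so here is an added example (not from the original post) that parses a Strict-Transport-Security header the way RFC 6797 describes it and reports the gaps a preload submission would reject. The header strings below are constructed samples; `PRELOAD_MIN_MAX_AGE` encodes the one-year minimum the post recommends.

```python
PRELOAD_MIN_MAX_AGE = 31_536_000  # one year in seconds, the floor the post recommends


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into {directive_name: value}.

    Directive names are case-insensitive; max-age may be a quoted string;
    RFC 6797 says a directive MUST NOT appear more than once.
    """
    directives = {}
    for raw in header_value.split(";"):
        part = raw.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    return directives


def evaluate_hsts(header_value):
    """Return a list of findings; an empty list means the policy meets preload requirements.

    Note that browsers ignore this header entirely when it arrives over plain HTTP,
    so it must be emitted on the HTTPS responses.
    """
    try:
        d = parse_hsts(header_value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    if "max-age" not in d:
        return ["max-age directive is required; browsers ignore the header without it"]
    if not d["max-age"].isdigit():
        return ["max-age must be a non-negative integer"]
    max_age = int(d["max-age"])

    findings = []
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy (only useful for rollback)")
    elif max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below one year ({PRELOAD_MIN_MAX_AGE})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be reached over plain HTTP")
    if "preload" in d and (max_age < PRELOAD_MIN_MAX_AGE or "includesubdomains" not in d):
        findings.append("preload token present but the preload list requirements are not met")
    return findings


if __name__ == "__main__":
    # Constructed sample header values, strongest first.
    for sample in ("max-age=31536000; includeSubDomains; preload",
                   "max-age=300",
                   "includeSubDomains"):
        print(repr(sample), "->", evaluate_hsts(sample) or "OK")
```

In practice you would feed `evaluate_hsts` the header from a real response (for example `requests.get(url).headers.get("Strict-Transport-Security", "")`) and treat a missing header on the HTTPS origin as the most serious finding of all.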

Mixed Content Still Breaks Things

A page loaded over HTTPS that references resources (images, scripts, iframes) over HTTP generates mixed content warnings and, in many cases, those resources are blocked. Modern browsers block active mixed content (scripts, stylesheets, iframes) entirely and upgrade or warn about passive content such as images. Check for mixed content with browser DevTools or tools like WhyNoPadlock.
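DevTools only shows you the page you happen to have open. For a crawl-style check, here is an added example (not from the original post) that scans HTML for subresources resolving to an http:// URL and labels each one active or passive, following the blockable / optionally-blockable split in the W3C Mixed Content specification. The HTML document and page URL are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (attribute carrying the URL, how modern browsers treat an insecure load)
# "active" loads are blocked outright; "passive" loads are auto-upgraded or warned about.
SUBRESOURCES = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "object": ("data", "active"),
    "embed": ("src", "active"),
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
}


class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, absolute_url) for every subresource that would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already lower-cases tag and attribute names
        if tag == "link":
            rels = (a.get("rel") or "").lower().split()
            if "stylesheet" in rels and a.get("href"):
                self._check("active", tag, a["href"])
        elif tag in SUBRESOURCES:
            attr, kind = SUBRESOURCES[tag]
            if a.get(attr):
                self._check(kind, tag, a[attr])

    def _check(self, kind, tag, ref):
        # Resolve relative and protocol-relative (//host/...) references against the page URL,
        # so only references that genuinely end up on http:// are reported.
        absolute = urljoin(self.page_url, ref.strip())
        if urlsplit(absolute).scheme.lower() == "http":
            self.findings.append((kind, tag, absolute))


def scan_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def has_blocking_mixed_content(findings):
    """True when at least one resource would be blocked (not merely warned about)."""
    return any(kind == "active" for kind, _, _ in findings)


# Constructed sample page: one insecure stylesheet, one protocol-relative script (fine),
# one insecure image, one same-origin image (fine) and one insecure iframe.
SAMPLE_PAGE_URL = "https://www.example.com/page"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//cdn.example/app.js"></script>
</head><body>
<img src="http://images.example/logo.png">
<img src="/local.png">
<iframe src="http://widgets.example/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:8s} <{tag}> {url}")
```

Resources referenced from CSS (`url(http://...)`) and from JavaScript at runtime are not visible to an HTML scan, so keep DevTools in the loop for the final check.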

Certificate Auto-Renewal

Let's Encrypt certificates expire every 90 days. Manual renewal processes fail—it's a question of when, not if. Your hosting setup should automate renewal and alert you (or your provider) if a certificate is approaching expiry without having renewed. An expired certificate is indistinguishable to most visitors from a malicious site.
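The alerting half of that advice is small enough to show in full. Here is an added example (not from the original post) that classifies a certificate's validity window from the dict shape `ssl.SSLSocket.getpeercert()` returns, plus a live fetch helper for use against your own hosts. The `SAMPLE_CERT` dates are constructed to mimic a 90-day Let's Encrypt certificate; the 30-day warning threshold is an assumption, chosen so the alert fires while renewal should already have happened.

```python
import socket
import ssl
import time
from datetime import datetime, timezone

SECONDS_PER_DAY = 86_400


def expiry_status(cert, now=None, warn_days=30):
    """Classify a certificate's validity window.

    `cert` uses the shape of ssl.SSLSocket.getpeercert(): 'notBefore'/'notAfter' are
    strings such as 'Apr 10 00:00:00 2026 GMT'. Returns (status, days_left) where
    status is one of 'not_yet_valid', 'expired', 'warn', 'ok'.
    """
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now) / SECONDS_PER_DAY
    if now < not_before:
        return "not_yet_valid", days_left  # clock skew or a cert deployed before it is valid
    if days_left < 0:
        return "expired", days_left
    if days_left < warn_days:
        return "warn", days_left
    return "ok", days_left


def fetch_peer_cert(host, port=443, timeout=5):
    """Live check (needs network): fetch the leaf certificate a server presents.

    With default verification an already-expired certificate makes the handshake raise
    SSLCertVerificationError, which is itself the alert a monitor should surface.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def utc(year, month, day):
    """Helper for constructing 'now' values in tests."""
    return datetime(year, month, day, tzinfo=timezone.utc).timestamp()


# Constructed sample: a 90-day certificate, the lifetime Let's Encrypt issues.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "notBefore": "Jan 10 00:00:00 2026 GMT",
    "notAfter": "Apr 10 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    for when in (utc(2026, 2, 1), utc(2026, 3, 20), utc(2026, 4, 15)):
        status, days = expiry_status(SAMPLE_CERT, now=when)
        print(f"{status:14s} {days:6.1f} days left")
```

Run `expiry_status(fetch_peer_cert("your-host.example"))` from a scheduled job and page on anything other than `ok`; the job is deliberately independent of the renewal tooling so a broken renewer cannot also silence its own alarm.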

Testing Your Setup

Run your domain through SSL Labs for a comprehensive grade. Aim for A+. Anything below A is worth investigating.

TLS configuration is one of those things a good managed host handles for you. If you're manually managing certificates and cipher suites, you're spending time that could go to your actual business.