SSL Cipher Suites Explained: What They Are and How to Choose
When you check a website with GuardSSL, you might notice a field called "Cipher" showing something like TLS_AES_256_GCM_SHA384 or ECDHE-RSA-AES128-GCM-SHA256. These cryptic strings are cipher suites. Don't let them intimidate you—let's break them down.
What is a Cipher Suite?
A cipher suite is essentially a recipe for secure communication. It tells the browser and server exactly how to protect their conversation.
Every TLS 1.2 cipher suite names four key ingredients (TLS 1.3 suites, shown below, always use ephemeral Diffie-Hellman for key exchange and negotiate authentication separately, so their names list only the last two):
- Key Exchange Algorithm: How to securely exchange encryption keys
- Authentication Algorithm: How to verify the server's identity
- Encryption Algorithm: How to scramble the actual data
- Message Authentication Code (MAC): How to ensure data hasn't been tampered with
Reading Cipher Suite Names
Let's decode a common cipher suite:
ECDHE-RSA-AES256-GCM-SHA384
| Component | Meaning | Purpose |
|---|---|---|
| ECDHE | Key Exchange | Elliptic Curve Diffie-Hellman Ephemeral—secure and efficient, with a fresh key pair for every connection |
| RSA | Authentication | Uses RSA algorithm to verify server identity |
| AES256 | Encryption | 256-bit AES encryption—very secure |
| GCM | Mode | Provides both encryption and integrity verification |
| SHA384 | Hash | Hash function used for message authentication and handshake key derivation |
Which Cipher Suites Are Secure?
✅ Recommended
- TLS_AES_256_GCM_SHA384: TLS 1.3 default, excellent security
- TLS_CHACHA20_POLY1305_SHA256: Great performance on mobile devices
- ECDHE-ECDSA-AES256-GCM-SHA384: One of the best choices for TLS 1.2
⚠️ Acceptable but Not Ideal
- Suites using AES-128 (secure but not as robust as AES-256)
- Suites using SHA256 instead of SHA384
❌ Should Be Disabled
- Anything with RC4 (compromised)
- Anything with DES or 3DES (too weak)
- Anything with MD5 (insecure)
- Anything with NULL (no encryption at all!)
- Anything with EXPORT (intentionally weakened)
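The decoding table above and the three tiers just listed can be turned into a small checker. The following is an added example, not GuardSSL's own code: it splits both OpenSSL-style names (ECDHE-RSA-AES256-GCM-SHA384) and IANA-style names (TLS_AES_256_GCM_SHA384) into their components and applies the tiers literally, so any suite with AES-128 or SHA256 lands in "acceptable" and anything containing RC4, DES/3DES, MD5, NULL or EXPORT lands in "disable".

```python
# Added example (not GuardSSL's code): split a cipher suite name into the
# components described above and apply the article's three tiers.
KEY_EXCHANGE = {"ECDHE", "DHE", "ECDH", "DH", "RSA", "PSK"}
AUTH = {"RSA", "ECDSA", "DSS", "PSK"}
MODES = {"GCM", "CBC", "CBC3", "CCM", "CCM8", "POLY1305"}
DISABLE = ("RC4", "DES", "MD5", "NULL", "EXP")   # "DES" also catches 3DES, "EXP" catches EXPORT

def tokenize(name: str):
    """Return (tokens, is_tls13) for an OpenSSL- or IANA-style suite name."""
    if name.startswith("TLS_"):                  # IANA style, e.g. TLS_AES_256_GCM_SHA384
        merged = []
        for tok in name[4:].replace("_WITH_", "_").split("_"):
            if tok.isdigit() and merged:         # glue "AES", "256" back into "AES256"
                merged[-1] += tok
            else:
                merged.append(tok)
        return merged, "_WITH_" not in name      # TLS 1.3 names have no _WITH_ part
    return name.split("-"), False                # OpenSSL style, e.g. ECDHE-RSA-AES256-GCM-SHA384

def parse_suite(name: str) -> dict:
    tokens, tls13 = tokenize(name)
    flags = [t for t in tokens if t in ("EXP", "EXPORT")]
    tokens = [t for t in tokens if t not in flags]
    kx = auth = None
    if not tls13:                                # TLS 1.3 suites name only the AEAD cipher + hash
        if tokens and tokens[0] in KEY_EXCHANGE:
            kx = tokens.pop(0)
            auth = tokens.pop(0) if tokens and tokens[0] in AUTH else kx
        else:
            kx = auth = "RSA"                    # OpenSSL omits RSA when it is both kx and auth
    hash_ = tokens.pop() if tokens and tokens[-1][:3] in ("SHA", "MD5") else None
    mode = tokens.pop() if tokens and tokens[-1] in MODES else None
    return {"tls13": tls13, "key_exchange": kx, "auth": auth,
            "cipher": "-".join(tokens), "mode": mode, "hash": hash_, "flags": flags}

def classify(name: str) -> str:
    """Return 'disable', 'acceptable' or 'recommended' following the tiers above."""
    s = parse_suite(name)
    parts = [s["key_exchange"], s["auth"], s["cipher"], s["mode"], s["hash"]] + s["flags"]
    if any(marker in part for part in parts if part for marker in DISABLE):
        return "disable"
    if s["cipher"] == "AES128" or s["hash"] == "SHA256":
        return "acceptable"
    return "recommended"

if __name__ == "__main__":
    for suite in ("TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
                  "TLS_AES_128_GCM_SHA256", "DES-CBC3-SHA", "EXP-RC4-MD5"):
        print(f"{suite:32} {classify(suite):12} {parse_suite(suite)}")
```

Feed it the Cipher field from a scan, or the output of your server's configured suite list, to see which tier each name falls into.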
Real-World Example
Let's say GuardSSL shows your site uses:
TLS_AES_128_GCM_SHA256
What does this mean?
- TLS prefix with no key-exchange or authentication part: this is a TLS 1.3 cipher suite (TLS 1.3 always uses ephemeral key exchange, so the name does not spell it out)
- AES_128: Uses 128-bit AES encryption
- GCM: Authenticated encryption mode
- SHA256: SHA-256 hashing
This is a secure cipher suite that meets modern standards.
Why Cipher Suites Matter
Think of it like having a safe:
- The encryption algorithm = What the safe is made of (steel vs. cardboard)
- The key length = How complex the lock is (3-digit code vs. 20-digit code)
- The hash algorithm = Anti-forgery measures (can someone copy your key?)
Using a weak cipher suite is like keeping valuables in a cardboard box—technically "protected," but practically useless.
How to Check and Improve
- Scan your website with GuardSSL and look at the Cipher field
- If you spot old or insecure suites, contact your hosting provider or server admin
- For common servers:
  - Nginx: Modify the `ssl_ciphers` directive
  - Apache: Update the `SSLCipherSuite` configuration
  - Cloud platforms: Usually adjustable in SSL/TLS settings
Key Takeaways
- Cipher suites determine the security level of your encrypted connections
- TLS 1.3 suites are generally safer and simpler
- Avoid suites containing RC4, DES, MD5, or NULL
- Regularly check and update your cipher configuration
Choosing the right cipher suite is essential for keeping user data safe from eavesdroppers.