Benchmark Methodology: ismycodesafe vs SSL Labs

How we ran the comparison, which domains we tested, how we measured scan time and issue detection, and how to replicate the results yourself.

Goal

We wanted an honest, reproducible comparison between SSL Labs (by Qualys) and the TLS scanner inside ismycodesafe.com (powered by SSLyze). The benchmark answers three questions:

  • Speed - how long does each tool take to complete a TLS scan?
  • TLS coverage - do both tools detect the same protocol and certificate issues?
  • Overall coverage - what does ismycodesafe check that SSL Labs doesn't?

Tools used

| Tool | Version | Access method |
|---|---|---|
| SSLyze (ismycodesafe TLS engine) | 6.3.1 | Local Python library, called directly |
| SSL Labs | API v3 / engine 2.4.2 | Public REST API, polled every 10s |

Test domains

We used two categories of test targets:

  • badssl.com - maintained by the Google Chrome security team specifically for testing TLS scanners. Each subdomain has a deliberately misconfigured certificate or cipher suite. These are purpose-built for this kind of comparison.
  • Real-world production sites - github.com (excellent TLS), wikipedia.org (well-configured), and ismycodesafe.com itself.

| Domain | Category | Expected finding |
|---|---|---|
| badssl.com | Reference | No issues (clean TLS) |
| expired.badssl.com | Deliberately broken | Expired certificate |
| self-signed.badssl.com | Deliberately broken | Self-signed certificate (trust failure) |
| tls-v1-0.badssl.com | Deliberately broken | TLS 1.0 supported (deprecated) |
| rc4.badssl.com | Deliberately broken | RC4 cipher (broken) |
| github.com | Real-world (good) | No issues |
| wikipedia.org | Real-world (good) | No issues |
| ismycodesafe.com | Self-scan | No issues |

What we measured

1. Scan time

For SSLyze: wall-clock time from queuing the scan to receiving the complete results, measured in Python with time.time(). For SSL Labs: time from the initial API call to the status: READY response, including all 10-second polling intervals. Both are measured in seconds.

2. TLS issue detection

We counted distinct TLS issues flagged by each tool per domain. An issue is a concrete finding: deprecated protocol supported, expired certificate, hostname mismatch, weak cipher, or known vulnerability (Heartbleed, POODLE, CRIME, ROBOT). Informational findings like "TLS 1.3 is supported" were not counted as issues.

Agreement rate = percentage of domains where both tools agreed on whether at least one TLS issue exists (binary: issue found vs no issue found).

3. Coverage beyond TLS

We documented every check category in ismycodesafe.com that SSL Labs does not run. These are counted separately, since SSL Labs is explicitly TLS-only and doesn't claim to cover them.

What we did NOT measure

  • Cipher suite depth - SSL Labs enumerates more cipher suites per protocol than SSLyze. SSL Labs is more thorough for SSL handshake debugging. We acknowledge this honestly.
  • BEAST, POODLE-TLS, DROWN, FREAK - SSL Labs checks more TLS-specific attack vectors. SSLyze focuses on the highest-impact checks (Heartbleed, CRIME).
  • SSL Labs grade (A+ to F) - proprietary metric. ismycodesafe has its own A-F overall security grade covering more dimensions.

Limitations and honest caveats

  • Point-in-time benchmark (May 2026). Both engines update regularly.
  • SSL Labs has more edge-case TLS checks than SSLyze. For debugging TLS handshake failures or compliance-grading, SSL Labs is more thorough on the TLS dimension.
  • badssl.com domains are purpose-built to trigger known failures - real-world results may differ.
  • ismycodesafe.com's 179 non-TLS checks were not run against these same domains during this benchmark - those figures are from production capability documentation, not this specific test run.

How to replicate

# Requirements: Python 3.12+
pip install sslyze httpx

# SSL Labs API (free, 25 assessments/24h per IP)
curl "https://api.ssllabs.com/api/v3/analyze?host=github.com&startNew=on"

Full raw JSON results are available under /compare/ssl-labs/scan-data, licensed CC BY 4.0.
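
The SSL Labs timing and the agreement rate defined under "What we measured" can be reproduced with a short harness. The following is an added example, not the benchmark's own script: the function names, the injectable fetch/sleep/clock parameters and the max_polls limit are assumptions made for illustration, and the issue counts in the demo are constructed.

```python
import json
import time
import urllib.parse
import urllib.request

API = "https://api.ssllabs.com/api/v3/analyze"

def http_fetch(params):
    """Default fetcher: one GET against the SSL Labs analyze endpoint."""
    url = API + "?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

def timed_ssllabs_scan(host, fetch=http_fetch, sleep=time.sleep,
                       clock=time.time, interval=10, max_polls=90):
    """Return (seconds, report): time from the first call to status READY."""
    start = clock()
    # startNew=on goes on the first request only; later polls omit it
    # so the assessment is not started over in a loop.
    report = fetch({"host": host, "startNew": "on"})
    polls = 0
    while True:
        status = report.get("status")
        if status == "READY":
            return clock() - start, report
        if status == "ERROR":
            raise RuntimeError(report.get("statusMessage", "assessment failed"))
        if polls >= max_polls:  # hypothetical safety limit, not from the page
            raise TimeoutError(f"{host}: not READY after {max_polls} polls")
        sleep(interval)  # polling interval is part of the measured time
        report = fetch({"host": host})
        polls += 1

def agreement_rate(sslyze_issues, ssllabs_issues):
    """Percent of domains where both tools agree on 'any issue' vs 'none'."""
    domains = sslyze_issues.keys() & ssllabs_issues.keys()
    if not domains:
        raise ValueError("no domains in common")
    agree = sum((sslyze_issues[d] > 0) == (ssllabs_issues[d] > 0)
                for d in domains)
    return 100.0 * agree / len(domains)

if __name__ == "__main__":
    # Constructed issue counts per domain, for illustration only.
    a = {"expired.badssl.com": 1, "github.com": 0}
    b = {"expired.badssl.com": 2, "github.com": 0}
    print(agreement_rate(a, b))
```

Because the 10-second sleeps are included in the SSL Labs figure, its measured time has a granularity of one polling interval.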