I spent the weekend scanning the TLS configurations of 50 popular B2B SaaS tools using CertRadar.net. My goal was simple: find out whether the vendors we trust with our data are actually practicing good TLS hygiene.
The short answer? No disasters. The longer answer reveals some interesting gaps — particularly from vendors who should know better.
Methodology
I scanned the primary marketing domain for each vendor (e.g., okta.com, slack.com) using CertRadar’s SSL analyzer. I collected data on:
- TLS protocol versions supported
- Cipher suite configurations
- HSTS implementation
- OCSP stapling
- CAA DNS records
- Certificate details
All scans were conducted on January 26, 2026. I evaluated 50 vendors across seven categories: Identity & Security, DevOps, Communication, CRM, HR & Finance, Infrastructure, and Document Storage.
Important: These results reflect configurations at the time of scanning. Vendors may update their configurations at any time, and this report should not be considered a current assessment of any vendor’s security posture. Always verify current configurations before making security decisions.
The Good News
Let’s start with what the industry is doing right.
100% TLS 1.3 adoption. Every single vendor supports TLS 1.3. This was genuinely surprising — I expected at least a few stragglers still stuck on TLS 1.2 only.
Zero TLS 1.0 or 1.1. Not a single vendor still supports these deprecated protocols. Given that TLS 1.0 and 1.1 were officially deprecated in 2021, this is table stakes in 2026 — but it’s still good to confirm nobody’s lagging.
No weak ciphers. Zero vendors were offering RC4, 3DES, or export-grade ciphers. The days of POODLE and BEAST vulnerabilities being exploitable in the wild are behind us, at least for this cohort.
90% HSTS adoption. 45 out of 50 vendors have HTTP Strict Transport Security enabled. This header tells browsers to only connect via HTTPS, preventing downgrade attacks.
The Gaps
Now for the interesting parts.
Five Vendors Missing HSTS
HSTS is a free security win. You add one HTTP header and browsers will refuse to connect over plaintext HTTP. Yet five vendors haven’t implemented it:
| Vendor | Category |
|---|---|
| LastPass | Password Manager |
| JumpCloud | Identity/Directory |
| BeyondTrust | Privileged Access |
| Brex | Corporate Finance |
| DigitalOcean | Cloud Infrastructure |
Three of these are security vendors. LastPass, in particular, guards people’s passwords — yet doesn’t enforce HTTPS at the transport layer. JumpCloud manages enterprise directories. BeyondTrust sells privileged access management.
Is this a critical vulnerability? No. These sites do serve over HTTPS by default. But HSTS protects against man-in-the-middle attacks that attempt HTTP downgrades. For security-focused companies, omitting it is an unforced error.
The Forward Secrecy Gap
Here’s where things get nuanced. 49 out of 50 vendors have partial forward secrecy — meaning some of their cipher suites support it, but not all.
The culprit? Legacy ciphers like AES256-SHA and AES128-SHA that don’t use ephemeral key exchange. These ciphers exist for compatibility with ancient clients, but they mean that if a server’s private key is ever compromised, past traffic encrypted with these ciphers could theoretically be decrypted.
Only PagerDuty achieved full forward secrecy across all offered ciphers.
In practice, modern browsers will negotiate ECDHE-based ciphers first, so this is more of a theoretical concern than an active risk. But if you’re handling sensitive data and want defense-in-depth, consider disabling non-PFS ciphers entirely.
OCSP Stapling: Mixed Picture
Only 23 out of 50 vendors (46%) have OCSP stapling enabled.
OCSP stapling improves performance and privacy by having the server include a cached certificate revocation status, rather than forcing clients to query the CA directly. Without it, browsers either make slow OCSP requests or skip revocation checking entirely.
Caveat: Let’s Encrypt has deprecated OCSP in favor of short-lived certificates and CRLs. Vendors using Let’s Encrypt certificates won’t have OCSP stapling — and that’s now expected behavior, not a misconfiguration.
Notable vendors without OCSP stapling include:
- GitHub
- Slack
- Stripe
- 1Password
- Dropbox
- Zendesk
- Netlify
- Heroku
CAA Records: Half the Industry
Certificate Authority Authorization (CAA) records specify which CAs are allowed to issue certificates for your domain. They’re a defense against misissuance — if an attacker tries to get a certificate from an unauthorized CA, the CA should refuse.
Only 25 out of 50 vendors (50%) have CAA records configured. Those without include:
- Auth0
- Salesforce
- HubSpot
- Workday
- Heroku
- DocuSign
Setting up CAA records takes about five minutes and costs nothing. There’s no good reason to skip it.
Results by Category
Identity & Security (8 vendors)
| Vendor | Grade | HSTS | HSTS Preload | OCSP | CAA |
|---|---|---|---|---|---|
| Okta | A | ✓ | — | ✓ | ✓ |
| Auth0 | A | ✓ | — | — | — |
| 1Password | A | ✓ | ✓ | — | ✓ |
| LastPass | A | — | — | ✓ | ✓ |
| Duo Security | A | ✓ | ✓ | ✓ | — |
| JumpCloud | A | — | — | ✓ | — |
| CyberArk | A | ✓ | ✓ | — | — |
| BeyondTrust | A | — | — | ✓ | ✓ |
The irony of security vendors missing basic headers isn’t lost on me. LastPass, JumpCloud, and BeyondTrust should fix their HSTS situation yesterday.
DevOps & Engineering (12 vendors)
| Vendor | Grade | HSTS | HSTS Preload | OCSP | CAA |
|---|---|---|---|---|---|
| GitHub | A | ✓ | ✓ | — | ✓ |
| GitLab | A | ✓ | ✓ | ✓ | ✓ |
| Bitbucket | A | ✓ | — | — | ✓ |
| Atlassian | A | ✓ | — | ✓ | ✓ |
| Linear | A | ✓ | ✓ | — | — |
| CircleCI | A | ✓ | — | ✓ | — |
| Datadog | A | ✓ | ✓ | ✓ | — |
| PagerDuty | A | ✓ | ✓ | — | ✓ |
| Sentry | A | ✓ | — | — | ✓ |
| LaunchDarkly | A | ✓ | ✓ | — | ✓ |
| Terraform Cloud | A | ✓ | — | — | — |
| Snyk | A | ✓ | ✓ | ✓ | ✓ |
Snyk and GitLab are the only vendors in this category with a clean sweep across all four additional security measures.
Communication & Collaboration (7 vendors)
| Vendor | Grade | HSTS | HSTS Preload | OCSP | CAA |
|---|---|---|---|---|---|
| Slack | A | ✓ | ✓ | — | ✓ |
| Zoom | A | ✓ | — | ✓ | ✓ |
| Notion | A | ✓ | ✓ | ✓ | — |
| Asana | A | ✓ | — | — | — |
| Monday.com | A | ✓ | — | ✓ | — |
| Miro | A | ✓ | ✓ | ✓ | ✓ |
| Loom | A | ✓ | ✓ | ✓ | — |
Miro is the standout here with full marks.
CRM & Sales (6 vendors)
| Vendor | Grade | HSTS | HSTS Preload | OCSP | CAA |
|---|---|---|---|---|---|
| Salesforce | A | ✓ | ✓ | ✓ | — |
| HubSpot | A | ✓ | — | ✓ | — |
| Pipedrive | A | ✓ | — | ✓ | ✓ |
| Zendesk | A | ✓ | ✓ | — | — |
| Intercom | A | ✓ | — | — | — |
| Gong | A | ✓ | ✓ | — | ✓ |
HR & Finance (8 vendors)
| Vendor | Grade | HSTS | HSTS Preload | OCSP | CAA |
|---|---|---|---|---|---|
| Workday | A | ✓ | — | — | — |
| BambooHR | A | ✓ | — | ✓ | — |
| Gusto | A | ✓ | ✓ | — | — |
| Rippling | A | ✓ | ✓ | ✓ | — |
| Stripe | A | ✓ | ✓ | — | ✓ |
| Bill.com | A | ✓ | ✓ | — | — |
| Brex | A | — | — | — | — |
| Ramp | A | ✓ | — | ✓ | ✓ |
Brex is the only vendor in the entire audit missing all four additional security measures (HSTS, preload, OCSP, CAA). For a company handling corporate finances, that’s not a great look.
Infrastructure (6 vendors)
| Vendor | Grade | HSTS | HSTS Preload | OCSP | CAA |
|---|---|---|---|---|---|
| DigitalOcean | A | — | — | ✓ | ✓ |
| Linode | A | ✓ | — | — | — |
| Cloudflare | A | ✓ | ✓ | ✓ | ✓ |
| Vercel | A | ✓ | ✓ | — | ✓ |
| Netlify | A | ✓ | ✓ | — | ✓ |
| Heroku | A | ✓ | — | — | — |
Cloudflare — unsurprisingly, given their business — has the cleanest config in this category.
Document & Storage (3 vendors)
| Vendor | Grade | HSTS | HSTS Preload | OCSP | CAA |
|---|---|---|---|---|---|
| Dropbox | A | ✓ | — | — | ✓ |
| Box | A | ✓ | ✓ | — | ✓ |
| DocuSign | A | ✓ | — | — | — |
Summary Statistics
| Metric | Count | Percentage |
|---|---|---|
| TLS 1.3 Enabled | 50/50 | 100% |
| TLS 1.0 Disabled | 50/50 | 100% |
| TLS 1.1 Disabled | 50/50 | 100% |
| No Weak Ciphers | 50/50 | 100% |
| HSTS Enabled | 45/50 | 90% |
| HSTS Preload | 27/50 | 54% |
| OCSP Stapling | 23/50 | 46% |
| CAA Records | 25/50 | 50% |
| Full Forward Secrecy | 1/50 | 2% |
Recommendations
If you’re evaluating vendors or hardening your own infrastructure, here’s what to look for:
HSTS with preload — Not just the header, but actually submitted to the browser preload lists. Check at hstspreload.org.
CAA records — Five minutes to set up, prevents certificate misissuance. No excuses.
OCSP stapling — Improves performance and client privacy. Easy to enable in nginx/Apache, though note that Let’s Encrypt has deprecated OCSP in favor of CRLs.
Disable non-PFS ciphers — If you don’t need IE6 compatibility (you don’t), drop
AES256-SHAandAES128-SHA.Regular auditing — TLS configs drift. Set up monitoring to catch regressions.
Final Thoughts
The industry baseline is solid. Nobody’s running TLS 1.0, nobody’s offering export ciphers, and TLS 1.3 adoption is universal. That’s genuinely good news.
But “no active vulnerabilities” isn’t the same as “defense in depth.” Half the industry is missing CAA records. Half is missing OCSP stapling. A tenth is missing HSTS entirely — including three vendors whose entire business is security.
The vendors who stand out aren’t the ones without vulnerabilities. They’re the ones who’ve implemented every available protection: GitLab, Snyk, Cloudflare, Miro, and PagerDuty all scored full marks or close to it.
Your vendor’s TLS config is a proxy for their security culture. If they can’t be bothered to add an HSTS header, what else are they cutting corners on?
Want to audit your own vendors? Try CertRadar.net — it’s free.
Need continuous monitoring for your SSL certificates? Check out SSLGuard.net.