Episode 13 · Module 4 · Transport

TLS and HTTPS from Scratch

18 May 2026 · 9:30 · Security for Legal SaaS

0:00 9:30

Every developer knows they need HTTPS. Few understand what happens behind the padlock. Alice and Dan take TLS apart — the 1.3 handshake, forward secrecy, certificate lifecycle, Let’s Encrypt automation, cipher suite selection, and why supporting TLS 1.0 for a legacy court system should never degrade your entire application’s security posture.

Today’s Lesson

Security for Legal SaaS — Episode 13: TLS and HTTPS from Scratch

The Illusion of “Just Add HTTPS”

Every developer knows their application needs HTTPS. Few understand what that actually means at a protocol level — which cipher suites are negotiated, how certificate validation works, what happens when certificates expire at 2am on a Friday, and why TLS 1.0 connections from a court’s legacy system represent a genuine security risk. TLS is the single most important transport security mechanism on the internet, and for legal SaaS carrying privileged communications, getting it right is non-negotiable.

Key stat: SSL Labs' SSL Pulse survey consistently finds that approximately 25-30% of surveyed sites still have TLS configuration issues — from supporting deprecated protocols to using weak cipher suites. These aren't obscure services; they include enterprise SaaS platforms handling sensitive data.

For legal tech specifically, the data in transit includes attorney-client privileged communications, litigation strategy documents, client financial records, and court filings. A TLS misconfiguration doesn’t just expose data — it potentially waives privilege and triggers regulatory obligations.

How TLS Actually Works

The Handshake (TLS 1.3)

TLS 1.3, finalised in 2018, reduced the handshake from two round-trips to one:

Step	Client	Server
1	ClientHello: supported cipher suites + key share
2		ServerHello: chosen cipher, certificate, key share
3	Verify certificate chain → derive session keys
4	Application data (encrypted)	Application data (encrypted)

The critical security properties:

- Forward secrecy — Ephemeral Diffie-Hellman key exchange means even if the server’s private key is later compromised, past sessions cannot be decrypted

- Authenticated encryption — Only AEAD cipher suites (AES-GCM, ChaCha20-Poly1305) are permitted in TLS 1.3

- No legacy baggage — RSA key exchange, CBC mode ciphers, MD5, SHA-1 — all removed

Certificate Validation

When your browser connects to app.lawfirm.com, the server presents a certificate chain. The browser validates:

1. The certificate is signed by a trusted Certificate Authority (CA)

2. The certificate hasn’t expired

3. The domain name matches the certificate’s Subject Alternative Name

4. The certificate hasn’t been revoked (via CRL or OCSP)

If any check fails, the connection is refused. This is why expired certificates cause outages — not warnings, outages.

Let’s Encrypt and Automated Certificates

Let’s Encrypt fundamentally changed TLS deployment by providing free, automated certificates with a 90-day validity period. The short lifetime is a feature — it forces automation and limits the window if a private key is compromised.

Automation with Certbot/ACME

Component	Role
ACME protocol	Standardised certificate issuance automation
Certbot / acme.sh	Client tools that handle challenge-response and renewal
HTTP-01 challenge	Prove domain control by serving a file at `/.well-known/acme-challenge/`
DNS-01 challenge	Prove control by creating a DNS TXT record (required for wildcards)

Best practice: Configure automated renewal with at least 30 days before expiry. Monitor certificate expiry dates with alerting. A certificate that expires at 3am during a court filing deadline is not a theoretical risk — it's a known failure mode.

Common Misconfigurations

1. Supporting Deprecated Protocols

TLS 1.0 and 1.1 were deprecated by RFC 8996 in 2021. Known vulnerabilities include BEAST, POODLE, and Lucky 13. Yet some legal SaaS platforms maintain support for legacy court systems that haven’t upgraded.

The risk: An attacker performing a downgrade attack forces the connection to TLS 1.0 and exploits known vulnerabilities. POODLE demonstrated this by recovering encrypted content one byte at a time.

The fix: Disable TLS 1.0 and 1.1 entirely. If a court system requires them, use a dedicated proxy with network-level isolation — don’t expose your entire application to downgrade attacks for one integration.

2. Weak Cipher Suites

Avoid	Use Instead
RC4 (biased keystream)	AES-256-GCM
DES/3DES (64-bit block)	ChaCha20-Poly1305
CBC mode without encrypt-then-MAC	AEAD suites only
RSA key exchange (no forward secrecy)	ECDHE key exchange

3. Mixed Content

Loading HTTP resources (scripts, stylesheets, images) on an HTTPS page. Modern browsers block mixed active content (scripts, iframes) but may allow mixed passive content (images). A single HTTP-loaded script gives an attacker full control of the page.

4. Certificate Expiry

In 2020, Microsoft Teams suffered a global outage because a certificate expired. The fix took hours. For legal SaaS with filing deadlines, hours of downtime can mean missed court dates.

TLS 1.3: Why It Matters

TLS 1.3 isn’t just faster — it’s fundamentally more secure:

Feature	TLS 1.2	TLS 1.3
Handshake round-trips	2	1
Forward secrecy	Optional (depends on cipher)	Mandatory
Cipher suites	300+ (many insecure)	5 (all secure)
0-RTT resumption	No	Yes (with replay caveats)
CBC mode	Permitted	Removed
RSA key exchange	Permitted	Removed

0-RTT resumption caveat: 0-RTT data is replayable. For legal SaaS, never allow state-changing operations (document sharing, payment processing) in 0-RTT — only idempotent reads.

Testing with SSL Labs

Qualys SSL Labs Server Test is the industry standard for TLS configuration assessment. It grades your configuration A through F and identifies specific issues.

What an A+ Grade Requires

Criterion	Requirement
Protocol support	TLS 1.2+ only (TLS 1.3 preferred)
Key exchange	ECDHE with P-256 or X25519
Cipher strength	128-bit+ AEAD only
Certificate	SHA-256+, 2048-bit+ RSA or P-256 ECDSA
HSTS	Configured with long max-age
No known vulnerabilities	BEAST, POODLE, Heartbleed, ROBOT all patched

Run this test after every infrastructure change. Automate it in your deployment pipeline — testssl.sh provides a command-line alternative for CI/CD integration.

Legal-Specific TLS Considerations

Court Integration Endpoints

Some court e-filing systems run legacy TLS configurations. When integrating:

- Never downgrade your main application’s TLS to accommodate them

- Use a dedicated outbound proxy with strict network isolation

- Log all connections to legacy endpoints for audit purposes

- Maintain a deprecation timeline and communicate it to court IT

Client Portal Certificate Pinning

For high-value clients (large litigation, M&A), consider certificate pinning in custom client applications — ensuring the app only accepts your specific certificate, not any CA-signed certificate for your domain.

Conclusion

TLS is not a checkbox — it’s a living configuration that requires monitoring, testing, and maintenance. Certificates expire, cipher suites become deprecated, and protocol vulnerabilities are discovered. For legal SaaS, where a single intercepted communication can waive attorney-client privilege, your TLS configuration is as critical as your authentication system. Test it today. Automate the testing. Alert on degradation.

Next episode: API Gateway Patterns and Rate Limiting — where we’ll see how a single enforcement point protects your entire API surface.

Alice: Welcome back to Security for Legal SaaS. I’m Alice.

Dan: And I’m Dan. Episode 13 — TLS and HTTPS from Scratch. Alice, every developer knows they need HTTPS — HTTP over TLS, meaning the regular web protocol wrapped in an encrypted layer. What don’t they know?

Alice: They don’t know what’s actually happening when that padlock appears. They don’t know which cipher suites — the sets of encryption algorithms — their server negotiates. They don’t know whether their configuration provides forward secrecy. And they definitely don’t know what happens when their certificate expires at 3am on the night before a court filing deadline.

Dan: Let’s start with the basics. What is TLS actually doing?

Alice: TLS — Transport Layer Security — provides three things. Authentication — proving the server is who it claims to be. Confidentiality — encrypting the data so nobody between client and server can read it. Integrity — ensuring data isn’t modified in transit. The handshake establishes all three before any application data flows.

Dan: Walk me through what happens when a browser connects to a legal SaaS application over HTTPS.

Alice: TLS 1.3 — the current version, finalised in 2018. The client sends a ClientHello containing its supported cipher suites and a key share. The server picks a cipher suite, sends back its certificate and its own key share. The client validates the certificate chain — is it signed by a trusted CA — a Certificate Authority, a trusted organisation that verifies server identities and issues digital certificates — is the domain correct, has it expired, has it been revoked. If everything checks out, both sides derive session keys from the combined key shares. One round trip. Application data flows encrypted.

Dan: That’s faster than previous versions?

Alice: TLS 1.2 took two round trips. TLS 1.3 also removed all the insecure options — no more RSA key exchange — an older method of sharing encryption keys — no CBC mode ciphers — an older encryption technique with known weaknesses — no MD5 or SHA-1, which are outdated hash functions that can now be forged. The protocol only allows five cipher suites, all of them using AEAD — authenticated encryption with associated data, which provides both confidentiality and tamper-proofing in one operation. You literally cannot negotiate an insecure configuration in TLS 1.3.

Dan: What about forward secrecy? I hear that term a lot.

Alice: Forward secrecy means that even if your server’s private key is compromised tomorrow, every past session remains secure. This works because each connection uses ephemeral — temporary — Diffie-Hellman key pairs. Diffie-Hellman is a mathematical method that lets two parties agree on a shared secret over an insecure channel without ever transmitting the secret itself. The session keys are derived from these ephemeral keys, not from the server’s long-term key. Once the connection closes, the ephemeral keys are discarded. In TLS 1.3, forward secrecy is mandatory. In TLS 1.2, it depends on the cipher suite — RSA key exchange doesn’t provide it.

Dan: Let’s talk about certificates. Let’s Encrypt made them free — what’s the catch?

Alice: No catch, but a responsibility. Let’s Encrypt certificates expire every 90 days. That short lifetime is intentional — it forces automation and limits the damage window if a key is compromised. The ACME protocol — Automated Certificate Management Environment — automates the entire process — domain validation, certificate issuance, installation, renewal. Tools like Certbot handle this. But you must set up monitoring. If renewal fails silently and the certificate expires, your application goes down hard. Browsers don’t show a degraded warning anymore — they block access entirely.

Dan: Real-world example of that going wrong?

Alice: Microsoft Teams. February 2020. A certificate expired and the entire service went down globally. For hours. Now imagine that happening to your e-filing platform on a court deadline. The filing doesn’t go through because browsers refuse to connect. Your client’s motion is late. Opposing counsel moves for default judgement. And the root cause was — nobody set up a renewal alert.

Dan: What are the common misconfigurations you see in legal SaaS deployments?

Alice: Four big ones. First — still supporting TLS 1.0 or 1.1. These were formally deprecated in 2021. They have known vulnerabilities — BEAST, POODLE, Lucky 13 — these are named attacks that exploit weaknesses in how older TLS versions encrypt data, allowing attackers to gradually recover the contents of encrypted communications. An attacker can force a downgrade and exploit them. Disable completely. Second — weak cipher suites. RC4, DES, 3DES, CBC mode without proper MAC — Message Authentication Code, a check that data hasn’t been tampered with — — all exploitable. Only allow AEAD ciphers. Third — mixed content. Your HTTPS page loads a script over HTTP. That single HTTP script gives a man-in-the-middle — an attacker positioned between the user and the server who can intercept traffic — full control of the page. Fourth — no HSTS header, so the browser doesn’t enforce HTTPS and a network attacker can SSL-strip the connection — silently downgrading it from encrypted HTTPS to unencrypted HTTP.

Dan: What about legacy court systems? Some of them haven’t upgraded their TLS in years.

Alice: Never downgrade your main application to accommodate them. Instead — dedicated outbound proxy with strict network isolation. That proxy speaks TLS 1.0 to the legacy court system and TLS 1.3 to your application internally. Log every connection. Maintain a deprecation timeline. Communicate to court IT that their configuration has a hard deadline. Your security posture doesn’t degrade because one integration partner is behind.

Dan: How should teams test their TLS configuration?

Alice: Qualys SSL Labs Server Test. Free, web-based, gives you a letter grade A through F with specific findings. An A+ requires TLS 1.2 or higher only, ECDHE key exchange — Elliptic Curve Diffie-Hellman Ephemeral, the modern method for securely agreeing on encryption keys — AEAD ciphers, valid SHA-256 certificate, and HSTS configured. For CI/CD integration, testssl.sh runs from the command line — you can fail a deployment if the TLS grade drops below A.

Dan: What about TLS 1.3’s zero round-trip resumption? I’ve heard that has security tradeoffs.

Alice: It does. 0-RTT lets a returning client send application data in the very first packet — before the handshake completes. Great for performance. But that data is replayable. An attacker who captures a 0-RTT request can replay it. For legal SaaS — never allow state-changing operations in 0-RTT. Document sharing, payment processing, filing submissions — these must require the full handshake. Only idempotent reads should use 0-RTT.

Dan: Any other legal-specific considerations?

Alice: Certificate pinning for high-value client applications. If you build a dedicated portal for a major litigation client, you can pin your specific certificate in the app — so even if an attacker compromises a CA and issues a fraudulent certificate for your domain, the pinned app rejects it. This is high-assurance territory, appropriate for clients where the stakes justify the operational complexity.

Dan: The summary here — TLS isn’t set-and-forget.

Alice: It’s a living configuration. Certificates expire. Cipher suites get deprecated. Protocol vulnerabilities are discovered. Test regularly. Automate renewal. Monitor continuously. For legal SaaS carrying privileged communications, your TLS configuration is as critical as your authentication system.

Dan: Next episode — API Gateway Patterns and Rate Limiting. How a single enforcement point protects your entire API surface from abuse.

Alice: Until then, I’m Alice.

Dan: And I’m Dan.

Alice: Security for Legal SaaS is a series written with AI assistance. Alice and Dan are AI-generated voices — no professional advice here, just education.

Security for Legal SaaS is a series written with AI assistance. Alice and Dan are AI-generated voices — no professional advice here, just education.