Do I need to Buy an SSL Certificate to use Secure Email?

September 23rd, 2013

Our sales staff have been asked this question countless times.  It is a natural assumption that because SSL and TLS encryption of email (and web sites) requires use of an “SSL certificate”, one must buy an SSL certificate in order to use such a service.  Fortunately, the answer is always

You do not need to buy your own SSL certificate to use secure email.

We’ll explain why.

How do SSL and TLS work?

At its most basic level, SSL works as follows (TLS works similarly — what is the difference?):

  1. A user connects to a server that supports SSL
  2. The server sends its SSL Certificate back to the user’s computer
  3. The user verifies that the certificate is for the company/domain that it is trying to connect to (the certificate is signed by a trusted third party, like Verisign or Thawte).
  4. If the user trusts the certificate, the user’s computer sends the server a list of encryption methods that it supports
  5. The server picks one that it also supports
  6. The server and the user’s computer communicate henceforth over an encrypted channel using the chosen encryption method.

That is a little technical and terse; for a much more verbose and down-to-earth overview of how this works, see: How does Secure Socket Layer (SSL or TLS) Work? However, the main point is that the only certificate involved is the one that resides on the server owned by the service provider and which is sent to the user when s/he connects.  Since the user never needs to send his/her own certificate, there is no need to own one.

But without a certificate, how does the server know who I am?

In most cases, when your SSL session is completed, the next step in sending or receiving email is to send your username and password.  The server uses this information to determine your identity and verify your access.  This information is secure and protected by the established SSL security connection.

You do not need your own SSL certificate to establish your identity.

But is not using a client-side SSL certificate more secure than a username and password?

Ah ha! This is the crux of some people’s confusion.

It is indeed possible to have an SSL certificate on your computer and to use this to authenticate yourself with a server, providing that the server supports this kind of authentication.  It can be much more secure than a username and password, as it is tied to your computer and cannot be stolen without physical access to your machine and your account on it.

However, most email services do not support identity authentication via client-side SSL certificates.  This is much more common with secure web sites.  For example, some OpenID providers, like “myopenid.com”, allow you to authenticate with them using a free client-side SSL certificate. This gives you better security with your OpenID than you get with usernames and passwords.  It also means that you do not have to remember another password … the client-side SSL certificate is your effective “password”.

LuxSci itself does not support use of SSL client-side certificates for any kind of login … though it does support OpenID for WebMail access, and thus supports whatever stronger authentication your OpenID provider offers by that route.
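To make the six handshake steps and the password step concrete from the client's side, here is an added example (written for this page, not LuxSci's own code or software) of an IMAP-over-TLS login: the client verifies the server's certificate and host name, negotiates a cipher, and only then sends its username and password inside the encrypted channel. No certificate of the user's own is loaded unless the rare client-certificate case from the previous section applies. The host names, the sample certificate dictionary and the credentials are constructed placeholders.

```python
"""Added example: the client side of a TLS-protected IMAP login.

Shows which certificate actually takes part in the handshake (the server's)
and where the user's own credentials are sent (inside the TLS channel).
Host names such as mail.yourdomain.com are placeholders, not real servers.
"""
import imaplib
import ssl
import sys


def make_client_context(client_cert=None, client_key=None):
    """Steps 3-5 from the client's point of view.

    The context verifies the *server's* certificate against the platform CA
    store and checks that it names the host we asked for.  No certificate of
    our own is needed; client_cert/client_key exist only for the uncommon
    servers that authenticate users by client-side certificate (mutual TLS).
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 and TLS 1.0/1.1
    ctx.verify_mode = ssl.CERT_REQUIRED  # already the default; stated for clarity
    ctx.check_hostname = True
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)  # mutual-TLS case only
    return ctx


def hostname_matches(cert, hostname):
    """Step 3: does the presented certificate name the host we dialled?

    `cert` is the dict that ssl.SSLSocket.getpeercert() returns.  Only DNS
    entries of the subjectAltName extension are consulted; the subject CN is
    used solely when the certificate carries no SAN at all (legacy behaviour).
    """
    hostname = hostname.lower().rstrip(".")
    names = [v.lower() for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value.lower())
    for pattern in names:
        if pattern == hostname:
            return True
        # One wildcard, leftmost label only: *.example.com matches a.example.com
        # but neither example.com nor a.b.example.com.
        if pattern.startswith("*.") and "*" not in pattern[2:]:
            head, sep, rest = hostname.partition(".")
            if sep and head and rest == pattern[2:]:
                return True
    return False


def days_until_expiry(cert, now):
    """Whole days the server certificate stays valid after `now` (seconds since
    the epoch).  Negative means it has already expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now) // 86400)


def secure_imap_login(host, user, password, port=993, ctx=None):
    """Steps 1-6, then the password step.

    IMAP4_SSL performs the handshake; the library already rejects an
    untrusted or mis-named server certificate, and the explicit hostname
    check here only makes that visible.  Returns (connection, peer
    certificate dict, negotiated cipher tuple).
    """
    ctx = ctx or make_client_context()
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)  # handshake happens here
    peer = conn.socket().getpeercert()
    if not hostname_matches(peer, host):
        conn.shutdown()
        raise ssl.CertificateError(f"certificate does not name {host}")
    conn.login(user, password)  # credentials travel inside the TLS channel
    return conn, peer, conn.socket().cipher()


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.yourdomain.com"),),),
    "subjectAltName": (("DNS", "mail.yourdomain.com"), ("DNS", "*.yourdomain.com")),
    "notBefore": "Sep 23 00:00:00 2013 GMT",
    "notAfter": "Sep 23 00:00:00 2014 GMT",
}

if __name__ == "__main__":
    if len(sys.argv) == 4:
        host, user, password = sys.argv[1:]
        conn, peer, cipher = secure_imap_login(host, user, password)
        print("server certificate subject:", peer["subject"], "cipher:", cipher)
        conn.logout()
    else:
        print("usage: HOST USER PASSWORD; running the offline checks instead")
        now = ssl.cert_time_to_seconds("Sep 13 00:00:00 2014 GMT")
        print(hostname_matches(SAMPLE_CERT, "mail.yourdomain.com"),
              days_until_expiry(SAMPLE_CERT, now))
```

Run it with a host, user and password to perform a real login; without arguments it exercises only the offline checks against the constructed certificate. The expiry helper is there because a server certificate that lapses silently breaks every client's step 3, which is the risk the last section of this post is about.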

Ok, when do I need to buy an SSL certificate of my own?

Here is the real question.  As far as LuxSci is concerned, you might need to buy your own SSL certificate in the following cases:

  • You have your own web site and you would like to have some or all of it secured by SSL.  You will then need to get an SSL certificate for your web site’s domain name.
  • You have Private Labeling with LuxSci and wish to use your own domain name in the browser address bar when users are logged in to your branded WebMail securely (i.e., instead of them seeing https://luxsci.com/…).  You would then need an SSL certificate for something like “webmail.yourdomain.com”.
  • You have Private Labeling with LuxSci and wish to use your own domain name in your users’ email clients for their secure IMAP, POP, or SMTP connections to your email server (i.e., instead of them using something like “secure-email.luxsci.com”).  You would then need an SSL certificate for something like “mail.yourdomain.com”.

LuxSci can purchase these SSL certificates for you through its partner, Thawte; or, you can buy them yourself and provide them to LuxSci (let us generate the CSRs — certificate signing requests — for you to make things easier, however).  It’s up to you which way to go; however, if we buy the certificate for you, a lot of leg work will be taken care of on your behalf and we will ensure that the certificate doesn’t expire without your permission. Read more as to why.