
Did You Know? S/MIME is like SSL for Email Encryption

S/MIME is a popular technology for end-to-end email encryption and is analogous to PGP in the way that it works.  It is commonly available in most modern email programs and in many server-side email and WebMail encryption services like LuxSci SecureLine.

Folks are used to thinking about Internet security and encryption in terms of web site security. E.g. the “https://” that secures our everyday life working in our web browsers is the signal that SSL/TLS is being used to encrypt traffic between ourselves and the web server.  People are even becoming used to the fact that TLS (with SMTP) is also commonly used to secure the transport of email messages from server-to-server.

These are all good things!

S/MIME (like PGP) is different — it encrypts the email message before it is sent and the message stays encrypted until the recipient opens it.  It “doesn’t matter” how this message is transported to the recipient … it’s secure the whole way.[1]  But did you know that S/MIME is really just the same SSL/TLS technology that secures your web traffic, applied to securing your messages?

[1] S/MIME (and PGP) do not secure your message headers (e.g. the subject, recipients, etc.); they only secure the message body and attachments.  So, the added security of SMTP over TLS does serve to protect those things that S/MIME does not protect.

How can S/MIME be SSL?

Well, it is not strictly SSL.  But it is conceptually SSL.  If we review how SSL works (see how in more detail) from 100 feet away:

  1. Way ahead of time: The server is issued a certificate from a “universally trusted authority” for a web site.
  2. You connect to the web site/server and “do the SSL dance” (your browser talking to the server):
    1. Get the server’s certificate
    2. Decide if it’s valid and you trust it
    3. Agree on cryptographic algorithms to use for message digests, symmetric encryption, etc.
    4. Agree on an encryption key for this session of secure dialog
  3. You then talk to the server over this secure channel using the agreed-upon crypto

This works very well and is the fundamental way that traffic on the Internet is currently secured.  Many bugs and flaws have been found (and will be found) in this and they have been and are fixed as fast as possible; it’s the best we have at the moment.

So — What does this have to do with S/MIME email encryption?

S/MIME works much like the above description of SSL, except there can be no “dialog” between client and server due to the time delay between sending and opening the message.

With S/MIME:

  1. Way ahead of time: The recipient gets a certificate which can be from a “trusted authority”
    1. This certificate is exactly the same as an SSL certificate.  The difference lies in the fact that it is issued for an email address like “” instead of a web site like “”.
    2. Also, people are usually less concerned about getting certificates for S/MIME from a universally trusted source — but the trust mechanisms are the same as they are for SSL.
  2. The public part of the recipient’s certificate is somehow communicated to the sender before the email message is sent
    • This is the “hard part.”  It could be sent in another email, be published in DNS, available through the sender’s email service provider, etc.
  3. The sender (actually his email system) constructs a secure message using S/MIME
    1. Pick cryptographic algorithms to use for message digests, symmetric encryption, etc.
      1. The choice of algorithms used here is exactly the same as those used for SSL/TLS.
    2. Choose an encryption key for the message
    3. Encrypt that encryption key using the recipient’s S/MIME certificate (so only the recipient can open it and thus open the meat of the message)
    4. Encrypt the message body and sign it using the chosen crypto.
    5. Format all that in an “S/MIME” way so that it becomes a regular email message and can be recognized by the recipient as S/MIME.
  4. The encrypted message is sent.


S/MIME is exactly like SSL/TLS in that:

  1. They use the same kinds of certificates (x.509) to identify SSL servers and S/MIME recipients and to handle trust
  2. They use the same kinds of cryptographic hashes (e.g. SHA1 or SHA256, etc.)
  3. They use the same kinds of symmetric encryption functions (e.g. AES256, etc.)
  4. The symmetric encryption key is communicated to the recipient using the recipient’s public S/MIME key, in an analogous way to how this happens with SSL/TLS.
  5. Both mechanisms can encrypt your email in transit: however, TLS/SSL does a more complete job of this.

S/MIME differs from SSL/TLS in that:

  1. There is no real-time dialog
    • This is a really important difference for security, as we will see in our next post.
  2. The sender and recipient do not get to agree on what cryptographic algorithms are used as part of the sending process … the sender picks ones that will be compatible with the recipient’s S/MIME key and which the sender thinks are secure enough and compatible enough for use.
  3. Senders usually place more implicit trust in recipient S/MIME keys than they do in the certificates offered by web sites.
    • This is because there is much less of an issue with man-in-the-middle attacks with S/MIME due to the fact that these certificates are usually communicated out-of-band, before the message is sent.
  4. S/MIME secures your messages at rest — while they are sitting around in email folders and backups (but only the bodies and attachments).

Hold On!

If S/MIME is so much like SSL (indeed the universal open source “openssl” library is often used for SSL, TLS, and S/MIME alike), how secure is it?  Is S/MIME subject to any of the problems we have seen over the past years related to SSL/TLS?  E.g. BEAST, POODLE, Heartbleed, etc.?  Should we worry, or use PGP or something else instead?

See followup post: Can S/MIME be Trusted?

