What is really protected by SSL and TLS?
Saturday, April 8th, 2017This question came in via Ask Erik:
Hi Erik,
I stumbled upon your blog while trying to learn a little about SSL/TLS in the context of client/server e-mail sessions, i.e. not web mail which I understand to be an HTTP session. I am just an ordinary user with no special security needs but I find all this news about corporate and government surveillance to be troubling for both philosophical and practical reasons. In any case my questions is quite simple.
My e-mail client, apple mail, and my e-mail service provider both support SSL so my e-mail exchanges between my computer and the server are encrypted. I understand that I can’t control what happens with other e-mail servers. What I am trying to understand is what does it mean to be encrypted? When an e-mail leaves my computer how much of the message is encrypted? Are the e-mail headers encrypted including the sender and recipient e-mail addresses. I would assume so but nobody talks about the details. What metadata trail does a user leave when using SSL/TLS. Is it is as simple as the destination and sending IP address with everything else encrypted? Reading Data and Goliath right now by Bruce Schneider which talks about a lot of this stuff but again doesn’t give quite enough detail. At the end of the day I am trying to understand how much protection SSL really provides.
SSL (now TLS) protects data as it travels across the Internet. To understand in detail how SSL works, we recommend reading: How does Secure Socket Layer (SSL andTLS) work? However, looking at how the protocol works can leave answers to some of these fundamental questions a little unclear. Lets address them one by one.
Read the rest of this post »
Everyone always harps on the necessity of privacy when discussing health care, government, and banking communications. It is surprising how little attention is paid to email security with regards to accounting and tax preparation. There is a real danger of identity theft, unintended information disclosure, as well as invasion of privacy when using tax preparation services or organizations that do not use secure email. Why is this? 
The popularity and prevalence of DKIM in the fight against SPAM is growing such that as of August, 2014, 47% of the most popular domains in the USA are DKIM-enabled (reference); globally, that number is 38%. The trend is steadily upward and we expect DKIM use to be pervasive within a few more years.
