" tls Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci
LuxSci

Posts Tagged ‘tls’

TLS 1.0 to 1.2 and NIST TLS Cipher Updates: Email Program and Web Browser Compatibility Issues

Thursday, June 7th, 2018

It happens at least every few years: system administrators need to update the security configuration of their servers to keep up with the latest best practices and to close newly found security issues(i.e., via changes to recommended TLS ciphers and protocols).  These updates can be rocky. Change often introduces incompatibilities that prevent certain systems or programs from being able to connect to the updated systems.

TLS Encryption Compatibility

In this article we are going to look at what email program an web browser incompatibilities arise when you migrate from using the “old standard:” TLS v1.0+ and the ciphers recommend by NIST 800-52r1 to using either TLS v1.0+ and the new NIST 800-52r2 ciphers or TLS v1.2+ and the new NIST 800-52r2 ciphers.

Why?

  1. PCI requires that servers that need to be PCI complaint use only TLS v1.1+ (which really means v1.2+) by the end of June, 2018.
  2. NIST 800-52r2 is in draft, but its updated cipher list removes many ciphers from revision 1 that are now considered “weak” and introduces a number of new, better ciphers.  Administrators should be moving towards NIST 800-52r2 cipher support as a best practice.
  3. Organizations that require HIPAA compliance should also follow the NIST guidelines and prepare NIST 800-52r2 support and, where possible, eventually eliminate pre-TLS 1.2 support. See: What level of TLS is required for HIPAA compliance?

Read the rest of this post »

What Level of SSL or TLS is Required for HIPAA Compliance?

Saturday, June 2nd, 2018

SSL and TLS are not actually monolithic encryption entities that you either use or do not use to connect securely to email servers, web sites, and other systems.  SSL and TLS are evolving protocols which have many nuances to how they may be configured.  The “version” of the protocol you are using and the ciphers used directly impact the level of security achievable through your connections.

Some people use the terms SSL and TLS interchangeably, but TLS (version 1.0 and beyond) is actually the successor of SSL (version 3.0). … see SSL versus TLS – what is the difference?  In 2014 we saw that SSL v3 was very weak and should not be used going forward by anyone (see the POODLE attacks, for example); TLS v1.0 or higher must be used.

Among the many configuration nuances of TLS, protocol versions supported (e.g., 1.0, 1.1, or 1.2) anf which “ciphers” are permitted have the greatest impact on security.  A “cipher” specifies encryption algorithm to be used,  the secure hashing (message fingerprinting / authentication) algorithm to be used, and other related things such as how encryption keys are negotiated.   Some ciphers that have long been used, such as RC4, have become weak over time and should never be used in secure environments.  Other ciphers provide protection against people who record a secure conversation from being able to decrypt it in the future if somehow the server’s private keys are compromised (perfect forward secrecy).

What level of TLS is required by HIPAA?

Given the many choices of ciphers and TLS protocol versions, people are often at a loss as to what is specifically needed for HIPAA compliance for an appropriate and compliant level TLS security.  Simply “turning on TLS” without also configuring it appropriately is likely to leave your transmission encryption non-complaint.  

Read the rest of this post »

SSL versus TLS – What’s the difference?

Saturday, May 12th, 2018

SSL versus TLS

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications and servers in scenarios where that data is being sent across an insecure network, such as checking your email (How does the Secure Socket Layer work?). The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other — SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1. With this said though, is there actually a practical difference between the two?

SSL versus TLS: What is the differenc?

See also our Infographic which summarizes these differences.

Read the rest of this post »

TLS Exclusive: HIPAA-compliant email marketing just got a whole lot better

Thursday, May 10th, 2018

If you are a healthcare organization and have to abide by HIPAA regulations, you may be struggling with HIPAA-compliant email marketing.  Besides getting patient consent, there is the whole concern that the marketing email messages need to be secured, as in many cases the marketing messages plus the addresses or list being used imply something about the recipients … something ePHI-related.

SMTP TLS Exclusive

It is a best practice to use a HIPAA-compliant email marketing service to send healthcare-related email marketing messages, newsletters, appointment reminder emails, etc.  Such a service signs the required HIPAA Business Associate Agreement with you, takes care of your data, and ensures that your email messages go securely to your recipients.

Read the rest of this post »

When can sending TLS-Secured Email be NOT HIPAA Compliant?

Tuesday, May 1st, 2018

In a question recently submitted to “Ask Erik,” John asked:

“How does sending a TLS-encrypted email sometimes become non-compliant?  Lets says I send an email from my Office 365 Business account to a gmail.com account which both support TLS encryption.  Is it because I do not know what path and what servers the email has to go through?  Does each server have to decrypt the email and is that when it becomes non-compliant?  I love the Luxsci forms by the way!”

What is TLS email not HIPAA compliant?
This is a great question!  In a recent survey that LuxSci did, less than 50% the people interested in secure email even knew what TLS is and how it works.  So it is not surprising that there is a lot of confusion out there about what is acceptable for compliance and what is not.

Read the rest of this post »

Ask Erik: Is misaddressed email a HIPAA breach?

Friday, December 8th, 2017

Read the rest of this post »

SMTP TLS: All About Secure Email Delivery over TLS

Monday, October 2nd, 2017

TLS stands for “Transport Layer Security” and is the successor of “SSL” (Secure Socket Layer). TLS is one of the standard ways that computers on the Internet transmit information over an encrypted channel. In general, when one computer connects to another computer and uses TLS, the following happens:

  1. Computer A connects to Computer B (no security)
  2. Computer B says “Hello” (no security)
  3. Computer A says “Lets talk securely over TLS” (no security)
  4. Computer A and B agree on how to do this (secure)
  5. The rest of the conversation is encrypted (secure)

In particular:

  • The meat of the conversation is encrypted
  • Computer A can verify the identity of Computer B (by examining its SSL certificate, which is required for this dialog)
  • The conversation cannot be eavesdropped upon (without Computer A knowing)
  • The conversation cannot be modified by a third party
  • Other information cannot be injected into the conversation by third parties.

Basic email security starts with SMTP TLS

TLS (and SSL) is used for many different reasons on the Internet and helps make the Internet a more secure place, when used. One of the popular uses of TLS is with SMTP for transmitting email messages between servers in a secure manner.  See also:

Read the rest of this post »

Is email message transport over MAPI or HTTPS secure?

Tuesday, September 5th, 2017

Our latest “Ask Erik” question involves understanding what email headers save about secure message transport … especially when they list MAPI or HTTPS instead of TLS.

Read the rest of this post »

Neutralizing and protecting against rogue TLS certificates in the wild

Thursday, August 17th, 2017

Techniques for fighting mis-issuance of TLS certificates

The web has reached the tipping point where encrypted traffic – connections protected by HTTPS, which is HTTP over SSL/TLS – has overtaken unencrypted (HTTP) traffic. There are many reasons for this change, variously called HTTPS Everywhere or Always-On SSL, which we described in a previous FYI blog post. While this move certainly improves the security and privacy of interactions on the web, there still remains the Achilles’ heel of this ecosystem – the problem of mis-issuance of cryptographically legitimate certificates to rogue site operators. This blog post describes recent steps taken to guard against such occurrences, using techniques which can raise the necessary alarms before much harm propagates.

The Achilles’ heel of internet security is the mis-issuance of cryptographically legitimate certificates to rogue site operators.

 

SSL and TLS Certificates

The entire edifice of SSL/TLS-based security rests on certificates issued to the legitimate operators of websites, so that browser indicators (the secure lock icon, for example) based on various cryptographic checks can reassure users that they are communicating with their intended destination. Mis-issued certificates, whether available through lax procedures at a certificate authority (CA) or by a malignant act, removes that critical trust. A browser’s cryptographic checks cannot distinguish a duly-vetted legitimate server from a man-in-the-middle that has improperly obtained a cryptographically valid certificate. The latter might arise owing to the (mis)placed trust in a compromised root CA embedded in the browser or one issued by a corrupted intermediate CA that is in a legitimate chain of trusted certificates.  This is, for example, why Google is reducing trust in SSL certificates issued by Symantec and why even Microsoft is the latest and last browser vendor to no longer going to trust anything issued by the WoSign/StartCom certificate authorities.

Some CAs make mistakes and fix them; some have a habit not well controlling certificate issuance.  This seriously damages our trust in a secure internet.

Read the rest of this post »

Why Choose OV TLS Certificates? The dilemma of the middle child

Wednesday, August 9th, 2017

Choosing amongst the different certificate types

Imagine three brothers. The youngest is nimble, outgoing, and popular. He’s also growing very rapidly and will soon be the tallest in the family. The oldest is steady, thoughtful, and circumspect. He’s a high achiever, in a job with lots of responsibilities and makes loads of money. But what about the middle sibling? The classic middle child syndrome would have him struggling to find his niche between these two exemplars.

It’s much the same (as far as analogies go) with the three types of SSL/TLS certificates – Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV) – available for use in the internet security ecosystem.

TLS Certificate Validity

First, just like siblings, all three share the same genes. That is, from a cryptographic point of view, all three certificates provide exactly the same level of confidentiality and integrity protection of the communications channel by using standard security technologies (private/public keys, cipher suites, encryption algorithms, etc.) in exactly the same way using SSL/TLS. The difference, as with siblings, is how they interact with their environment and take advantage of the opportunities presented to create and project their public persona. The choice of a certificate type for a website aims at projecting a particular image of its trustworthiness and dependability.  Is the site trustworthy enough to interact with for the purposes the end user has in mind?     

Read the rest of this post »