" tls Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LUXSCI

Posts Tagged ‘tls’

Update: LuxSci upgrading all Systems to support only TLS v1.2+

Monday, June 17th, 2019

LuxSci has pushed back the general date of the transition to TLS 1.2 only support to January 1st, 2020.  This matches the timeline set by most browser vendors and others for abandoning the old versions of TLS and gives existing customers more time to upgrade their systems.  However, new dedicated LuxSci customers will be placed on servers that support only TLS 1.2+ starting this week.  The rolling update window is now January 1st through January 31st, 2020.

That said, LuxSci will still be transitioning to requiring TLS 1.2+ support for email transmission (“Forced TLS”) during the July-August, 2019 window.

Additionally, any dedicated customer that would like to transition to TLS 1.2+ sooner may do so at any time by asking LuxSci support.

See the original blog post: LuxSci to upgrade all Systems to support only TLS v1.2+

LuxSci to upgrade all Systems to support only TLS v1.2+

Monday, April 8th, 2019

Update 6/17/2019: LuxSci has pushed back the general date of the transition to TLS 1.2 only support to January 1st, 2020.  This matches the timeline set by most browser vendors and others for abandoning the old versions of TLS.  However, new dedicated LuxSci customers will be placed on servers that support only TLS 1.2+ starting this week.  The rolling update window is now January 1st through January 31st, 2020.

That said, LuxSci will still be transitioning to requiring TLS 1.2+ support for email transmission (“Forced TLS”) during the July-August, 2019 window.

Additionally, any dedicated customer that would like to transition to TLS 1.2+ sooner may do so at any time by asking LuxSci support.

LuxSci will be removing the remaining support for TLS v1.0 and TLS v1.1 from its services starting July 1st, 2019. This update will be a rolling change to all servers that will take place between July 1st and August 31st, 2019.

TLS v1.0 and TLS v1.1 are very old transport security protocols that have been succeeded by the much more secure TLS v1.2, which came out way back in 2008. All major web browsers released in the last 6+ years support TLS 1.2. Older web browsers may or may not support it (check your browser); however, less than 1% of web traffic across the world actually uses the older protocols.


What is TLS? Secure Email 101

Tuesday, November 27th, 2018

Transport Layer Security (TLS) is the protocol used to encrypt connections in email security. It succeeded Secure Sockets Layer (SSL), which is now deprecated (every version of SSL has known weaknesses), and both serve the same purpose: encrypting the communication channel between two computers over the internet.

An email client first opens a Transmission Control Protocol (TCP) connection to the mail server, which lets the two hosts exchange data, and then begins a TLS handshake before any mail is transferred (either on a port that speaks TLS from the start, or by upgrading a plain connection with STARTTLS). In its first message, the ClientHello, the client advertises the protocol versions it supports and the list of cipher suites (the combinations of key exchange, authentication, encryption and integrity algorithms) it is willing to use, in order of preference; the server chooses the version and suite that both sides support.

The server then proves its identity by sending its certificate. The client checks that the certificate chains to a certification authority it trusts and that it names the server the client meant to reach; a client that skips this check can be handed a forged certificate by anyone in the middle of the connection. Once that trust is established, the two sides perform a key exchange to agree on session keys, and everything exchanged on the connection from then on is encrypted with them.


What parts of a message does TLS encrypt?

TLS encrypts the entire SMTP exchange on that connection, so the whole message, including headers, body, attachments and the sender and recipient addresses, is hidden from anyone watching the wire. What TLS does not hide is the connection metadata: your IP address, the server's IP address, the server port, and the domain you are connecting to (the client sends it in the clear in the Server Name Indication extension of the handshake). That metadata shows where you are coming from, where you are connecting to, and the service you are using, such as sending email or accessing a website. TLS also only protects the message on that one hop: each mail server along the path decrypts it, and whether the next hop is encrypted depends on that server. This article explains what is really protected by TLS and SSL.
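Because the handshake described above is where the security decisions happen, here is a small worked example, written for this page and not part of the original post, that builds a ClientHello for a mail server and then parses it the way an on-path observer (or a server-side filter) would. It uses only the Python standard library; the host name, the cipher-suite list and the random bytes are constructed, not captured from a real client. It shows concretely that the client offers a list of versions and suites rather than a single one, that the server name travels in the clear (the Server Name Indication extension), and how an offer that still admits TLS 1.0/1.1 or RC4/3DES suites can be spotted before the connection is accepted.

```python
import os
import struct

# Protocol version codes as they appear on the wire.
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304

# A handful of IANA cipher-suite identifiers, enough to label the sample offer.
SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
LEGACY_SUITES = {0x000A, 0x0005}   # the "old" suites a TLS 1.2+ policy refuses


def build_client_hello(server_name, suites, versions, client_random=None):
    """Assemble the TLS record a client sends first (constructed, not a capture)."""
    name = server_name.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(name)) + name               # name_type host_name(0)
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_data)) + sni_data          # extension 0: server_name
    vers = b"".join(struct.pack("!H", v) for v in versions)
    sv_ext = struct.pack("!HHB", 43, len(vers) + 1, len(vers)) + vers  # extension 43: supported_versions
    exts = sni_ext + sv_ext
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        struct.pack("!H", TLS12)                        # legacy_version
        + (client_random or os.urandom(32))             # 32-byte client random
        + b"\x00"                                       # empty legacy_session_id
        + struct.pack("!H", len(cs)) + cs               # cipher_suites in the client's preference order
        + b"\x01\x00"                                   # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello(1)
    return b"\x16" + struct.pack("!HH", TLS10, len(handshake)) + handshake  # ContentType handshake(22)


def parse_client_hello(record):
    """Read the fields an eavesdropper sees: nothing in a ClientHello is encrypted."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                            # client random
    pos += 1 + body[pos]                                 # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ids = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]; pos += cs_len
    pos += 1 + body[pos]                                 # compression_methods
    info = {"legacy_version": legacy_version, "cipher_suite_ids": ids,
            "cipher_suites": [SUITES.get(s, hex(s)) for s in ids],
            "server_name": None, "supported_versions": []}
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == 0:                               # server_name: the domain is plaintext
                name_len = struct.unpack("!H", data[3:5])[0]
                info["server_name"] = data[5:5 + name_len].decode("ascii")
            elif etype == 43:                            # supported_versions
                n = data[0]
                info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                              for i in range(1, 1 + n, 2)]
    return info


def offers_legacy(info):
    """True if the offer admits TLS 1.0/1.1 or one of the deprecated suites above.
    Without a supported_versions extension only the client's highest version is visible."""
    versions = info["supported_versions"] or [info["legacy_version"]]
    return min(versions) < TLS12 or bool(set(info["cipher_suite_ids"]) & LEGACY_SUITES)


if __name__ == "__main__":
    rec = build_client_hello("mail.example.com", [0x1301, 0xC02F, 0x000A], [TLS13, TLS12])
    seen = parse_client_hello(rec)
    print(seen)
    print("would accept a legacy configuration:", offers_legacy(seen))
```

The builder and parser are deliberately mirror images: everything the parser extracts from the bytes is exactly what a passive observer between client and server can also extract, which is the point of the "what is not encrypted" section above.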


Stronger Email Security with SMTP MTA STS: Strict Transport Security

Wednesday, July 25th, 2018

Email transmission between servers has historically been extremely insecure.   A new draft internet standard called “SMTP Strict Transport Security” or “SMTP MTA STS” is aiming to help all email providers upgrade to a much more secure system for server-to-server mail transmission.    This article lays out where we are currently in terms of email transmission security and how SMTP MTA STS will help.

Email servers (a.k.a. Mail Transfer Agents or “MTAs”) talk to each other using the Simple Mail Transfer Protocol (SMTP). This protocol, developed in 1982, originally lacked any hint of security. As a result, a lot of the email shooting around the internet is still transmitted in plain text.  It is easily eavesdropped on, easily modified, untrusted and not private.


Back in 2002, an extension to SMTP called “STARTTLS” was standardized.  This extension lets a sending server “upgrade” an SMTP session from plain text to an encrypted, TLS-secured channel when both servers support compatible versions of TLS.  This process is known as SMTP TLS. In principle, this security addition was really great.  The “TLS” used is the same encryption your web browser uses to talk to secure web sites (e.g., banks, Amazon, your email provider, etc.).  Your web browser does a relatively good job of making sure that connections to these sites are safe: it checks that there is encryption, that the encryption is sufficiently strong, and that the server's certificate is valid for the site, so that no one can sit in the middle of the connection unnoticed.  Mail servers speaking SMTP TLS have historically done none of that: STARTTLS is opportunistic, so an attacker on the path can strip the STARTTLS offer and force the session back to plain text, and sending servers rarely verify the receiving server's certificate.
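The mechanism this article goes on to describe has since been published as RFC 8461. As an added worked example (not code from LuxSci or from the RFC), here is what a sending server has to do with the two artifacts MTA-STS defines: the DNS TXT record at _mta-sts.<domain>, which carries only a policy id, and the policy file fetched over HTTPS from https://mta-sts.<domain>/.well-known/mta-sts.txt, whose mode decides whether a bad hop is refused (enforce) or merely reported (testing). The sample record and policy below are constructed for this example, the problem labels are this example's own rather than TLSRPT result types, and the decision function takes the STARTTLS and certificate outcomes as inputs instead of connecting anywhere, so it runs offline.

```python
import re

# _mta-sts.<domain> TXT record: "v=STSv1; id=<up to 32 alphanumerics>"; a changed id
# tells senders their cached policy is stale and must be refetched over HTTPS.
TXT_RE = re.compile(r"^v=STSv1;\s*id=([A-Za-z0-9]{1,32})\s*;?\s*$")
MAX_AGE_LIMIT = 31557600   # one year, the ceiling RFC 8461 puts on max_age

# Constructed sample inputs (not real records).
SAMPLE_TXT = "v=STSv1; id=20190617T120000;"
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


def parse_sts_txt(txt):
    """Return the policy id from the TXT record, or None if the record is not an STSv1 record."""
    m = TXT_RE.match(txt.strip())
    return m.group(1) if m else None


def parse_policy(text):
    """Parse the key: value policy file and reject anything a sender must not act on."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        elif key in ("version", "mode"):
            policy[key] = value
        # unknown keys are ignored so future extensions do not break older senders
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not 0 <= policy.get("max_age", -1) <= MAX_AGE_LIMIT:
        raise ValueError("max_age missing or out of range")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("an enforce/testing policy needs at least one mx pattern")
    return policy


def mx_matches(pattern, host):
    """mx matching: exact, or a leading '*.' that stands for exactly one label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                    # ".backup.example.com"
        label = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return host == pattern


def allow_delivery(policy, mx_host, starttls_ok, cert_ok):
    """Decide one delivery attempt to mx_host. Returns (deliver, problem).

    mx_host is the name from the recipient domain's MX record; cert_ok means the
    certificate presented after STARTTLS chains to a trusted CA and names mx_host.
    """
    if policy["mode"] == "none":
        return True, None                       # policy is inert
    problem = None
    if not any(mx_matches(p, mx_host) for p in policy["mx"]):
        problem = "mx not in policy"
    elif not starttls_ok:
        problem = "STARTTLS not negotiated"
    elif not cert_ok:
        problem = "certificate not valid for MX host"
    if policy["mode"] == "enforce" and problem:
        return False, problem                   # fail closed: queue and retry, never send in the clear
    return True, problem                        # testing: deliver anyway, but report the problem


if __name__ == "__main__":
    print("policy id:", parse_sts_txt(SAMPLE_TXT))
    policy = parse_policy(SAMPLE_POLICY)
    print(policy)
    print(allow_delivery(policy, "mx1.backup.example.com", True, True))
    print(allow_delivery(policy, "mx.attacker.example", True, True))
```

The order of checks matters in enforce mode: an MX host that is not in the policy is refused even if it offers perfect TLS, because the point of the mx list is to stop an attacker who has tampered with the (unsigned) DNS MX answer from being handed the mail at all.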


TLS 1.0 to 1.2 and NIST TLS Cipher Updates: Email Program and Web Browser Compatibility Issues

Thursday, June 7th, 2018

It happens at least every few years: system administrators need to update the security configuration of their servers to keep up with the latest best practices and to close newly found security issues (for example, via changes to the recommended TLS ciphers and protocols).  These updates can be rocky. Change often introduces incompatibilities that prevent certain systems or programs from being able to connect to the updated systems.


In this article we are going to look at what email program and web browser incompatibilities arise when you migrate from using the “old standard” (TLS v1.0+ and the ciphers recommended by NIST 800-52r1) to using either TLS v1.0+ with the new NIST 800-52r2 ciphers or TLS v1.2+ with the new NIST 800-52r2 ciphers.

Why?

  1. PCI requires that servers that need to be PCI compliant use only TLS v1.1+ (which in practice means v1.2+) by the end of June, 2018.
  2. NIST 800-52r2 is in draft, but its updated cipher list removes many ciphers from revision 1 that are now considered “weak” and introduces a number of new, better ciphers.  Administrators should be moving towards NIST 800-52r2 cipher support as a best practice.
  3. Organizations that require HIPAA compliance should also follow the NIST guidelines and prepare NIST 800-52r2 support and, where possible, eventually eliminate pre-TLS 1.2 support. See: What level of TLS is required for HIPAA compliance?
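To make the migration concrete, here is an added example (mine, not LuxSci's configuration) using Python's ssl module, which wraps the same OpenSSL library most mail and web servers use. It builds a server context the way the “old standard” allowed (TLS 1.0 and up, a broad cipher list) next to a TLS 1.2+ context restricted to ECDHE key exchange with AES-GCM or ChaCha20-Poly1305, and an audit() that lists what a TLS 1.2+, forward-secrecy policy would reject. The cipher list is my choice in the spirit of NIST 800-52r2, not a transcription of its tables, and which weak suites the legacy context actually ends up with depends on the OpenSSL build (recent Pythons and OpenSSL security levels already prune some). The same audit can be pointed at any SSLContext you use for SMTP submission or HTTPS.

```python
import ssl
import warnings

# Substrings that mark suites this example refuses outright on a public-facing server:
# RC4, 3DES (OpenSSL spells it DES-CBC3), NULL and export ciphers, MD5 MACs, and
# anonymous, pre-shared-key or SRP key exchange.
WEAK_MARKERS = ("RC4", "DES-CBC", "NULL", "EXP", "MD5", "ADH", "AECDH", "PSK", "SRP")


def audit(ctx):
    """List what a TLS 1.2+ / forward-secrecy policy would object to in a context."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2")
    for cipher in ctx.get_ciphers():            # what OpenSSL will actually negotiate, in priority order
        name = cipher["name"]
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"weak cipher enabled: {name}")
        elif not name.startswith(("ECDHE-", "DHE-", "TLS_")):   # TLS_ prefix: TLS 1.3 suites, always ephemeral
            findings.append(f"no forward secrecy (static RSA key exchange): {name}")
    return findings


def legacy_context():
    """The post's 'old standard': TLS 1.0 and up with whatever OpenSSL calls ALL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)   # recent Pythons warn here, for good reason
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("ALL:!aNULL:!eNULL")
    return ctx


def hardened_context():
    """TLS 1.2+ only, AEAD suites with ephemeral ECDHE key exchange, server chooses the order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
    )
    return ctx


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(f"{label}: minimum={ctx.minimum_version.name}, {len(ctx.get_ciphers())} suites enabled")
        for finding in audit(ctx):
            print("  -", finding)
```

Running the audit against the hardened context should come back empty; run it against the context your mail or web server actually builds and the list is the compatibility risk the post is talking about, since every suite you drop is a suite some old client may have been relying on.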

