" tls Archives - Page 4 of 10 - LuxSci

Posts Tagged ‘tls’

What Level of SSL or TLS is Required for HIPAA Compliance?

Thursday, January 2nd, 2020

SSL and TLS are not monolithic encryption entities that you use or do not use to securely connect to email servers, websites, and other systems. SSL and TLS are evolving protocols with many nuances to how they may be configured. The “version” of the protocol and the ciphers used directly impact the level of security achievable through your connections.

Some people use the terms SSL and TLS interchangeably, but TLS (version 1.0 and beyond) is the successor of SSL (version 3.0). See SSL versus TLS – what is the difference? In 2014 we saw that SSL v3 was very weak and should not be used going forward by anyone; TLS v1.0 or higher must be used.

Among the many configuration nuances of TLS, the protocol versions supported (e.g., 1.0, 1.1, 1.2, and 1.3) and which “ciphers” are permitted significantly impact security. A “cipher” specifies the encryption algorithm, the secure hashing (message fingerprinting / authentication) algorithm to be used, and other related things such as how encryption keys are negotiated. Some ciphers that have long been used, such as RC4, have weakened over time and should never be used in secure environments. Other ciphers protect against people who record a secure conversation from being able to decrypt it in the future if somehow the server’s private keys are compromised (perfect forward secrecy).

Given the many choices of ciphers and TLS protocol versions, people are often at a loss as to what is specifically needed for HIPAA compliance. Simply “turning on TLS” without configuring it appropriately is likely to leave your transmission encryption non-compliant.

Read the rest of this post »

Tags: AES256, cipher, ePHI, hipaa, NIST 800-52, ssl, sslv3, tls, tls v1.0, tls v1.2
Posted in LuxSci Library: HIPAA, LuxSci Library: Security and Privacy
No comments »

What is TLS? Secure Email 101

Tuesday, November 27th, 2018

Transport Layer Security (TLS) is a widely used protocol in email security, the other being Secure Sockets Layer (SSL). Both are used to encrypt a communication channel between two computers over the internet.

An email client uses the Transport Control Protocol (TCP) – which enables two hosts to establish a connection and exchange data – via the transport layer to initiate a handshake with the email server before actual communication begins. The client tells the server the version of SSL or TLS it is running as well as the cipher suite (a set of algorithms that help in securing a network connection that uses SSL or TLS) it wants to use.

After this initial process, the email server verifies its identity to the client by sending a certificate the email client trusts. Once this trust is established, the client and server exchange a key, allowing messages exchanged between the two to be encrypted.

What parts of a message does TLS encrypt?

 The protocol encrypts the entire email message, including the header, body, attachments, email header, sender and receiver. TLS does not encrypt your IP address, server IP address, the domain you are connecting to, and the server port. The visible metadata informs where you are coming from, where you are connecting to and the service you’re connecting with, such as sending email or accessing a website. This article explains what is really protected by TLS and SSL.

Read the rest of this post »

Tags: ssl and tls, ssl vs tls, tls, tls vs ssl, what is TLS
Posted in LuxSci Library: HIPAA, LuxSci Library: Security and Privacy
No comments »

Stronger Email Security with SMTP MTA STS: Strict Transport Security

Wednesday, July 25th, 2018

Email transmission between servers has historically been extremely insecure. A new draft internet standard called “SMTP Strict Transport Security” or “SMTP MTA STS” is aiming to help all email providers upgrade to a much more secure system for server-to-server mail transmission. This article lays out where we are currently in terms of email transmission security and how SMTP MTA STS will help.

Email servers (a.k.a. Mail Transmission Agents or “MTAs”) talk to each other using the Simple Mail Transmission Protocol (SMTP). This protocol, developed in 1982, originally lacked any hint of security. As a result, a lot of the email shooting around the internet is still transmitted in plain text.  It is easily eavesdropped on, easily modified, untrusted and not private.

Back in 2002, an extension to SMTP called “STARTTLS” was standardized. This extension permitted servers to “upgrade” SMTP communications from plain text to an encrypted TLS-secured channel, when both servers supported compatible levels of TLS. This process is known as SMTP TLS. In principle, this security addition was really great. The “TLS” used is the same encryption method used by your web browsers to talk to secure web sites (e.g., banks, Amazon, your email provider, etc.). Your web browsers do relatively good job making sure that connections to these secure sites are safe.  I.e., they seek to ensure that there is encryption, that the encryption is sufficiently strong, and that there is no one actively eavesdropping on your connections.

Read the rest of this post »

Tags: smtp, SMTP MTA STS, STS, tls
Posted in LuxSci Library: Security and Privacy
No comments »

SSL versus TLS – What’s the difference?

Saturday, May 12th, 2018

SSL versus TLS

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications and servers when that data is sent across an insecure network. The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is, in fact, the predecessor of the other. SSL 3.0 served as the basis for TLS 1.0, which, as a result, is sometimes referred to as SSL 3.1. With this said, is there a practical difference between the two?

SSL versus TLS: What is the differenc?

See also our Infographic which summarizes these differences.

Read the rest of this post »

Tags: beast, compliance, email security, poodle, secure email, secure socket layer, security, ssl, ssl vs tls, sslv3, tls, tls vs ssl, transport layer
Posted in LuxSci Library: Security and Privacy, Popular Posts
9 Comments »

When can sending TLS-Secured Email be NOT HIPAA Compliant?

Tuesday, May 1st, 2018

In a question recently submitted to “Ask Erik,” John asked:

“How does sending a TLS-encrypted email sometimes become non-compliant?  Lets says I send an email from my Office 365 Business account to a gmail.com account which both support TLS encryption.  Is it because I do not know what path and what servers the email has to go through?  Does each server have to decrypt the email and is that when it becomes non-compliant?  I love the Luxsci forms by the way!”

This is a great question!  In a recent survey that LuxSci did, less than 50% the people interested in secure email even knew what TLS is and how it works.  So it is not surprising that there is a lot of confusion out there about what is acceptable for compliance and what is not.

Read the rest of this post »

Tags: hipaa, portal pickup, smtp, tls
Posted in LuxSci Library: HIPAA
No comments »

« Older Entries
Newer Entries »