This question came in via Ask Erik:
I stumbled upon your blog while trying to learn a little about SSL/TLS in the context of client/server e-mail sessions, i.e. not web mail which I understand to be an HTTP session. I am just an ordinary user with no special security needs but I find all this news about corporate and government surveillance to be troubling for both philosophical and practical reasons. In any case my questions is quite simple.
My e-mail client, apple mail, and my e-mail service provider both support SSL so my e-mail exchanges between my computer and the server are encrypted. I understand that I can’t control what happens with other e-mail servers. What I am trying to understand is what does it mean to be encrypted? When an e-mail leaves my computer how much of the message is encrypted? Are the e-mail headers encrypted including the sender and recipient e-mail addresses. I would assume so but nobody talks about the details. What metadata trail does a user leave when using SSL/TLS. Is it is as simple as the destination and sending IP address with everything else encrypted? Reading Data and Goliath right now by Bruce Schneider which talks about a lot of this stuff but again doesn’t give quite enough detail. At the end of the day I am trying to understand how much protection SSL really provides.
SSL (now TLS) protects data as it travels across the Internet. To understand in detail how SSL works, we recommend reading: How does Secure Socket Layer (SSL andTLS) work? However, looking at how the protocol works can leave answers to some of these fundamental questions a little unclear. Lets address them one by one.
Read the rest of this post »