What is TLS? Secure Email 101

November 27th, 2018

Transport Layer Security (TLS) is a widely used protocol in email security, the other being Secure Sockets Layer (SSL). Both are used to encrypt a communication channel between two computers over the internet.

An email client uses the Transport Control Protocol (TCP) – which enables two hosts to establish a connection and exchange data – via the transport layer to initiate a handshake with the email server before actual communication begins. The client tells the server the version of SSL or TLS it is running as well as the cipher suite (a set of algorithms that help in securing a network connection that uses SSL or TLS) it wants to use.

After this initial process, the email server verifies its identity to the client by sending a certificate the email client trusts. Once this trust is established, the client and server exchange a key, allowing messages exchanged between the two to be encrypted.

What parts of a message does TLS encrypt?

 The protocol encrypts the entire email message, including the header, body, attachments, email header, sender and receiver. TLS does not encrypt your IP address, server IP address, the domain you are connecting to, and the server port. The visible metadata informs where you are coming from, where you are connecting to and the service you’re connecting with, such as sending email or accessing a website. This article explains what is really protected by TLS and SSL.

What is the purpose of SSL and TLS?

 The purpose of the two protocols is to provide privacy, integrity and identification.

  • TLS encrypts communication between the sender and recipient. The idea is to ensure that no third party can read or modify the data being exchanged. Without encryption, a middleman could access the contents of emails, such as personally identifiable information, medical billing information and other sensitive data. This information would be available for the middleman to see in plaintext, that is, a human readable format:

Hello,

This is an email text message. We’re writing this email to let you know that our representative is available 9 to 5 Monday through Friday to assist you with any billing issues.

TLS makes information unreadable on its journey to the server, e.g.,

=…I…y….MS…TQ=F/a….A.I..~V.6b……00……i.i….$.e…a…%

….&.j.G%…..RGt..*O.)….=…!….ir….m…>….B.H_t.m,8….1c,….00

Z…7.%…y…<…6>

  • As mentioned earlier, the protocol offers identification between corresponding entities: one or both parties know who they are communicating with. After a secure connection is established, the server sends its TLS certificate to the client, who refers to a Certificate Authority (a trusted third party) to validate the server’s identity.

How different is TLS from SSL?

The two terms are often used interchangeably, although they are actually distinct. TLS is an updated and more secure version of SSL. TLS v1.1, v1.2 and v1.3 are significantly more secure than SSL and address vulnerabilities in SSL v3.0 and TLS v1.0. Fallback to SSL v3.0 is disabled by Microsoft, Mozilla and Google for their Internet Explorer, Firefox and Chrome browsers block the many vulnerabilities present in SSL, such as the POODLE man-in-the-middle attack. If you are configuring an email program, you can choose either TLS or SSL so long as it is supported by your server (because in this context the term “SSL” does not refer to the old SSL v3 protocol, exactly, but how the TLS protocol will be initiated).

What level of TLS security is needed for HIPAA compliance?

Health and Human Services specifies that SSL and TLS usage should adhere to the details described in the National Institute of Standards and Technology (NIST) 800-52 recommendations. Encryption processes weaker than those this publication recommends are non-compliant. The key points to note from the NIST documents are: (a) you must never use SSL v2 and v3 (b) when interoperability with non-government systems is needed, TLS v1.0+ may be considered Ok, and (c) only certain ciphers are acceptable to use. For more information, please refer to this article.

What doesn’t TLS secure?

A message sent using TLS is not entirely secure. The risk starts brewing when your messages start their journey back and forth from your email provider’s servers and your correspondents’ email servers. One risk is that your message could be send insecurely (via plain text) from your email provider to your recipient. Another is that your recipient may insecurely access your message at their email provider. A third risk stems from potential changes to your message at your provider, in transit or at your recipient’s provider, or anywhere else not protected by TLS or some other encryption technology.

For optimal email security, you need end-to-end email encryption.  S/MIME and PGP are the most secure protocols for authentication and privacy of messages over the internet.  PGP does assure Pretty Good Privacy. You have a pair of keys — private and public; the former decrypts messages, the later encrypts them.  Encrypted messages are safe as long as you keep your private key safe. Still, PGP (and S/MIME) are Pretty User-Unfriendly, as you have to use some technology and trade security keys ahead of time and everyone has to be configured and trained to use these technologies.  A reliable escrow system is another option.  Although in some ways it is not as secure as S/MIME and PGP can me, it does allow messages to be retracted after transmission.  For a better understanding of enhanced email security for HIPAA compliance, check out this article.

Want to discuss how LuxSci’s HIPAA-Compliant Email Solutions can help your organization?  Interested in more information about “smart hosting” your email from Microsoft to LuxSci for HIPAA compliance? Contact Us