The Ins and Outs of TLS Encryption

Featured article by LuxSci founder Erik Kangas

Transport Layer Security (TLS) is a protocol that offers a high level of security to help authenticate and encrypt information between a client and server for both inbound and outbound email (and website) traffic. Encryption protocols such as TLS help create secure connections for communications that must transfer across unsecured networks. Although there are others, SSL and TLS are two of the most popular security protocols of their kind.

Benefits and Limitations

TLS is a simple and seamless means by which to secure messages during transfer between sender and recipient. TLS is an inexpensive method of security that has experienced high adoption in recent years, and does not inhibit an email gateway’s capacity to protect against threats such as content violations, spam, or viruses. While TLS works with self-signed certifications (warning: these can leave traffic open to man-in-the-middle attacks), use of proper third-party signed certificates enable verification of a remote email gateway’s identity prior to data sharing. Use of TLS is possible without the need for dedicated TCP/IP ports as protocols such as SMTP, POP, and IMAP enable “upgrading” connections from insecure to secure once the client and server determine that a TLS-secured connection is possible.

TLS is the de facto standard for transport data encryption on the internet; however, it does have some limitations.

For example, TLS cannot establish the identity of the data sender unless “client side certificates” are used, nor does it encrypt data at rest. Only messages in transit are secured by TLS, and this use of only transport security is not a sufficient means of implementing security under certain regulations such as PCI compliance (sending and receiving credit card data). Email data is still at risk when downloaded, archived, or housed in inboxes and outboxes. Because the physical technology itself is often the most susceptible to theft, additional security measures must be implemented to guarantee comprehensive security.

As well, there are specific requirements for implementation when it comes to data that is protected under HIPAA regulations. For example, HIPAA compliance requirements insist on TLS v1.0 use over SSL v3.0 (and folks should be considering moving to TLS 1.2 soon as well). Although a TLS security version may be acceptable, the number of configurable nuances within each version is broad enough to require specific configurations to meet government guidelines for HIPAA security.

Outside of the hard and fast rules required under HIPAA and PCI compliance regulations, institutions and individuals bear the burden of deciding for themselves if TLS security is sufficient for their data protection needs.

Differences between SSL and TLS

SSL stands as the predecessor to TLS. Both can use similar ciphers and message digests, but newer versions of TLS establish communications with a higher level of security and include improved ciphers and message digests. This higher level of security is achieved by a better use of more secure ciphers, and an enhanced negotiation during the process of encrypting connections. If a server supports TLS, it should always be configured to use TLS encryption vs SSL v3.0, as SSL no longer provides an adequate level of security.

When to Use Each Protocol

The determination of which protocol to use is negotiated between the client and server, based on the available software installed and configured on each side of the communication. This explicitly mapped out process can be found in more detail in this handy infographic.

There are a multitude of ways to send protected email, all with varying levels of security. Transport Layer Security is one way that provides email transmission secure enough to comply with most regulations. It is one of the simplest and easiest methods by which to encrypt email transmissions, offering a high level of security without being difficult to use or implement. Although it cannot encrypt data at rest, TLS can safely encrypt email messages while still allowing a gateway to protect against unwanted threats. TLS enables automatic and seamless email encryption and is being enabled on most email servers. You should definitely configure your servers with TLS support, as lack of support will affect your server reputation in the future.

LuxSci founder Erik Kangas has an impressive mix of academic research and software architecture expertise, including: undergraduate degree from Case Western Reserve University in physics and mathematics, PhD from MIT in computational biophysics, senior software engineer at Akamai Technologies, and visiting professor in physics at MIT. Chief architect and developer at LuxSci since 1999, Erik focuses on elegant, efficient, and robust solutions for scalable email and web hosting services, with a primary focus on Internet security. Lecturing nationally and internationally, Erik also serves as technical advisor to Mediprocity, which specializes in mobile-centric, secure HIPAA-compliant messaging. When he takes a break from LuxSci, Erik can be found gleefully pursuing endurance sports, having completed a full Ironman triathlon and numerous marathons and half Ironman triathlons.