SSL, TLS, and STARTTLS Explained in 5 Minutes

By Miguel Caldeira • July 10, 2020

SSL, TLS, STARTTLS - with so many email encryption acronyms, it's not hard to get confused. So let's explain these protocols and why they are so important.

SSL and TLS - what are they about?

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are the standard protocols for securing a connection between two computers over a network, and they are what protects email in transit. They encrypt the connection so that a third party who captures the traffic cannot read it, and, when the client validates the server's certificate, they also let the client confirm that it is talking to the intended server.

TLS is the term people most often run into when setting up an email program or app. TLS 1.0 was derived from SSL 3.0: SSL was Netscape's name for the protocol before it was standardised by the IETF in an RFC (Request For Comments; RFC 2246 defines TLS 1.0). All SSL versions (2.0 and 3.0) are now deprecated and should be disabled wherever they are still offered.

TLS is supported by every modern system that handles internet traffic. Transport Layer Security protects the connection between two mail systems without the operational overhead of encrypting each message individually (as S/MIME or PGP do), while still providing real security. Note the difference in scope, though: TLS protects each hop, and every server that handles the message decrypts it, whereas per-message encryption protects the content end to end. Transport encryption is the minimum requirement of email security best practice.

The first step in implementing TLS is to identify which email server is in use and whether it can enable TLS (most can). The second is to decide how strictly it is enforced. With plain opportunistic TLS, mail is encrypted only when both ends offer it, and most sending servers do not verify the receiving server's certificate, so an attacker on the path can strip the TLS offer or present a certificate of their own. As long as the destination has TLS enabled, emails are protected against passive eavesdropping; protection against those active attacks requires enforcing TLS and validating certificates.

STARTTLS

TLS itself sits below the application protocol: SMTP, IMAP and POP3 run on top of it, so the two sides have to agree on when the encrypted channel is set up. Either the connection is encrypted from the first byte on a dedicated port (implicit TLS, e.g. 465 for SMTP submission, 993 for IMAP, 995 for POP3), or it starts in plaintext and is upgraded. That's where STARTTLS kicks in.

Unlike SSL and TLS, STARTTLS is not a protocol at all: it is a command issued between an email program (or a sending mail server) and a receiving mail server.

STARTTLS is a channel security upgrade for safer delivery of a message. The server advertises the STARTTLS keyword in its reply to the client's EHLO (for SMTP; IMAP uses a STARTTLS command and POP3 uses STLS), and the client then issues STARTTLS to turn the existing plaintext connection into an encrypted one. Though it literally means 'Start TLS', the name does not tie it to one protocol version: what gets negotiated is whatever both sides support, which historically could be SSL as well. A correctly configured server today should only negotiate TLS 1.2 or 1.3. One caveat follows from the design: because the offer is made in plaintext, an attacker on the path can remove the STARTTLS line, and a client that merely prefers TLS (rather than requiring it) will carry on unencrypted.
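The exchange described above, as an added example that is not part of the original post or of any AnubisNetworks product: it parses a constructed SMTP EHLO reply for the STARTTLS capability and shows how the client's policy (opportunistic versus required) decides what happens when the keyword has been stripped. The host names and transcripts are made up; the `send_with_required_starttls` function uses only the Python standard library and is not executed here because it needs a network.

```python
"""Opportunistic STARTTLS: parse the EHLO reply and decide whether the
session may be upgraded.  The transcripts below are constructed for the
example, not captured from a real server."""
import re
import smtplib
import ssl

# Constructed EHLO reply from a server that supports the upgrade (RFC 3207:
# the STARTTLS keyword is advertised as an EHLO capability).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# The same server seen through an interposer that removed the keyword
# (a STARTTLS-stripping downgrade): everything looks normal except one line.
EHLO_STRIPPED = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)


def ehlo_capabilities(reply: str) -> set:
    """Return the upper-cased capability keywords of a multi-line EHLO reply.
    Lines look like '250-KEYWORD [params]'; a space instead of the hyphen
    marks the last line.  The first line carries the server's host name."""
    caps = set()
    for n, line in enumerate(reply.splitlines()):
        m = re.match(r"^250[ -](\S+)", line)
        if not m:
            raise ValueError(f"malformed EHLO line: {line!r}")
        if n == 0:
            continue  # greeting line, not a capability
        caps.add(m.group(1).upper())
    return caps


def starttls_decision(reply: str, require_tls: bool) -> str:
    """'upgrade' if STARTTLS is offered; otherwise 'plaintext' in opportunistic
    mode or 'abort' in required mode.  The policy flag is what separates a
    silent downgrade from a detectable delivery failure."""
    if "STARTTLS" in ehlo_capabilities(reply):
        return "upgrade"
    return "abort" if require_tls else "plaintext"


def send_with_required_starttls(host, port, sender, rcpt, body, timeout=10):
    """Standard-library version of the 'required' policy (hypothetical usage,
    not run here).  smtplib refuses the upgrade when the keyword is missing,
    and a default context (CERT_REQUIRED, check_hostname=True) makes the
    upgraded channel authenticated rather than merely encrypted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            raise RuntimeError("server did not offer STARTTLS; refusing plaintext")
        s.starttls(context=ctx)
        s.ehlo()  # capabilities must be re-read after the upgrade (RFC 3207)
        s.sendmail(sender, [rcpt], body)


if __name__ == "__main__":
    print(starttls_decision(EHLO_WITH_STARTTLS, require_tls=True))   # upgrade
    print(starttls_decision(EHLO_STRIPPED, require_tls=False))      # plaintext
    print(starttls_decision(EHLO_STRIPPED, require_tls=True))       # abort
```

The second EHLO after `starttls()` is not a formality: anything learned before the upgrade was received in plaintext and could have been altered, so RFC 3207 requires the client to discard it and ask again over the encrypted channel.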

How does TLS work?

The differences between SSL and TLS are mostly technical details of the handshake and the cipher suites. What matters in practice is that TLS is the maintained successor, with stronger algorithms and fixes for known weaknesses in SSL (the POODLE attack, for example, exploits SSL 3.0's CBC padding), which is why SSL 2.0 and 3.0 are deprecated. Which port is used is not a protocol difference: either protocol can run on any port; the port only decides whether the connection is encrypted from the start or upgraded with STARTTLS.

Both protocols use a combination of symmetric and asymmetric cryptography, as this provides a good compromise between performance and security when transmitting data. With symmetric cryptography, data is encrypted and decrypted with a secret key known to both sender and recipient. In contrast, asymmetric cryptography uses key pairs, a public key and a private key. Asymmetric cryptography is used during the handshake to authenticate the server and agree on a shared session key; the session's data is then encrypted with symmetric cryptography, which is far faster.

With TLS it is also desirable that a client connecting to a server is able to validate that the server's public key really belongs to that server. This is usually done with an X.509 digital certificate issued by a trusted third party known as a Certificate Authority (CA), which binds the public key to the server's name. Validation only helps if the client actually performs it: it must check that the certificate chains to a trusted CA, that it has not expired, and that the name in it matches the host the client intended to reach.

There are, however, liabilities, usually around the issuance of certificates: end-entity certificates can be incorrectly issued, or their private keys compromised, which is why revocation checking and pinning trust to a specific key or CA (the approach DANE takes) matter.

Why do you need TLS in your email security?

These days, data security is golden. The key to keeping your information safe is to secure it with the right tools, and these protocols are crucial to the security of your services and users. SSL/TLS not only protects user information by encrypting the connection; when certificates are validated, it also verifies that the client is connected to the right server. Anyone who intercepts an encrypted session is left with unusable ciphertext, because only the two endpoints hold the session keys. Keep in mind that this protection covers the connection, not the message: each mail server on the path decrypts the message, so it is readable on every server that handles it.

Systems such as our own request the newest versions of TLS (1.3 or 1.2) but automatically fall back to whatever version the server supports (even deprecated versions such as 1.0 and 1.1), or ultimately to no encryption at all, which is not desired. This opportunistic behaviour is what keeps mail flowing to poorly configured servers, but it also means an active attacker who blocks the handshake or strips the STARTTLS offer can force a plaintext session, and nobody will notice unless the fallback is logged and alerted on.
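What the "fall back to whatever the server has" configuration looks like in code, beside the hardened form that enforces TLS 1.2 or 1.3 and certificate validation, as an added example using only the Python standard library (not code from the original post or from any AnubisNetworks product). The `cafile` parameter and the `describe` helper are this example's own conventions.

```python
"""Two TLS client policies for a mail connection: the permissive one that
silently accepts old protocol versions and unverified certificates, and the
hardened one.  Standard library only; nothing here opens a connection."""
import ssl
from typing import Optional


def permissive_context() -> ssl.SSLContext:
    """The insecure fallback policy spelled out: no certificate check, no
    host-name check, and no floor on the protocol version beyond whatever
    the linked OpenSSL still permits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, or none, is accepted
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Require TLS 1.2 or newer and a certificate that chains to a trusted CA
    and names the host we asked for.  cafile=None uses the system trust
    store; pass a path to pin trust to a private CA instead."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context() already sets these; assert so a later edit
    # cannot quietly weaken them.
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


def allows_deprecated_tls(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate TLS 1.0 or 1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the security-relevant settings so they can be checked in a
    test or logged at start-up instead of being discovered in an incident."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "allows_deprecated": allows_deprecated_tls(ctx),
    }


if __name__ == "__main__":
    for name, ctx in (("permissive", permissive_context()),
                      ("hardened", hardened_context())):
        print(name, describe(ctx))
```

A sending system that wants to stay opportunistic for most destinations can still use the hardened context for domains where a published policy (MTA-STS or DANE) says TLS is required, and fall back to the permissive one only where no such policy exists, logging every fallback.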

The Future

MTA-STS and DANE are the evolving steps for email transport encryption: both let a receiving domain publish a policy that a sending server uses to require TLS and to authenticate the receiving server, closing the downgrade gap left by opportunistic TLS. Stay tuned :)) for upcoming posts on the matter.

Author: Miguel Caldeira

Miguel Caldeira is Head of Engineering at AnubisNetworks and holds a Master's degree in Electronics and Telecommunications Engineering. He started at GMV as a Software Engineer on aeronautics security projects. He then joined AnubisNetworks, and later Bitsight Technologies, before returning to Anubis to lead the development of its Email Security Solutions.
