Email plays a massive part in today’s business. However email relies on an insecure transport protocol. The TLS (Transport Layer Protocol) can be used to resolve this problem, and provide some security and privacy for email messages.
We use TLS to protect web traffic as well as email, usually known in the form as SSL. The benefits from using TLS are, each email server authenticates to the other and reduces the chances of spoofing. Also the content of each email message is encrypted when in transit, and the encrypted conversation makes it difficult for an attacker to tamper with.
Many spam filter software products support e-mail encryption. This will ensure e-mails are in a none-readable format from sender to receiver. Usually banks and other data sensitive organisations would require the use of this feature within a spam filter. TLS and PGP are two common methods used to encrypt e-mails.
Transport Layer Security (TLS) is a cryptographic protocol which provides secure communication, preventing eavesdropping, tampering and message forgery. TLS with authentication requires a digitally signed certificate, signed by a certificate authority (CA). It provides endpoint authentication and communication privacy. Key benefits from TLS are;
- Strong authentication – Ensuring servers, spam filter products are trusted.
- Message Privacy – Ensuring the e-mail message itself is encrypted (None-readable) while in transit from one end to the other.
- Integrity – Ensuring the e-mail has not been tampered with and changed.
TLS works from gateway to gateway. If there are hops between the protected gateways, then the protection is broken. For example two businesses that communicate frequently, then TLS is a good choice, assuming both gateways talk directly. If email from one company hops to another server before arriving at the other company, (usually a common scenario when using email protection in the cloud as a first layer of defence) then you would need to first secure your email using TLS from your gateway to the upstream host in the cloud, and then from the upstream to the other company. Your business partners would need to do the same if they are using a host in the cloud. A real world example of this is Message Labs, who provide a hosted spam and web security in the cloud.
Both gateways would need to support the use of TLS, inbound and outbound for full protection. The peer server can be identified by the domain name or IP address. Note, TLS supports authentication and encryption. However you would need to use a signed certificate for strong authentication. Without a signed certificate you would only be able to encrypt your email messages, there would be no authentication and non-repudiation.
Also to note your peers should use the same level security settings, so if you set your TLS with a 256 bit key then your peers will need to use 256 bit key or else the TLS will fail and NO email's will be exchanged.
However there is a less secure way around this, in opportunistic TLS. This feature looks to see if the peer uses TLS and if they don’t use TLS it will fallback to unencrypted email. However using this method your guaranteed you will not fall into TLS conversations problems, although it is less secure.
PGP (Pretty Good Privacy)
Pretty Good Privacy (PGP) also provides cryptographic privacy and authentication. PGP avoids centralised authorities, and implements direct trust with other hosts. A term used in this scenario is “Web of Trust”. If Host A trusts the certificate of Host B and Host B trusts the certificate of Host C, then in turn Host A would trust Host C and vice versa. Using this method would result in tighter security, but more work to do.
Wikipedia's guide to Email Encryption