People send billions of emails each day, but is email technology really safe? Well, it generally is, but things may substantially differ for various systems, applications and usage scenarios. To be sure yours is OK and know what to keep an eye on to stay safe, you’ll need to understand the basics of secure email transmission.
Mail servers communicate in plain text using the Simple Mail Transfer Protocol (SMTP), so to keep the exchange hidden from malicious onlookers, the entire communication session must be encrypted. Encryption is powered by cryptographic protocols. This article will explain what these protocols entail and the differences between them.
Why Do We Need Encryption?
Emails often contain sensitive information that senders don’t want leaked, e.g., passwords, bank details, social security numbers, etc. Encryption prevents any unauthorized parties from accessing your sensitive information and potentially causing harm.
However, the SMTP protocol by itself is not encrypted at all, which makes it open to anyone capable of intercepting the network traffic. To eliminate this problem, the data must be encrypted at all stages of mail exchange.
What Are TLS, SSL, and StartTLS?
Two main protocols are used to secure email communication.
- SSL (Secure Sockets Layer) was introduced to the public in 1995.
- TLS (Transport Layer Security), an advanced descendant of SSL, has been in use since 1999.
StartTLS is an SMTP protocol command ordering mail servers to change from an unencrypted connection to a secure one, just as the name “Start TLS” suggests.
TLS/SSL
TLS/SSL encrypts an application’s internet traffic to prevent unauthorized parties from snooping in. Without it, your activity will be accessible by anyone with enough resources to look for it. But with a secure connection, any intercepted email traffic is practically useless because the content is encrypted on your side and can only be decrypted by the recipient.
TLS is just an upgraded version of SSL. It fixed some vulnerabilities in the earlier Secure Sockets Layer protocols, which made it more secure. Every version of SSL has been deprecated in favor of TLS. Yet many people still use the term “SSL” because it’s more common and has stuck in the general public’s minds.
TLS/SSL works by initiating a connection (handshake) with your mail server. The handshake is essentially an agreement between the two parties about the details of their connection, such as the encryption algorithm and cryptographic keys to be used.
After the handshake goes through, the mail server provides a digital certificate and public encryption key to the client (the calling party). The client verifies the certificate and creates a shared secret key (SSK) for the current session. Without the key, the recipient won’t be able to decipher the incoming traffic.
StartTLS
A prominent feature of many internet technologies, including email, is the ability to support older systems. Backward compatibility may be the only practical reason to allow unencrypted connections. But as soon as such a connection is established, both parties would negotiate the possibility of switching to a secure one. This is where StartTLS comes to the rescue.
Here’s how StartTLS works as part of the SMTP protocol:
- A handshake takes place as the server and client establish an insecure connection.
- Early into the session, while nothing sensitive has been transmitted yet, the client issues a 250-STARTTLS command to the server, requesting to know whether it will accept a secure connection.
- The server responds with a go-ahead, informing the client that it will accept a TLS connection.
- The client immediately restarts the connection. After restarting, it becomes an encrypted connection protected by the TLS protocol.
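The exchange above, as an added example that is not part of the original article: on the wire, the server lists STARTTLS among the extensions in its reply to EHLO (the `250-STARTTLS` line), the client sends `STARTTLS`, and the go-ahead is a 220 reply. The host name, function names and sample replies are constructed for illustration; a client that requires encryption stops when the upgrade is not available instead of continuing in plain text.

```python
# Added example: constructed SMTP replies; names and host are assumptions.
EHLO_WITH_TLS = ("250-mail.example.test Hello\r\n250-SIZE 10485760\r\n"
                 "250-STARTTLS\r\n250 8BITMIME\r\n")
EHLO_NO_TLS = "250-mail.example.test Hello\r\n250-SIZE 10485760\r\n250 8BITMIME\r\n"
READY = "220 2.0.0 Ready to start TLS\r\n"
REFUSED = "454 4.7.0 TLS not available\r\n"


def parse_reply(raw):
    """Parse a possibly multi-line SMTP reply into (code, [text per line])."""
    lines = [l for l in raw.split("\r\n") if l]
    if not lines:
        raise ValueError("empty reply")
    code, texts = lines[0][:3], []
    for i, line in enumerate(lines):
        last = i == len(lines) - 1
        sep = line[3:4]
        # Each line: same 3-digit code, then '-' (more lines follow) or ' ' (last).
        sep_ok = sep in ("", " ") if last else sep == "-"
        if len(code) != 3 or not code.isdigit() or line[:3] != code or not sep_ok:
            raise ValueError(f"malformed reply line: {line!r}")
        texts.append(line[4:])
    return int(code), texts


def client_next_step(ehlo_reply, starttls_reply=None, require_tls=True):
    """Decide what the client does next, given the server replies seen so far."""
    fallback = "abort: no TLS" if require_tls else "continue in plain text"
    code, texts = parse_reply(ehlo_reply)
    if code != 250:
        return "abort: EHLO rejected"
    # First line is the server greeting; the remaining lines are extension keywords.
    extensions = {t.split()[0].upper() for t in texts[1:] if t.strip()}
    if "STARTTLS" not in extensions:
        return fallback
    if starttls_reply is None:
        return "send STARTTLS"
    code, _ = parse_reply(starttls_reply)
    if code == 220:
        # After the handshake the client starts over with EHLO inside TLS.
        return "begin TLS handshake, then send EHLO again"
    return fallback


if __name__ == "__main__":
    print(client_next_step(EHLO_WITH_TLS))
    print(client_next_step(EHLO_WITH_TLS, READY))
    print(client_next_step(EHLO_NO_TLS))
```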
Conclusion
With the information above, you now understand the most basic concepts related to email security. TLS and SSL are security protocols used by mail servers for data transmission, and StartTLS is an SMTP command informing servers to switch from an insecure connection to a secure one.