It recently came to my attention that some in the financial services industry believe that the TLS transmission of e-mail from one service provider to another is imposing “extra security measures” to protect a customer’s financial information. I wanted to take a moment to reflect on this and provide a small blog post to those concerned about protecting critical information to them – be it personal or commercial financial information, passwords, or intellectual property being sent via e-mail.
Obviously, there is some information that should never be transmitted via email. We highly recommend the use of internal, secure file sharing platforms in-house to protect intellectual property.
To burst the security bubble for most e-mail users out there that believed in some way their e-mail was “secure” even at rest-
Email is only TLS encrypted in transmission from one service provider to another. In fact, TLS transmission of e-mail is pretty standard practice in the hosting industry. However, it’s a practice which is pretty irrelevant in most cases unless an attacker is sitting between the two service providers watching for the transmission (“Man in the Middle Attacks”).
Your e-mail messages are still stored unencrypted at-rest on both service providers, and your local computer. This means that if either hosting provider is compromised (internally or externally), or your computer falls into unwanted hands, the e-mail is sitting there in plain-text for anyone to read. That is, unless you’re utilizing your own Encryption mechanism (what we in the industry call “host-proof hosting”).
Well, that’s great, so how do I get this so-called “host-proof hosting” for e-mail?
If security is a concern in transmission and at-rest for your e-mail data, I highly recommend utilizing S/MIME Encryption (essentially, the SSL protocol for E-mail – the same level of security you’d expect when visiting a site with https://). The difference is that the SSL encryption/decryption is occurring on the client machines instead of the server (when sent and received . It’s also possible to use another encryption technology called GPG. But for most end-users, the setup for GPG is too complicated and there’s not wide enough adoption.
When using S/MIME signatures and encryption between two parties – you’ll get peace of mind because of the following:
1) You know the person that sent you the message is who they claim they are. This is verified by an accredited Certificate Authority with different levels of verification (either by just their email address at the most basic level, by their name (Personal documents are required), or by Organization (Business documents are required)).
2) If the message is sent as S/MIME Encrypted, it’s fully encrypted at rest on the server(s) the message resides on. So even if an attacker were to gain access to your e-mail message, they would need the private key (which resides on your computer) in order to decrypt the message.
With all of that said, I would highly recommend that everyone gets an S/MIME certificate through Comodo, or GlobalSign, which are all universally supported S/MIME certificate providers. But getting a certificate for yourself doesn’t mean messages are encrypted, both the sending and receiving side need a certificate installed before you can start sending encrypted messages to each other. This is why some CA’s such as Comodo even offers these certificates free of charge for individuals! Tell your friends. 🙂
Some reference sites to get Email Signing Certificates:
Comodo Free E-mail Certificate
GlobalSign Personal Sign
Enjoy!
Team Sliqua