TLS is Present, But Is It Working?

Dena Bauckman

Most email traffic is sent using Simple Mail Transfer Protocol (SMTP), an internet standard created before the start of cybercrime. Although SMTP is an incredibly efficient protocol for sending emails, it is also incredibly insecure. To understand just how insecure SMTP is, simply relate it to a postcard traveling through the mail that’s available for anyone to read.

Realizing that SMTP lacks security and considering how much sensitive information travels through email, many enterprises choose to add email encryption technology to their systems. Some email encryption solutions are complicated to implement and difficult to use, and all too often, organizations find that users bypass email encryption for the sake of speed and simplicity, undermining an organization’s security efforts.

To bridge the gap between security and ease of use, organizations increasingly rely on Transport Layer Security (TLS) to provide encryption that is transparent to users. TLS for email takes two forms: mandatory, where two organizations have agreed to enforce the use of TLS and bounce emails if TLS is not available; and opportunistic, where the sending system checks whether the receiving organization offers TLS but sends the message regardless, in the clear if TLS is not offered.

While TLS is a good step toward stronger cybersecurity, neither basic form of TLS offers organizations assurance of secure communication.

How Basic TLS Creates Security Gaps

Mandatory TLS is great when it is set up correctly, but it requires all parties to configure their email servers properly and manage them effectively over time. If the servers are not set up correctly or are not managed properly, critical business communication may be bounced. And if an email is going to multiple recipients, ensuring TLS is available for all recipients prior to sending can be a management nightmare.

Opportunistic TLS has the opposite problem. Emails containing sensitive data are sent regardless of whether TLS is available. Another security problem with opportunistic TLS is that it does not authenticate the other end: it does not verify that the connection has been completed with the intended recipient’s system rather than with a hacker’s. Hackers can perpetrate a man-in-the-middle (MITM) scheme and intercept sensitive data. Even worse, they can redirect your email traffic to their own servers. Opportunistic TLS provides none of the confidence and certainty that a cybersecurity strategy requires.

Obviously, TLS is an effective and important security measure when compared to alternatives. Yet it’s incomplete, and in order for TLS to provide the ironclad encryption that enterprises require, it must be combined with additional encryption capabilities.

Understanding Policy-Based TLS

ZixEncrypt offers superior, easy-to-use email encryption. It’s also unique in offering policy-based TLS, which eliminates the mandatory/opportunistic distinctions, allows organizations to define when the use of TLS is appropriate, and ensures TLS is not vulnerable to MITM attacks.

Policy-based TLS provides the benefit of opportunistic TLS to “try” for a TLS connection with the security of mandatory TLS. If TLS is not available, an alternative encryption method is used to ensure emails are not bounced. When both sender and recipient use TLS, for example, their communications are secure. And when TLS is not available, emails are directed through a secure web portal.
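The following is an added example, not code from Zix or this article, that makes the three modes described above concrete: a parser for the STARTTLS capability in an SMTP EHLO reply, a decision function mapping mandatory, opportunistic and policy-based TLS onto what happens to one message, and a live probe (using Python's standard smtplib/ssl) that checks whether a mail server you operate both advertises STARTTLS and presents a certificate that verifies. The host name mx.example.test and the EHLO reply are constructed placeholders.

```python
import smtplib
import ssl

# Constructed EHLO reply, in the form smtplib.SMTP.ehlo() returns it (bytes).
SAMPLE_EHLO = b"mail.example.test\nSIZE 52428800\nSTARTTLS\n8BITMIME"


def starttls_advertised(ehlo_msg: bytes) -> bool:
    """True if the EHLO capability list contains STARTTLS (case-insensitive)."""
    lines = ehlo_msg.decode("ascii", "replace").splitlines()
    return any(line.strip().upper() == "STARTTLS" for line in lines)


def decide(policy: str, offered: bool, cert_valid: bool) -> str:
    """Outcome for one message under the article's three TLS modes.

    offered    -- remote EHLO advertised STARTTLS
    cert_valid -- certificate chain and hostname verified
    """
    if policy == "mandatory":
        return "send-tls" if offered and cert_valid else "bounce"
    if policy == "opportunistic":
        # Classic opportunistic TLS neither verifies the certificate
        # nor refuses to fall back to clear text: the MITM gap.
        return "send-tls" if offered else "send-clear"
    if policy == "policy-based":
        # Try verified TLS; otherwise use the alternative channel, not a bounce.
        return "send-tls" if offered and cert_valid else "send-portal"
    raise ValueError(f"unknown policy: {policy}")


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0):
    """Live check against a server you operate; needs network access.

    Returns (starttls_offered, certificate_verified).
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        if code != 250 or not starttls_advertised(msg):
            return False, False
        try:
            smtp.starttls(context=ctx)
            return True, True
        except ssl.SSLError:
            # Handshake failed verification: TLS is "present" but not working.
            return True, False


if __name__ == "__main__":
    offered, verified = probe_starttls("mx.example.test")  # placeholder host
    for policy in ("mandatory", "opportunistic", "policy-based"):
        print(policy, "->", decide(policy, offered, verified))
```

Run it against your own MX: a result of (True, False) means the server advertises STARTTLS but its certificate does not verify, which an opportunistic sender would silently accept.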

Such flexibility transforms TLS into a precise and comprehensive security tool and allows organizations to leverage it for end-user transparency. Because TLS is defined as part of the encryption policies, administrators also get a consolidated view of all their encrypted email traffic. Best of all, the user’s email experience is simple and seamless while the message is secure.

TLS is a security asset when it’s implemented and administered correctly. Policy-based TLS ensures the security without the management burden. This gives organizations in highly regulated industries like healthcare the ability to rely on TLS to provide mandated protections to larger volumes of data.

Privacy and confidentiality of data are too important these days to be left to a trade-off in which convenience means emails may be sent in the clear and security means emails may bounce and interrupt business communication. At Zix, we make using TLS both easy and secure.

To learn more about TLS vulnerabilities, industry proposals to fix its flaws, and how Zix can help to enhance TLS and encrypted email, check out our whitepaper Emails in Silent Danger.