Zix Email Encryption Protects Against Faulty TLS Implementations



Zix Staff

A new study from researchers at the University of Michigan, Google and the University of Illinois Urbana-Champaign has confirmed what we at Zix have known for a long time: some ISPs create a situation where emails intended to be encrypted are actually sent across the network unencrypted, meaning that they can be intercepted and read by hackers.

The STARTTLS instruction is used by mail servers to initiate a TLS session, thereby ensuring that email is sent securely between them. Unfortunately, some ISPs have been choosing to remove the STARTTLS instruction from the connection, while others have been setting up encryption improperly, thus making it easy for hackers to defeat it. The study's researchers found that much of the growth in email encryption seen in the past year is due to the larger providers, such as Outlook and Yahoo Mail, recently adopting TLS. However, most of the smaller providers still lag behind in adopting properly configured and authenticated TLS encryption for email. Because the STARTTLS advertisement is exchanged in the clear before any encryption begins, it can be switched off by hackers who have network access, and the sending server then falls back to an unencrypted connection. These hackers can then use man-in-the-middle techniques to intercept and read the email traffic.
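The downgrade described above happens because a sending server that treats STARTTLS as optional simply continues in the clear when the keyword is absent from the EHLO reply. The following is an added example, not code from Zix or from the study: it parses two constructed EHLO replies (one advertising STARTTLS, one with that line removed as a middlebox would) and shows the fail-closed decision a sender should make when the keyword is missing. The server name, capability values and the `DeliveryDecision` type are assumptions chosen for the illustration.

```python
"""Fail-closed STARTTLS check over an SMTP EHLO reply.

Added example. Parses the capability lines a server returns after EHLO and
decides whether to proceed with TLS, fall back to an alternate secure
channel, or (only if explicitly allowed) continue in cleartext.
"""

from dataclasses import dataclass

# Constructed sample EHLO replies; the host names and values are made up.
EHLO_WITH_STARTTLS = (
    "250-mx.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 SMTPUTF8\r\n"
)

# The same reply as seen after a middlebox has dropped the STARTTLS line.
EHLO_STRIPPED = (
    "250-mx.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250 SMTPUTF8\r\n"
)


def parse_ehlo(response: str) -> set[str]:
    """Return the set of capability keywords advertised in an EHLO reply.

    The first line carries the server's domain and greeting, not a
    capability, so it is skipped. Every line must begin with code 250.
    """
    capabilities = set()
    lines = response.strip().split("\r\n")
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        body = line[4:]  # drop "250-" (continuation) or "250 " (last line)
        keyword = body.split(" ", 1)[0].upper()
        capabilities.add(keyword)
    return capabilities


@dataclass
class DeliveryDecision:
    transport: str  # "tls", "alternate" or "cleartext"
    reason: str


def decide_delivery(response: str, require_tls: bool = True) -> DeliveryDecision:
    """Choose a transport from the EHLO reply.

    With require_tls=True (the safe default) a missing STARTTLS keyword is
    treated as a possible downgrade and the message is routed to an
    alternate secure channel instead of being sent in the clear.
    """
    capabilities = parse_ehlo(response)
    if "STARTTLS" in capabilities:
        return DeliveryDecision("tls", "server advertised STARTTLS")
    if require_tls:
        return DeliveryDecision(
            "alternate", "STARTTLS not advertised; refusing cleartext delivery"
        )
    return DeliveryDecision("cleartext", "opportunistic mode; STARTTLS not advertised")


if __name__ == "__main__":
    for label, reply in (("intact", EHLO_WITH_STARTTLS), ("stripped", EHLO_STRIPPED)):
        decision = decide_delivery(reply)
        print(f"{label:8s} -> {decision.transport}: {decision.reason}")
```

The opportunistic branch (`require_tls=False`) is the behaviour the study criticises: it is exactly what lets a stripped reply turn into an unencrypted delivery. Note also that checking for the keyword only defends against stripping; the "improperly set up" case in the text (an unauthenticated or badly configured TLS endpoint) still needs certificate validation once the TLS handshake begins.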

Best Method of Delivery

Zix customers are protected from this risk. Firstly, Best Method of Delivery (BMOD) uses the resources of ZixDirectory to look up the details and receiving capabilities of almost 50 million email addresses and domains to determine the best way to deliver each email to every recipient. This means that not only is every email delivered securely, but also each is delivered in the way that is easiest for the recipient to access and read. Secondly, and most relevant to this blog, Zix has already blacklisted ISPs that cannot guarantee secure TLS delivery, and uses an alternative secure delivery method for emails routed to recipients served by those ISPs. The BMOD delivery method is illustrated in the figure.

The unique architecture of BMOD, combined with the community approach of ZixDirectory, enables Zix to deliver encrypted email in the most secure and easiest manner. To learn more about Best Method of Delivery, watch our short whiteboard session here.