Kudos to Google for alerting Gmail users when they are about to send or receive mail that is not protected by Transport Layer Security (TLS). It’s certainly a step in the right direction, but it promotes the idea that TLS equals encryption.
If you’ve ever ordered a product or service online and had to give your credit card number or other sensitive information, odds are you did so through a secure server. That connection most likely relied on Secure Sockets Layer (SSL) protocols to encrypt your information from the moment it left your side of the connection until it reached the company’s server. A hacker who intercepted that message somewhere in between would find it nearly impossible to decode.
Transport Layer Security (TLS), the successor to SSL, is increasingly used to secure email in transit, and many predict it will become the standard for insurance companies, lawyers, accountants, doctors and others who send and receive sensitive data from their clients. However, there are weaknesses in how TLS protects email that users, especially industry groups, should understand before adopting it for compliance reasons alone.
The issue with TLS isn’t so much the level of security it offers, but where that security ends. TLS is a server-to-server protocol that encrypts messages only while they are in transit between mail servers. As an analogy, think of it as having a valuable package delivered in an armored car. However, that car stops at the end of your driveway, leaves the package and drives away. Likewise, with TLS, your email is protected right up until it reaches the receiving server. At that point it sits unencrypted, and anyone with access to that server or mailbox can read it.
In other words, someone who hacks your mailbox would be able to see and read the unencrypted message, even though one who intercepts it between servers cannot.
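As an added example (not code from AppRiver or this post), the Python below walks the Received headers of a constructed message to show which hops crossed the network over TLS and which did not, then reads what the mailbox actually holds after delivery. The hostnames, addresses and queue ids are made up, and the TLS markers it looks for ("with ESMTPS" and "version=TLS...") are the conventions common MTAs such as Postfix and Sendmail use in their Received headers.

```python
import email
import re
from email import policy

# Constructed sample message (hostnames, addresses and queue ids are made up).
# Each server prepends its own Received header, so the newest hop is on top.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.20])
    by mailstore.example.net (Postfix) with ESMTP id 4Bq7Xk
    for <doctor@example.net>; Tue, 02 Feb 2016 10:00:05 +0000
Received: from smtp.example.com (smtp.example.com [192.0.2.10])
    by mx.example.net (Postfix) with ESMTPS id 3Aq6Wj
    (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256/256);
    Tue, 02 Feb 2016 10:00:04 +0000
Received: from [198.51.100.7] (client.example.com [198.51.100.7])
    by smtp.example.com (Postfix) with ESMTP id 2Zp5Vi
    for <doctor@example.net>; Tue, 02 Feb 2016 10:00:03 +0000
From: patient@example.com
To: doctor@example.net
Subject: Lab results
Content-Type: text/plain

Patient ID 12345, test result: positive
"""

# "with ESMTPS"/"ESMTPSA" or "version=TLS..." in a Received header: that hop ran over TLS.
TLS_MARKER = re.compile(r"\bwith\s+ESMTPSA?\b|\bversion=TLS", re.IGNORECASE)
HOP = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)")

def transit_hops(raw_message):
    """Return (from_host, by_host, tls_used) for each hop, oldest hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(str(header).split())  # unfold continuation lines
        match = HOP.search(text)
        if match:
            hops.append((match.group(1), match.group(2), bool(TLS_MARKER.search(text))))
    return hops

def unprotected_hops(raw_message):
    """Hops that crossed the network in cleartext: the gaps the armored car never covered."""
    return [(src, dst) for src, dst, tls in transit_hops(raw_message) if not tls]

def stored_body(raw_message):
    """What the mailbox holds after delivery: TLS leaves nothing encrypted at rest."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return msg.get_content().strip()
```

Even on the hop that did use TLS, nothing in the stored message remains encrypted, which is the gap the article describes.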
With TLS, your email is only as secure as your server. For some companies, that might not be a huge problem, but for small companies — think doctors’ offices, insurance agencies, individual lawyers and accountants — it could be a huge issue. This is especially true if TLS becomes the standard and these companies are led to believe that’s all they need to have a secure email system.
Make no mistake, TLS is a step in the right direction. It’s always better to have some security than none. However, if your company deals with sensitive information, CipherPost from AppRiver might be a better, more reliable way to protect your customers. CipherPost protects data from user to user rather than server to server.
Based on the analogy above, CipherPost offers the same kind of “armored car” protection in transit. But with CipherPost, it’s like having an armed guard come knock on your door, check your ID and place the package in your hands.
The practical effect is that someone who hacks your server will find the information as useless as the one who steals your data en route.
Do you need this level of protection? That all depends on how valuable your clients’ information is to someone who fraudulently receives it — or, more to the point, how valuable your customers are to you.
Hopefully industry organizations will consider the effectiveness of TLS vs. that of services like CipherPost before adopting new secure email standards.