What is TLS Encryption and How it Makes Your Email More Secure?
As interest in the more commercial and public use of the Internet started to grow in the 1980s and 1990s, it soon became apparent that it would be necessary to somehow secure communications between web applications and servers.
As such, many companies released their communication protocol standards, but the problem with those is that they were often incompatible with each other.
That is until Netscape came with its own Secure Sockets Layer (SSL) protocol in the mid-1990s.
The first version, SSL 1.0, was never even released publicly. The second, SSL 2.0, was released but suffered from serious vulnerabilities, so Netscape very soon released the third and final version of the SSL protocol, 3.0, in 1996.
Three years later, in 1999, the next version of the protocol, this time standardized by the Internet Engineering Task Force (IETF), was released, but under a new name.
From then on, the protocol would be known as Transport Layer Security or TLS.
What is TLS or SSL?
So, what is TLS and how is it different from SSL?
We can use these two terms interchangeably because TLS is essentially a continuation of the SSL protocol. TLS was originally intended to be named SSL 3.1, but the IETF wanted to make it clear that the protocol was no longer controlled by Netscape, hence the change of name.
The purpose of the protocol, however, remained the same: to provide data security and privacy for Internet communications. This includes communication between web applications such as web browsers and the servers they talk to, but also other traffic over the Internet like messaging, voice over IP (VoIP) and, what we are most interested in here, email.
How Does TLS Work?
TLS has three main components:
- Encryption;
- Authentication;
- Integrity.
Each TLS connection begins with a process called the TLS handshake, in which client and server agree on a cipher suite, a set of algorithms that determines how the session keys encrypting that communication session will be established. This is the encryption part of TLS.
Next comes the authentication part, in which the server has to prove its identity to the client using public-key cryptography. Only the holder of the private key can produce a valid signature with it, but anyone holding the matching public key can verify that signature and so confirm that the server is who it claims to be.
Finally, once encryption is set up and the server is authenticated, each piece of data is protected with a message authentication code, or MAC, which the recipient verifies. This ensures the integrity of the data: the recipient knows that no one tampered with it in transit.
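The integrity component is the easiest of the three to show in a few lines. The following is an added example, not code from the original article, that reproduces the TLS 1.2 record MAC construction (RFC 5246, section 6.2.3.1) with Python's standard library: the HMAC covers the record sequence number, content type, version and length as well as the payload, which is why a replayed or reordered record fails verification even if its bytes are untouched. The MAC key is a constructed sample value standing in for the key a real handshake would derive; encryption of the record is left out, since only the integrity check is demonstrated.

```python
import hashlib
import hmac
import struct

# Constructed sample key; a real TLS handshake derives this from the
# negotiated master secret rather than hard-coding it.
MAC_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# TLS 1.2 record-layer constants used in the MAC input.
CONTENT_TYPE_APPLICATION_DATA = 23
TLS_1_2_VERSION = b"\x03\x03"
TAG_LEN = hashlib.sha256().digest_size


def tls_mac(key: bytes, seq_num: int, content_type: int, fragment: bytes) -> bytes:
    """HMAC-SHA256 over seq_num || type || version || length || fragment.

    Binding the 64-bit sequence number into the MAC is what lets the
    receiver reject replayed or reordered records.
    """
    header = (
        struct.pack("!QB", seq_num, content_type)
        + TLS_1_2_VERSION
        + struct.pack("!H", len(fragment))
    )
    return hmac.new(key, header + fragment, hashlib.sha256).digest()


def protect(key: bytes, seq_num: int, fragment: bytes) -> bytes:
    """Sender side: append the MAC tag to the plaintext fragment."""
    return fragment + tls_mac(key, seq_num, CONTENT_TYPE_APPLICATION_DATA, fragment)


def verify(key: bytes, seq_num: int, record: bytes):
    """Receiver side: split off the tag and check it in constant time.

    Returns the fragment on success and None on any failure, so the
    caller cannot accidentally use unauthenticated data.
    """
    if len(record) < TAG_LEN:
        return None
    fragment, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = tls_mac(key, seq_num, CONTENT_TYPE_APPLICATION_DATA, fragment)
    # compare_digest avoids leaking where the first mismatching byte is.
    if not hmac.compare_digest(tag, expected):
        return None
    return fragment


def demo() -> dict:
    """Exercise the three cases a receiver must distinguish."""
    record = protect(MAC_KEY, 0, b"hello, mail server")

    tampered = bytearray(record)
    tampered[0] ^= 0x01  # flip one bit of the payload

    return {
        "authentic": verify(MAC_KEY, 0, record),
        "tampered": verify(MAC_KEY, 0, bytes(tampered)),
        # same record presented again with the next sequence number
        "replayed": verify(MAC_KEY, 1, record),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>9}: {'accepted' if result is not None else 'rejected'}")
```

Only the authentic record is accepted; the tampered copy fails the tag comparison and the replayed copy fails because the sequence number the receiver expects no longer matches the one that was MACed. Modern TLS 1.3 suites use AEAD ciphers, which fold this integrity check into the encryption step, but the property being checked is the same.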
What is a TLS/SSL Certificate?
To initiate a secure connection, the client needs a public cryptographic key. However, these don’t just grow on trees so to speak.
Instead, they are provided by TLS or SSL certificates.
TLS or SSL certificates are issued by Certificate Authorities or CAs.
Let’s say your organization wants to encrypt its data using TLS. To do that you will first need to purchase a certificate from a CA.
However, before it issues you a certificate, the CA will first need to verify that your organization is who it claims to be and that you control the domain in question.
For instance, if you own a website called mywebsite.com, and you wanted a TLS certificate to secure it, the Certificate Authority will first need to verify that you indeed own and control it and not someone else.
This is done to prove that you’re the legitimate owner and to prevent man-in-the-middle attacks.
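The CA's domain check only pays off if the client later refuses a certificate issued for some other name, which is what actually blocks a man-in-the-middle who presents a valid certificate for the wrong site. Python's `ssl` module performs this check for you when `check_hostname` is enabled (the default of `ssl.create_default_context()`); the following is an added example, not code from the article, that spells out the name-matching rule in the RFC 6125 style that such clients apply, using the `subjectAltName` layout returned by `ssl.SSLSocket.getpeercert()`. The certificate dictionary is a constructed sample for `mywebsite.com`, and partial wildcards such as `w*.mywebsite.com` are deliberately not accepted.

```python
from typing import Iterable


def hostname_matches(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """Return True if `hostname` is covered by one of the certificate's DNS names.

    Rules applied (the common subset of RFC 6125 that browsers and OpenSSL
    enforce): comparison is case-insensitive, a trailing dot is ignored,
    a wildcard must be the entire leftmost label, it matches exactly one
    label, and a wildcard name needs at least three labels so that
    "*.com" can never match everything under a top-level domain.
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels):
            continue  # a wildcard never spans more than one label
        if labels[1:] != host_labels[1:]:
            continue  # everything right of the first label must be identical
        first = labels[0]
        if first == host_labels[0]:
            return True
        if first == "*" and len(labels) >= 3:
            return True
    return False


def certificate_matches(cert: dict, hostname: str) -> bool:
    """Check a getpeercert()-style dict against the hostname the client dialed.

    Only subjectAltName DNS entries are consulted; the Common Name in the
    subject is ignored, as current clients do.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    return hostname_matches(hostname, dns_names)


# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "mywebsite.com"),),),
    "subjectAltName": (("DNS", "mywebsite.com"), ("DNS", "*.mywebsite.com")),
}


if __name__ == "__main__":
    for host in ["mywebsite.com", "www.mywebsite.com", "MAIL.MYWEBSITE.COM",
                 "a.b.mywebsite.com", "evil-mywebsite.com", "othersite.com"]:
        verdict = "accept" if certificate_matches(SAMPLE_CERT, host) else "reject"
        print(f"{host:>22}: {verdict}")
```

With this certificate `mywebsite.com` and any single-label subdomain are accepted, while `a.b.mywebsite.com` (two labels under the wildcard) and unrelated names are rejected. In production code the point is not to reimplement this but to leave `check_hostname` switched on; the function above shows what that flag is deciding.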
There are several SSL authorities out there. Some are more legit, some less. We’ll go over a few of the legitimate ones here:
- Comodo SSL
Quite possibly the most popular SSL certificate, Comodo SSL offers several types of certificates at affordable prices and a good 24/7 customer support, however, the validation can take a while.
- GlobalSign
Next up is GlobalSign, which takes a slightly different approach to Comodo SSL as it is more oriented toward enterprises, meaning that it is not as cheap. However, the scalable and flexible solutions more than compensate for that.
- GoDaddy
GoDaddy is much better known as a web hosting provider, but it dabbles in other areas as well such as SSL certificates. Are they good at it though? Yes, GoDaddy spared no effort on security and the pricing is quite affordable. The biggest issue seems to be that, while the initial installation is very cheap, the renewals tend to be more expensive.
- RapidSSL
RapidSSL is a CA owned by GeoTrust (more on them later), which focuses on the small businesses looking for a low-cost, simple SSL certificate, but backed by strong infrastructure. What’s also impressive about RapidSSL is that all installation tools are included in the package.
- GeoTrust
Speaking of GeoTrust, this is a more enterprise-oriented CA. As such, if you’re looking for a single site certificate, GeoTrust is probably not the best choice, but if you need an EV or OV level product, GeoTrust is worth trying.
- Let’s Encrypt
Let’s Encrypt is a non-profit TLS certificate authority that provides certificates to 225+ million websites. As of February this year, Let’s Encrypt has issued one billion certificates. Let’s Encrypt is run by the Internet Security Research Group and was launched in 2016.
TLS Email Encryption
TLS is the standard email encryption protocol and is used, for instance, by Gmail. It protects email messages “in transit”, ensuring their integrity between the client and the server.
In other words, if both sides have TLS, it becomes very difficult for a third party to eavesdrop on their communication.
The problem, however, is that it doesn’t help if the other side is not using TLS. In that case, the communication between sender and recipient will be neither encrypted nor secure.
TLS only protects email data in transit. Once messages reach the recipient and are “at rest”, they are no longer protected by TLS encryption and are vulnerable to hackers.
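The "other side is not using TLS" problem is concrete on the first hop: SMTP upgrades to TLS through the STARTTLS extension, and a client library like Python's `smtplib` will happily keep talking in the clear if nobody asks for the upgrade. The following is an added example, not code from the article or from CTemplar, of a sending client that treats a missing STARTTLS as an error rather than silently falling back to plaintext. The SMTP host, port and addresses are placeholders the caller supplies; `ssl.create_default_context()` is used so that the server's certificate is validated and its name checked against `host`.

```python
import smtplib
import ssl
from email.message import EmailMessage


class PlaintextSmtpRefused(Exception):
    """Raised when the server offers no STARTTLS; we never send in the clear."""


def require_starttls(smtp, context) -> bool:
    """Upgrade an smtplib.SMTP session to TLS or refuse to continue.

    `smtp` is an open smtplib.SMTP connection (or an object with the same
    ehlo/has_extn/starttls interface). smtplib never upgrades on its own,
    so a caller that forgets starttls() sends the whole message unencrypted.
    """
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        raise PlaintextSmtpRefused(
            "server does not advertise STARTTLS; refusing to send unencrypted"
        )
    # The context carries CERT_REQUIRED and check_hostname=True, so a bad or
    # mismatched certificate raises ssl.SSLError here instead of being ignored.
    smtp.starttls(context=context)
    smtp.ehlo()  # re-identify on the encrypted channel; the extension list may differ
    return True


def send_mail_mandatory_tls(host: str, port: int, sender: str,
                            recipient: str, subject: str, body: str) -> None:
    """Send one message, but only over a verified TLS connection.

    Assumed placeholder arguments: e.g. host="smtp.mywebsite.com", port=587.
    """
    context = ssl.create_default_context()

    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)

    with smtplib.SMTP(host, port, timeout=10) as smtp:
        require_starttls(smtp, context)
        smtp.send_message(msg)


if __name__ == "__main__":
    # Placeholder endpoint; replace with your own submission server.
    send_mail_mandatory_tls(
        host="smtp.mywebsite.com", port=587,
        sender="alice@mywebsite.com", recipient="bob@example.net",
        subject="TLS test", body="Sent only because STARTTLS was available.",
    )
```

Note what this does and does not buy you: it guarantees the hop from your client to your submission server is encrypted and authenticated, but the later hops between mail servers negotiate TLS on their own and, as the article says, nothing here protects the message once it is at rest in the recipient's mailbox.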
Because of this, while we at CTemplar believe that some encryption is better than no encryption, a much safer solution is PGP or OpenPGP encryption. We are using 4096-bit encryption to protect your email messages, attachments, contacts, content and subjects both in transit and at rest, and we also have Zero-Knowledge Password protection that ensures that only you and no one else knows your password.