When it comes to email security, it is not enough to enforce protection only at the sender's and receiver's ends. Emails can be tampered with in transit: both the content and the headers of an email can be altered while it is being sent. Besides active tampering, attackers can also cause a lot of harm by simply eavesdropping on email communication and then injecting themselves into the conversation, leading to serious incidents of Business Email Compromise (BEC). This is where Transport Layer Security (TLS) comes into the picture.
What is Transport Layer Security?
TLS is a security protocol that protects the connection between an email sender's and receiver's mail servers. It evolved from its predecessor, Secure Sockets Layer (SSL).
TLS runs over designated ports. Ports 587, 2525, and 465 are the ones typically used by the Transport Layer Security protocol to establish encrypted email communication channels.
Which of these ports TLS uses depends on whether you are using the IMAP or POP3 email protocols. Your IT team can easily verify this for you.
A Brief on STARTTLS
Any discussion of TLS is incomplete without a mention of STARTTLS. It is a protocol command that signals to the mail server that the email client wants to upgrade the communication channel from an unprotected one to a secure one.
In other words, the job of the STARTTLS command is to convert an unsecured connection into a secured one using the TLS protocol.
To send mail securely through your mail servers using TLS, STARTTLS must be enabled on the server.
The Effectiveness of TLS
While Transport Layer Security is a highly effective means of email protection, it is not a complete solution that guarantees your security by itself. Before we move on to how TLS works, let us see what TLS can and cannot achieve.
TLS cannot handle:
- Phishing emails sent from lookalike domains (technically, TLS only confirms that the email was not tampered with in transit; by its design, TLS cannot tell whether the email was already malicious when it left the sender's domain).
- Malicious attachments or links in the email body.
- Social engineering emails designed to trick users into revealing sensitive information.
- Email domain spoofing attempts.
On the other hand, the TLS protocol can very effectively handle:
- Man-in-the-Middle (MitM) attacks.
- Email communication eavesdropping.
- Email forwarding while in transit.
How does the TLS Protocol work?
Now you know that Transport Layer Security is designed to handle very specific email vulnerability scenarios. Let us understand exactly how it works.
TLS uses asymmetric encryption (encryption and decryption via separate sets of keys) to keep emails secure while they are being delivered. Because the public and private keys are distinct, TLS can virtually guarantee that emails cannot be accessed before reaching the recipient's servers. This adds a layer of authentication to the email sending process.
Secure TLS connections are established through a defined sequence of steps, technically called the TLS handshake. Two parties are involved in this handshake. The handshake process begins as soon as an email is sent.
- The client and server both specify the version of TLS that will be used for the session.
- A cipher suite for the session's keys is agreed upon.
- A TLS certificate authenticates the identity of the server.
- Once the server is identified, session keys are generated, which encrypt the email.
Confirming whether you are using TLS
Recognizing the need for email encryption, a majority of emails (90% in fact) are now sent with the added security of TLS. However, it does no harm to actually check whether your email servers implement the TLS protocol.
Your IT administrator can do this easily. All they need to do is check the certificate store and verify that the certificate is installed and up to date.
For a single email, you can verify that TLS was applied by checking the email headers. Different email platforms offer different tools to view the email headers. Again, your IT team can help you with this. For common platforms:
Gmail: open the email in question and click the small arrow beside your name, underneath the sender's address.
Microsoft Outlook: open the email you want to verify, then go to File > Properties. This displays all email header information, including the TLS information if TLS was successfully applied.
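The header check above can also be automated. As an added example that is not part of the original article, the script below reads the Received: headers of a saved message and reports, hop by hop, whether the receiving server recorded a TLS-protected delivery; the marker formats it looks for are those written by Postfix, Exim and Google's mail servers, and the sample headers are constructed. A hop with no TLS marker is reported as not encrypted, because the header is the only record the receiving side left.

```python
import re
from email import message_from_string

# Markers that common MTAs (Postfix, Exim, Google) record when a hop used TLS.
TLS_HOP = re.compile(
    r"\bwith\s+(?:ESMTPSA?|SMTPS)\b"  # "with ESMTPS", "with esmtpsa", "with SMTPS"
    r"|using\s+TLSv?[\d.]+"           # Postfix: "(using TLSv1.3 with cipher ...)"
    r"|\(TLS\s*[\d.]+\)",             # Exim: "(TLS1.2)"
    re.IGNORECASE,
)
TLS_VERSION = re.compile(r"TLS\s*v?(1\.[0-3])", re.IGNORECASE)
TLS_CIPHER = re.compile(r"(?:cipher\s+|tls\s+)([A-Z0-9_-]{8,})")  # case-sensitive on purpose

def tls_per_hop(raw_message: str):
    """Return one dict per Received: header, newest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for received in msg.get_all("Received", []):
        text = " ".join(received.split())  # unfold continuation lines
        frm = re.search(r"\bfrom\s+(\S+)", text)
        by = re.search(r"\bby\s+(\S+)", text)
        ver = TLS_VERSION.search(text)
        cipher = TLS_CIPHER.search(text)
        hops.append({
            "from": frm.group(1) if frm else None,
            "by": by.group(1) if by else None,
            "tls": bool(TLS_HOP.search(text)),
            "version": ver.group(1) if ver else None,
            "cipher": cipher.group(1) if cipher else None,
        })
    return hops

def all_hops_encrypted(raw_message: str) -> bool:
    """True only if every recorded hop shows TLS; a hop with no marker counts as cleartext."""
    hops = tls_per_hop(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)

# Constructed sample: the server-to-server hop used TLS, the internal first hop did not.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby inbound.example.net (Postfix) with ESMTPS id 4ABCDE; Mon, 1 Jan 2024 10:00:02 +0000
Received: from workstation.lan (workstation.lan [10.0.0.5])
\tby mx.example.org (Postfix) with ESMTP id 9FEDCB; Mon, 1 Jan 2024 10:00:00 +0000
Subject: constructed test message
"""

if __name__ == "__main__":
    print(tls_per_hop(SAMPLE_MESSAGE), all_hops_encrypted(SAMPLE_MESSAGE))
```

To check a real message, save it with its full headers (for example via the Gmail or Outlook steps above) and pass the file's contents to tls_per_hop.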