08 Dec 2010

Understand Potential Security Gaps When Considering TLS Encryption

Many of RPost’s customers are turning to RPost’s email encryption service for end-to-end privacy, ease of use for both sender and recipient, and auditable proof of compliance with regulators’ rules. If you choose one of RPost’s services (or any secure email service) that relies on TLS encryption, we recommend you keep the following observation in mind.

BACKGROUND: With RPost service, the sender can opt to send encrypted messages using Message-Level Encryption, Transport Layer Encryption, or a combination of the two. As such, there are four scenarios for encrypted transmission. In all cases, the encrypted message is delivered directly to the recipient’s desktop; RPost never requires the recipient to visit a website to collect their email.

SENDER  ——— Path A ———>  SERVICE PROVIDER (RPOST)  ——— Path B ———>  RECIPIENT

RPost Services: Encrypted Data Flow

   Option                    Path A (sender to RPost)      Path B (RPost to recipient)
   1. Desktop-to-Desktop     Message-Level Encryption      Message-Level Encryption
   2. Desktop-to-Server      Message-Level Encryption      Transport Layer Encryption
   3. Server-to-Desktop      Transport Layer Encryption    Message-Level Encryption
   4. Server-to-Server       Transport Layer Encryption    Transport Layer Encryption

CONSIDERATION IF CHOOSING TRANSPORT LAYER ENCRYPTION FOR PATH B: In this scenario you are relying on TLS-encrypted delivery to the recipient’s mail server, which protects only that hop. If the end user then downloads email from that server using IMAP or POP, for example, you should make sure that the last step, from the recipient’s server to the recipient’s desktop, also travels over a secure channel: a VPN, SSL, or another method.

This is an important consideration, especially for the small-business user who retrieves mail from a hosted mailbox using Outlook’s standard POP/SMTP settings. For this reason, as John Oates-Larsen, CEO of Greendays Group, points out, Greendays believes its users should in most cases use options 1 or 3 above, so that the last-mile connection is guaranteed to be encrypted. Greendays Group offers RPost’s email encryption services to its customers.
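To make the last-mile gap concrete, here is a small Python model, added as an illustration and not code from RPost or Greendays, that checks the four options above against a recipient’s POP/IMAP client settings. The MailAccount fields, the port conventions (110/143 plain or STARTTLS, 995/993 implicit TLS) and the treatment of a VPN as an encrypted channel are assumptions of this example.

```python
import ssl
from dataclasses import dataclass
from typing import List

MESSAGE_LEVEL, TRANSPORT_LEVEL = "message-level", "transport-level"

# The four options from the table: option number -> (Path A, Path B).
OPTIONS = {
    1: (MESSAGE_LEVEL, MESSAGE_LEVEL),      # Desktop-to-Desktop
    2: (MESSAGE_LEVEL, TRANSPORT_LEVEL),    # Desktop-to-Server
    3: (TRANSPORT_LEVEL, MESSAGE_LEVEL),    # Server-to-Desktop
    4: (TRANSPORT_LEVEL, TRANSPORT_LEVEL),  # Server-to-Server
}


@dataclass(frozen=True)
class MailAccount:
    """Constructed model of a mail client's incoming-mail settings (assumption)."""
    protocol: str       # "pop3" or "imap"
    port: int           # 110/143 (plain or STARTTLS) or 995/993 (implicit TLS)
    security: str       # "none", "starttls" or "ssl"
    vpn: bool = False   # client reaches the server over a VPN


def last_mile_encrypted(acct: MailAccount) -> bool:
    """Is the recipient-server-to-desktop hop protected? TLS (implicit or
    STARTTLS) or a VPN covers it; plain POP/IMAP on 110/143 does not."""
    return acct.vpn or acct.security in ("starttls", "ssl")


def cleartext_hops(option: int, acct: MailAccount) -> List[str]:
    """Hops on which a network observer could read the message.

    Path A and Path B are encrypted under every option. The difference is what
    sits in the recipient's mailbox: with message-level encryption on Path B the
    stored item is still ciphertext, so retrieval is covered whatever the client
    does; with transport-level encryption on Path B only the hop to the server
    was protected, and the retrieval hop depends on the client's settings."""
    _, path_b = OPTIONS[option]
    if path_b == TRANSPORT_LEVEL and not last_mile_encrypted(acct):
        return [f"{acct.protocol} retrieval from recipient server to desktop"]
    return []


def safe_options(acct: MailAccount) -> List[int]:
    """Options that leave no cleartext hop for this recipient's client setup."""
    return [opt for opt in OPTIONS if not cleartext_hops(opt, acct)]


def verified_retrieval_context() -> ssl.SSLContext:
    """Context to hand to poplib.POP3_SSL / imaplib.IMAP4_SSL so the last mile
    is encrypted to a verified server, not just to whoever answered the port."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

For the plain-POP Outlook case the model reports options 1 and 3 as the only gap-free choices, which is the Greendays recommendation above; once the client moves to POP3S/IMAPS or a VPN, all four options are covered.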