Home Page

Firewalls

Email & Spam

Security Terminology

Security Topics

VPN & Cryptography

Wireless

 

Email Security and Spam Terminology

Zero Day Window

BATV

Bayesian Algorithm

Content and Connection control

Directory Harvesting Attacks

Email Encryption

Email Archiving

File attachments

Image scanning

Email Load balancing

Port forwarding and MX records

Reputation filters

Encrypted attachments

Grey Listing

Email Monitoring

Internal Email Security

Open Relay

Outbound email filtering

Per user quarantine area

Reverse DNS lookup & SPF

RFC Compliant emails

SMTP IMAP4 or POP3

Spoofed email

Stopping spam for Networks guide

Email Throttling

What is Spam

Which Spam filter

Whitelists and Blacklists

 

Security Products Guide

Which Anti-Virus Software?

Which Firewall?

Which Spam Filter?

Which Internet Security Suite?

 

What is Guide

What is a Firewall?

What is a Virus?

What is Spam?

 

Essential Security Guides

Securing Windows XP Guide

Securing Windows Vista Guide

A Guide to Wireless Security

 

Other

Top 8 Internet Security Tips

Why both, Firewall and Anti Virus?

Free or purchased security - Which one?

 

 

 

 

E-Mail Encryption

 

Email plays a massive part in today’s business. However email relies on an insecure transport protocol. The TLS (Transport Layer Protocol) can be used to resolve this problem, and provide some security and privacy for email messages.

We use TLS to protect web traffic as well as email, usually known in the form as SSL. The benefits from using TLS are, each email server authenticates to the other and reduces the chances of spoofing. Also the content of each email message is encrypted when in transit, and the encrypted conversation makes it difficult for an attacker to tamper with.

Many spam filter software products support e-mail encryption. This will ensure e-mails are in a none-readable format from sender to receiver. Usually banks and other data sensitive organisations would require the use of this feature within a spam filter. TLS and PGP are two common methods used to encrypt e-mails.

Transport Layer Security (TLS) is a cryptographic protocol which provides secure communication, preventing eavesdropping, tampering and message forgery. TLS with authentication requires a digitally signed certificate, signed by a certificate authority (CA). It provides endpoint authentication and communication privacy. Key benefits from TLS are;

TLS works from gateway to gateway. If there are hops between the protected gateways, then the protection is broken. For example two businesses that communicate frequently, then TLS is a good choice, assuming both gateways talk directly. If email from one company hops to another server before arriving at the other company, (usually a common scenario when using email protection in the cloud as a first layer of defence) then you would need to first secure your email using TLS from your gateway to the upstream host in the cloud, and then from the upstream to the other company. Your business partners would need to do the same if they are using a host in the cloud. A real world example of this is Message Labs, who provide a hosted spam and web security in the cloud.

Both gateways would need to support the use of TLS, inbound and outbound for full protection. The peer server can be identified by the domain name or IP address. Note, TLS supports authentication and encryption. However you would need to use a signed certificate for strong authentication. Without a signed certificate you would only be able to encrypt your email messages, there would be no authentication and non-repudiation.

Also to note your peers should use the same level security settings, so if you set your TLS with a 256 bit key then your peers will need to use 256 bit key or else the TLS will fail and NO email's will be exchanged.

However there is a less secure way around this, in opportunistic TLS. This feature looks to see if the peer uses TLS and if they don’t use TLS it will fallback to unencrypted email. However using this method your guaranteed you will not fall into TLS conversations problems, although it is less secure.

 

PGP (Pretty Good Privacy)

Pretty Good Privacy (PGP) also provides cryptographic privacy and authentication. PGP avoids centralised authorities, and implements direct trust with other hosts. A term used in this scenario is “Web of Trust”. If Host A trusts the certificate of Host B and Host B trusts the certificate of Host C, then in turn Host A would trust Host C and vice versa. Using this method would result in tighter security, but more work to do.

Further Reading

Wikipedia's guide to Email Encryption