We use email every day without giving much of a thought to how secure it is. Here’s the bad news: most email systems are terrible when it comes to hiding sensitive information. And here’s the good news: it’s possible to make your email much more secure by encrypting it.
How is that done?
Well, the easiest way of encrypting email, and the method that has become standard, is TLS, which stands for “Transport Layer Security.” TLS is a cryptographic protocol that encrypts data while it is in transit over the internet. This ensures that the data you exchange with the web cannot be read by hackers or surveillance agencies as it travels, whether this data is in an email or any other form.
In this blog, we’ll take a look at email encryption, the various methods that have been used for it, and then at the method that we use at Zoho Mail: TLS.
Let’s start with a basic definition: what is email encryption?
Encryption is a method for encoding information so that it cannot be read by hackers (or anyone else). It is important when you send sensitive information like your banking details, login credentials, and social security numbers. But it’s also important even when your emails don’t contain obviously sensitive data: if a hacker can read your emails, they can start building a profile on you that can be used for future attacks.
Email is a particularly vulnerable medium for attacks, especially when you send emails over public WiFi networks. This is because emails can be intercepted at three main points: when you send them, when your email provider is delivering them, and when they are being stored on a server.
A personal email certificate is one method for encrypting emails. This process digitally signs your messages, which allows a recipient to check that the email actually came from you. Emails that are sent from a spoofed account will not have the right signature, making it easy to detect them.
Almost all practical methods of email encryption rely on the Public Key Infrastructure (PKI) system. In most types of encryption, those sending emails will make use of a public key to encode their messages, and these can then be decrypted using the recipient’s private key. In the PKI model, anyone can use a public key to encrypt email, but each encrypted message can only be decrypted by a unique private key.
The best practice for most users is to encrypt all of their emails as a matter of course. If you encrypt only the email messages that contain sensitive information, this raises a flag to hackers. It can highlight the messages that are most likely to contain valuable, sensitive information – the very information you’re trying to prevent outsiders from gaining access to in the first place.
Instead, it’s best to encrypt everything. Decrypting thousands of email messages one by one in the hope that one of them contains sensitive information is a daunting and tedious task, and even the most dedicated hackers may feel it is not worth the effort.
When it comes to implementing this encryption, users have a variety of options. But one has become the standard way to encrypt emails: TLS. So let’s take a look at how that system works.
How TLS Works
TLS is most familiar to users for its ability to ensure secure browsing – indicated by the padlock icon in a browser’s address bar for those sites that use the system. Implementing TLS on websites is now standard practice, and has many benefits beyond enhanced security, such as increasing search engine traffic and preventing session hijacking. That’s why, at Zoho, we use TLS to ensure account security.
The applications of TLS don’t stop there, though. The system can (and indeed should) also be used for other web applications such as protecting your emails, file transfers, video/audio conferencing, instant messaging and voice-over-IP, as well as internet services such as DNS and NTP.
TLS uses a combination of symmetric and asymmetric cryptography. This is a compromise approach that takes advantage of the benefits of both types of cryptography.
Symmetric cryptography is very efficient in terms of computational resources, but having a common secret key means it needs to be shared securely. The big advantage of asymmetric cryptography is that the process of sharing encryption keys does not have to be secure. However, the mathematical relationship between public and private keys means that much larger key sizes are required, and much more computation needs to be done.
For this reason, TLS uses asymmetric cryptography for making and sharing a session key. This key is then used for encrypting data transmitted by the sender, and for decrypting the data received by the recipient. Once the session is over, the key is thrown away and never used again.
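The split described above, as an added sketch that is not Zoho's code or a real TLS implementation: two ephemeral Diffie-Hellman key pairs (the asymmetric step) yield a shared secret that never crosses the wire, and symmetric keys derived from it protect the data. Assumptions: the group `P`/`G` is a toy chosen so the example runs on the standard library alone, all function names are hypothetical, and the certificate check that authenticates the server in real TLS is left out.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption for illustration only): 127 bits is far
# too small for real use; TLS negotiates X25519 or groups of 2048 bits and up.
P = 2**127 - 1
G = 3

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def ephemeral_keypair():
    """Asymmetric step: fresh private exponent plus the public value sent in the clear."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_keys(my_priv: int, peer_pub: int):
    """Each side combines its own private key with the peer's public value."""
    shared = pow(peer_pub, my_priv, P).to_bytes(16, "big")
    return prf(shared, b"enc"), prf(shared, b"mac")   # separate encrypt / MAC keys

def _xor_stream(k_enc: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as the keystream (stand-in for AES-GCM etc.).
    stream = b"".join(prf(k_enc, nonce + i.to_bytes(4, "big"))
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(keys, plaintext: bytes) -> bytes:
    """Symmetric step: encrypt, then authenticate, under the session keys."""
    k_enc, k_mac = keys
    nonce = secrets.token_bytes(12)
    body = nonce + _xor_stream(k_enc, nonce, plaintext)
    return body + prf(k_mac, body)

def unseal(keys, record: bytes) -> bytes:
    k_enc, k_mac = keys
    body, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, prf(k_mac, body)):
        raise ValueError("record failed authentication")
    return _xor_stream(k_enc, body[:12], body[12:])

def demo_session(message: bytes):
    c_priv, c_pub = ephemeral_keypair()          # client side
    s_priv, s_pub = ephemeral_keypair()          # server side
    client_keys = session_keys(c_priv, s_pub)    # only c_pub and s_pub are exchanged
    server_keys = session_keys(s_priv, c_pub)
    record = seal(client_keys, message)
    return client_keys == server_keys, unseal(server_keys, record), record
```

Because both key pairs are generated per session and then dropped, a later session derives unrelated keys, which is the "thrown away and never used again" property.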
The History of TLS
The current TLS protocol can be traced back to the original implementation of SSL (Secure Sockets Layer), which was developed by Netscape back in 1994. TLS was first specified in RFC 2246 five years later.
In the mid-1990s, almost all internet traffic was unencrypted. Where encryption was used, it was typically called on infrequently in order to hide sensitive data such as credit card details or passwords. Since that time, the capabilities of hackers (and governments) to access private information have increased alarmingly. This led to calls for all information sent over the internet to be encrypted, and not just data seen as confidential.
The IAB, therefore, released a statement in November 2014 calling on protocol designers, developers, and operators to make encryption the norm for Internet traffic, essentially making it confidential by default. This was an early manifestation of the move from DevOps to DevSecOps, in which security is built into web apps at the design stage. It also recognized the growing importance of the Software as a Service (SaaS) business model, in which far more commercially sensitive data is shared over the web than with traditional software models.
Since 2014, all major web browsers have supported TLS, and many will warn users when they try to visit a web page that doesn’t use the protocol. However, usage of TLS in other applications – such as for email or VoIP – has lagged behind. As such, it is not always apparent to users when their data is being encrypted, and when it is not.
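One way to make email TLS usage visible, as an added example that is not part of the original post: each receiving mail server records the protocol it accepted a message over in a `Received` header, and the RFC 3848 keywords ending in `S` or `SA` (such as `ESMTPS`) mean that hop ran over TLS. The message below is constructed, using reserved example hostnames and addresses, and the function names are hypothetical.

```python
import re
from email import message_from_string

# "with" keywords that mean the hop used TLS (RFC 3848 and RFC 6531 registrations).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

# Constructed sample message; newest Received header is first, as on the wire.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby inbound.example.org with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tTue, 02 Jan 2024 10:00:03 +0000
Received: from relay.example.net (relay.example.net [198.51.100.20])
\tby mx.example.net with ESMTP id def456;
\tTue, 02 Jan 2024 10:00:02 +0000
Received: from laptop.example.net (laptop.example.net [192.0.2.10])
\tby relay.example.net with ESMTPSA id ghi789;
\tTue, 02 Jan 2024 10:00:01 +0000
From: alice@example.net
To: bob@example.org
Subject: constructed sample

body
"""

def _field(keyword, text):
    m = re.search(rf"\b{keyword}\s+([\w.\-]+)", text, re.IGNORECASE)
    return m.group(1) if m else None

def trace_hops(raw_message):
    """Return hops oldest-first as dicts: sender, receiver, protocol, tls."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        text = " ".join(value.split())            # unfold continuation lines
        proto = (_field("with", text) or "").upper()
        hops.append({"sender": _field("from", text),
                     "receiver": _field("by", text),
                     "protocol": proto,
                     "tls": proto in TLS_PROTOCOLS})
    return hops[::-1]    # servers prepend their header, so reverse for time order

def cleartext_hops(raw_message):
    """(sender, receiver) pairs for hops that did not report a TLS protocol."""
    return [(h["sender"], h["receiver"])
            for h in trace_hops(raw_message) if not h["tls"]]
```

Headers added before the message reached a server you trust can be forged by the sender, so treat only the hops recorded by your own provider as reliable.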
Why Is TLS Important?
Despite the patchy uptake of TLS in contexts outside web pages, it is nonetheless a very important security consideration for web app developers. It is recommended that all users use TLS to encrypt their email.
That’s why we’ve integrated TLS into Zoho Mail and made it easy to encrypt your emails using TLS. Email, however, is just one application of encryption. You should also ensure that all the other data you exchange online is encrypted using a reliable VPN service, and use end-to-end encrypted messaging apps wherever possible.
Ultimately, using encryption — whether for emails or anything else — is a way of reducing the amount of data that can be collected on you, and thereby reducing your exposure to cyberattack. If no one can read the information you send in your emails, no one can use it to cause you harm.
Despite the still-limited uptake of TLS outside web apps, it is about to become more important than ever. That’s due to significant security concerns about the Internet of Things (IoT), which is still highly insecure in comparison to more established connectivity technologies. In this context, TLS has been identified as a way to improve the security of the IoT. The only catch is that, as with smartphones, this will require all IoT devices to have the requisite processing power to handle TLS encryption algorithms.
For now, however, TLS remains a cornerstone of email encryption, and is not likely to be replaced anytime soon. It’s an important component of the way that Zoho is caring for your data, but should also be part of the security measures used by everyone who takes their online security seriously.
Gary Stevens is the CTO of Hosting Canada, a website that provides expert reviews on hosting services and helps readers build online businesses and blogs. Gary is also a full-time blockchain geek, a front-end developer, and a volunteer working for the Ethereum Foundation, as well as an active GitHub contributor.