Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

The Other Things You Can Do With TLS

TLS, Transport Layer Security, is a means of securing the transmission of email between two MTAs (mail transfer agents). It prevents an eavesdropper from capturing the headers and body of an email in clear text. TLS is a near-universal feature of MTAs (there are some MTAs that privilege speed over security that lack the feature), and mail administrators usually have it enabled such that anyone attempting to send an email can request its use and negotiate a TLS session.

TLS, Transport Layer Security, is a means of securing the transmission of email between two MTAs (mail transfer agents). It prevents an eavesdropper from capturing the headers and body of an email in clear text. TLS is a near-universal feature of MTAs (there are some MTAs that privilege speed over security that lack the feature), and mail administrators usually have it enabled such that anyone attempting to send an email can request its use and negotiate a TLS session. In this column, I’ve highlighted some of the other things that can be done with TLS besides this opportunistic encryption of email. Transport Layer SecurityThey include:

  • Setting policy on the strength of encryption used
  • Verifying identities of machines
  • Authenticating permission to relay email

These address various business problems that might otherwise be solved with another technology, may reduce the risk a specific vulnerability, and comply with regulations and industry best practices.

Setting encryption policy

Under the TLS standard, the SMTP server decides the cipher suite (a key exchange algorithm, an encryption algorithm that includes a key size, a message authentication code, and a pseudorandom function for creating the master secret to use between the sever and the client) that will be used. When a TLS session is being negotiated the client sends a cipher suite list to the server. The server then picks from the list the preferred method to be used. The client is free to decide whether it is acceptably strong or not. A sender that is concerned about securing the connection from eavesdropping will want a large (128 bit or greater) key, which will put the content beyond the capabilities of most nefarious persons from brute-force decrypting the content. For example, AES-256 (Advanced Encryption Standard with a 256 key length) is a cipher suite that has been approved by the NSA for use in securing Top Secret information. Several financial services firms require the use of AES-256 for customer communications that contain financial information. They configure their outbound MTAs to require a negotiated TLS session with AES-256.

Verifying identities of machines

During the TLS negotiation an SMTP server can request an X.509 certificate from the SMTP client. This may be used to establish the identity of the sending machine. When the server receives the certificate from the client, the server may then verify the chain of authority of the certificate to determine that the certificate is valid and the SMTP client is who they say they are. This permits an organization to construct essentially a VPN for email, where receivers can know that a message is coming from where it claims to come from and is not being spoofed. For example, military supply chains are very complex with prime contractors sourcing parts from many different sources and there is a lot of collaboration between firms. They can exchange CA certificates or use client certificates from well-known CAs, like Verisign. Once client certificates can be verified the firms may establish TLS policy such that TLS is required and a valid certificate be presented, when communicating amongst themselves.

The MTAs used for external relay by external agents should be separate from the main inbound MTA infrastructure for the organization. The reason is that under the Internet standards, a primary Internet mail exchanger cannot require authentication in order to accept email.

Authenticating permission to relay

Many companies face the problem of permitting external relay of email for remote employees, contractors and independent agents. They need to allow an external person to send email as if they are from inside the organization when they are not. One solution is to grant external users VPN access to effectively become part of the internal network in order to send email. This has the drawback of requiring client-side software to be deployed and maintained to the external machines. It also requires authentication credentials be maintained. An organization could use SMTP authentication to permit relay, but here again, authentication credentials need to be maintained. A sender needs to remember to use a password to relay email. It leaves the organization vulnerable to end users choosing poor passwords that could easily be guessed. An alternative is to authenticate permission to relay with certificates presented as part of a TLS session rather than using SMTP authentication. The organization issues certificates to the end users that they install in their email clients. Then, when they connect to send email off the organization’s DMZ email servers, the DMZ email server can require TLS and a certificate and validate that certificate to permit relay. This way, passwords are not required any longer.

Leveraging existing infrastructure

Advertisement. Scroll to continue reading.

TLS provides these features that many organizations don’t take advantage of when they could. They have access to military-grade encryption and authentication that is built into the way Internet email works and could effectively reduce cost and complexity of alternative VPN solutions. When deployed internally, TLS helps deal with internal threats of disclosure of sensitive and secret information in military, intelligence, and financial services in particular. Furthermore, it can radically improve the communication security with external representatives prevalent in the mortgage and insurance industries.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...