Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1273
Views
0
Helpful
4
Replies

TLS and Encrypted Email

jwiegert1
Level 1
Level 1

‎02-11-2009 08:09 PM

We have a message filter to catch any Social Security Numbers that are sent outbound. We also have content filters to catch certain PHI terms or emails that contain the term {secure}. If the email is caught, it is encrypted and sent out with CRES. We are setting up TLS Required with most vendors especially now that they have TLS alerting. Is there a way for a message not to be Encrypted with CRES if the email establishes a TLS connection?

Labels:
0 Helpful
4 Replies 4

kluu_ironport
Level 2
Level 2

‎02-12-2009 09:32 AM

The decision making to encrypt a message based on the email's "sensitive" information or privacy terms occurs somewhere in the middle of the email pipeline. Establishing a TLS connection generally occurs towards the end of the pipeline.

Since these two are occurring at different stages in the pipeline, it would be difficult to make the determination to not encrypt a message that was going over a TLS connection, because if you didn't encrypt it earlier on, it would be to late.

I would say it is better to be safe than sorry and just expend the resources and encrypt the data and then if you do or do not transmit over a TLS connection, at least you can rest assure that if someone intercepted the email in tranmission, they would only be getting encrypted data.

0 Helpful

jwiegert1
Level 1
Level 1

‎02-19-2009 04:01 PM

We are setting it up for TLS required, so the email will not deliver unless we have a definite secure connection. This would seem like a good feature where TLS required would trigger a message to not encrypt

0 Helpful

Donald Nash
Level 3
Level 3

‎02-23-2009 06:37 PM

Message encryption (via CRES or other methods like PGP and S/MIME), is different from encrypted message transmission via TLS. The former encrypts the message from the origin all the way to the recipient's eyeballs. The latter only encrypts the message while it is in flight on one SMTP connection. The message is not protected on any other SMTP hops it may encounter (for example, if the destination mailbox is forwarded), nor is it protected when it is at rest in mail queues or the recipient's mailbox.

It is dangerous to assume that TLS provides message security. It does not. Even if the entire Internet switched to encrypted SMTP today, it still wouldn't, since messages would still be in the clear while at rest. If the content you want to protect is sensitive enough to warrant encryption via CRES, then don't bother worrying about TLS.

So what is TLS good for? It's very useful for encrypting passwords on authenticated SMTP connections. It can also thwart traffic analysis, since it encrypts the message envelope (which message encryption does not do). But the latter is only useful when you use TLS on the connections that the eavesdropper is likely to intercept.

0 Helpful

jwiegert1
Level 1
Level 1

‎02-23-2009 06:49 PM

Good post. We did make the decision to do both TLS and CRES.

Thanks for your help.

0 Helpful
Customers Also Viewed These Support Documents