Encrypting Emails vs. Encrypting Mail Servers
– What’s the Difference?
Is Encrypting a Mail Server Enough?
The most straightforward answer is no. Let us explain.
When you host your site or your email service with EvolvingMedia.com, we provide a free Basic Level Domain Name SSL Certificate to safeguard your hosting account and your website. This security protects your email and sFTP access too.
What if I don’t have an SSL Certificate?
If you do not want a certificate on the mail server:
- There is no way of guaranteeing that you’re connecting to the correct mail server.
- Any emails sent between your browser or email client and the server are not encrypted,
- Your email is sent as plain text,
- Your email can be read by anyone who gains access to the server,
- Your email can be intercepted with a man-in-the-middle (MITM) attack,
However, while an SSL Certificate will protect your emails in transit to and from your server, it does nothing to protect your emails as they pass through other servers, which may not have SSL. Additionally, securing your mail server doesn’t protect the emails at rest. For example, a hack where attackers gain access to email systems, like the famously large one at Sony in late 2014, would not be prevented by a server certificate.
Is Email Encryption the Answer?
For starters, I’m talking about S/MIME (Secure/Multipurpose Internet Mail Extensions) encryption here, though I’ll cover some other options in a future post. Similar to the server encryption discussed above, S/MIME is based on a public key, or asymmetric, cryptography and uses pairs of keys to encrypt and decrypt content (unlike symmetric cryptography which uses the same key for both). The key pair consists of a public key, which is meant to be shared and is used to encrypt and a private key, which is kept secret and used to decrypt.
How does S/MIME encryption protect your emails?
The technology underlying S/MIME means that only the intended recipient of your email can read it. How? Well, it comes back to that key pair – your public key is used to encrypt the email, and ONLY the corresponding private key can decrypt it. Assuming your private key isn’t compromised, you are the only one who can decrypt and read the email.
If you decide to use S/MIME when sending email, hackers wouldn’t be able to read your emails even if they got access to your corporate email systems because they wouldn’t have your private key to decrypt them. Or if you didn’t have a certificate on your mail server, your emails were intercepted in transit; they’d still be safe. The same applies for any other unprotected servers they may pass through – because you’re encrypting the emails themselves, they’d stay safe from prying eyes.
Authentication and data integrity
In addition to encryption, S/MIME enables you to add digital signatures to your emails, thus protecting your emails from falling into the wrong hands. Plus it will prove that your email came from you (i.e. is not a spoof or phishing email) – the digital signature is applied with your private key and verified with your public key, which is unique to you. Your identifying information is included in the signature, which most email clients display prominently.
Valid Digital Signature
Prevent changes to your email after being sent – when a digital signature is verified (in this case, when a recipient opens your email), a process takes place behind the scenes that compare the email contents at that moment to when the signature was applied. If the content doesn’t match, an error will display, so your recipient knows something is wrong and not to trust the contents of the email.
So where does this leave us in the server vs. email encryption debate?
Let’s agree that installing an SSL Security Certificate on your host and mail server is the right thing to do to protect your clients and your site– why leave yourself vulnerable to “Man In The Middle” attacks when a proven solution exists? If you’re really concerned about your emails being intercepted or read on your server, then consider encrypting your email as well.
What do you think?