The fact that VPNs and end-to-end encryption are becoming common topics in everyday conversations shows just how much we are starting to rely on technologies that keep our data secure and private.
One of the common points of failure in this regard is email. Adding some protection to email is not hard these days, and there are two approaches you will keep running into: TLS and end-to-end encrypted email. This article compares them.
TLS encrypts your email while it is in transit between two hops, but not while it sits on a mail server or after it has reached its destination, and it has pitfalls of its own. End-to-end encrypted email encrypts the message itself, so not even the mail server operators can read its contents.
When email was designed in the 1970s, security was barely a consideration. The core protocols were standardized in the early 1980s, but security features have been bolted on piecemeal since then, and efforts to standardize them are far more recent.
Now there are attempts to standardize email security too, and Transport Layer Security (TLS) is being pushed as the baseline for protecting email in transit. But TLS still has its problems.
TLS – The Good, The Bad, And The Standard
TLS is a transport encryption protocol that grew out of the older SSL. It is used to protect not only email connections (SMTP, IMAP and POP) but also web traffic (HTTPS).
Essentially, a certificate authority issues a certificate that binds a server's domain name to its public key. During the TLS handshake the client checks that certificate, and the two sides agree on session keys that encrypt everything exchanged over that connection. The same mechanism secures connections between users and websites, between mail clients and mail servers, and between mail servers.
Purely on an email level, TLS encrypts a message while it is in transit, one hop at a time.
This means the message is encrypted between the sending device and the sender's mail server, then again between the sender's mail server and the recipient's mail server, and finally between the recipient's mail server and the receiving device or email client. Each of those is a separate TLS connection, and the message is decrypted at the end of every one.
It sounds perfect, and it is better than having no security.
But TLS is far from perfect. For it to protect every hop, every device, server and piece of client software along the path has to support it, and has to insist on it.
Most mail clients now use TLS to talk to their own provider by default. The weak link is the server-to-server hop: mail servers typically offer TLS opportunistically, so if the next server does not advertise it (or an attacker on the path removes the advertisement), the message is sent in plain text and can be read by anyone on that path. Wherever TLS is NOT used, the email is exposed, and that leaves several areas of weakness that can be exploited.
Add to this that most email service providers store messages in a form the server can read, because the server needs to index, search, filter and deliver them.
This also means that anyone who gains access to the email server, including support staff and anyone who compromises it, can read your private email conversations.
Even if you configure TLS in your email client, the service provider decides how the mail is stored on the server.
This is because TLS does not encrypt the email itself; it sends the email over an encrypted connection.
Each connection is encrypted, but the message itself is not. Being decrypted and re-encrypted at every hop, and sitting in the clear in between, is the primary weakness of TLS for email, though there are other issues. These include:
- Handshake overhead. Each TLS connection adds a handshake (extra round trips) and some CPU work. For email this is rarely noticeable, so it is not a good reason to skip TLS, but it is often cited as one.
- Version support. There are several TLS versions, and the old ones (SSL 3.0, TLS 1.0 and 1.1) are deprecated because of known weaknesses. Not every platform supports the latest version, and a server that still accepts old versions can be talked down to them.
- Attacks. Because TLS is so widely deployed, it is a well-studied target with a history of published weaknesses in older versions and cipher suites. For email specifically, the best-known problem is STARTTLS stripping: an attacker on the path removes the STARTTLS capability from the server's response, and an opportunistic sender simply falls back to plain text.
- Cost of implementation. Certificates used to cost money; today free certificate authorities exist, but certificates still have to be obtained, deployed, monitored and renewed on every server, and in a large or complex network that is real operational cost.
- Complex networks can cause problems. TLS itself scales well, but certificate management, version policy and interoperability across many servers and vendors become difficult in large or complex environments, which slows adoption of a strict TLS policy.
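The following is an added example, not code from the original article or from any mail software, that plays out the server-to-server hop described above. It simulates the SMTP EHLO exchange, an on-path attacker that strips the STARTTLS capability, and two sender policies: the usual opportunistic one, which falls back to plain text, and a strict one that refuses to deliver without TLS. Hostnames and addresses are constructed placeholders; no network connection is made.

```go
package main

import (
	"fmt"
	"strings"
)

// Outcome summarises one simulated SMTP delivery attempt.
type Outcome struct {
	Encrypted  bool     // STARTTLS negotiated before any mail data was sent
	Aborted    bool     // client refused to deliver in the clear
	Transcript []string // the exchange as the client saw it
}

// serverEHLO is a constructed EHLO response from a receiving mail server
// (mail.example.net is a placeholder) that advertises STARTTLS.
var serverEHLO = []string{
	"250-mail.example.net Hello sender.example.org",
	"250-SIZE 52428800",
	"250-STARTTLS",
	"250 ENHANCEDSTATUSCODES",
}

// honestPath delivers the server's response unchanged.
func honestPath(lines []string) []string { return lines }

// stripSTARTTLS models an on-path attacker that deletes the STARTTLS
// capability. Everything else is left intact, so the client cannot tell
// the result from a server that never offered TLS in the first place.
func stripSTARTTLS(lines []string) []string {
	var out []string
	for _, l := range lines {
		if !advertisesSTARTTLS(l) {
			out = append(out, l)
		}
	}
	return out
}

// advertisesSTARTTLS recognises "250-STARTTLS" (continuation line) and
// "250 STARTTLS" (final line), case-insensitively.
func advertisesSTARTTLS(line string) bool {
	if len(line) < 4 || !strings.HasPrefix(line, "250") {
		return false
	}
	return strings.EqualFold(strings.TrimSpace(line[4:]), "STARTTLS")
}

// runClient models a sending mail server. With requireTLS false it behaves
// like a typical opportunistic sender: use TLS if offered, otherwise send
// in the clear. With requireTLS true it refuses to continue without TLS,
// which is the policy that MTA-STS or DANE lets a receiving domain demand.
func runClient(requireTLS bool, path func([]string) []string) Outcome {
	var o Outcome
	log := func(s string) { o.Transcript = append(o.Transcript, s) }

	log("C: EHLO sender.example.org")
	offered := false
	for _, l := range path(serverEHLO) {
		log("S: " + l)
		if advertisesSTARTTLS(l) {
			offered = true
		}
	}

	switch {
	case offered:
		log("C: STARTTLS")
		log("S: 220 2.0.0 Ready to start TLS")
		log("-- TLS handshake; everything below is encrypted --")
		o.Encrypted = true
	case requireTLS:
		log("C: QUIT  (policy: TLS required, none offered)")
		o.Aborted = true
		return o
	default:
		log("-- no TLS; everything below travels in plain text --")
	}
	log("C: MAIL FROM:<alice@sender.example.org>")
	log("C: RCPT TO:<bob@example.net>")
	log("C: DATA ... message body ...")
	return o
}

func main() {
	for _, c := range []struct {
		name    string
		require bool
		path    func([]string) []string
	}{
		{"opportunistic sender, honest network", false, honestPath},
		{"opportunistic sender, STARTTLS stripped", false, stripSTARTTLS},
		{"TLS required, STARTTLS stripped", true, stripSTARTTLS},
	} {
		o := runClient(c.require, c.path)
		fmt.Printf("== %s: encrypted=%v aborted=%v\n", c.name, o.Encrypted, o.Aborted)
		for _, l := range o.Transcript {
			fmt.Println("   " + l)
		}
	}
}
```

The second case is the one to notice: nothing fails, nothing is logged as an error, and the message is delivered in plain text. Only a sender that treats missing TLS as a hard failure (the third case) is protected against a stripped advertisement.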
Encrypted Email – An Inconvenient Necessity
Actual encrypted email, also known as end-to-end encrypted email (E2EE), means encrypting the contents of the message itself before sending it, typically with OpenPGP or S/MIME, or with a provider's own scheme.
This way the message can only be read by the intended recipient, or by whoever holds the key needed to decrypt it. Encrypted emails can, and should, still be sent over TLS as an additional layer, not least because the headers (sender, recipient, subject, timestamps) are not covered by end-to-end encryption, and only TLS hides them from onlookers on each hop.
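As an added illustration of what "encrypting the contents before sending" means in practice (example code, not from the article or from any of the providers it names), the program below seals only the body of a message for one recipient using X25519 key agreement and AES-256-GCM. A bare SHA-256 of the shared secret stands in for the proper key derivation that OpenPGP or S/MIME implementations use, and the addresses are constructed placeholders. The point it makes is the one in the text: every server on the path can still read the headers, but the body is opaque to anyone without the recipient's private key, and a mail server operator holding a key of their own gets nothing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Message is a minimal email: headers stay readable by every server on the
// path; only Body is protected end to end.
type Message struct {
	Headers map[string]string
	Body    string
}

// NewKeyPair creates an X25519 key pair. The public half is what you would
// publish; the private half never leaves the owner's device.
func NewKeyPair() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// aeadFor derives an AES-256-GCM cipher from the ECDH shared secret. Both
// parties reach the same key: mine.ECDH(theirs) == theirs.ECDH(mine).
// Simplified KDF: a real system would run the secret through HKDF with
// context, not a bare SHA-256.
func aeadFor(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := mine.ECDH(theirs)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBody encrypts plaintext for recipientPub and returns base64 text that
// can travel in the body of an ordinary email. The From and To headers are
// bound in as associated data, so the ciphertext cannot be cut out and
// pasted into a message between other parties without detection.
func SealBody(sender *ecdh.PrivateKey, recipientPub *ecdh.PublicKey, from, to, plaintext string) (string, error) {
	gcm, err := aeadFor(sender, recipientPub)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(from+"\x00"+to))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// OpenBody reverses SealBody. It fails if the wrong private key is used or
// if the nonce, ciphertext or bound headers were altered in transit.
func OpenBody(recipient *ecdh.PrivateKey, senderPub *ecdh.PublicKey, from, to, encoded string) (string, error) {
	gcm, err := aeadFor(recipient, senderPub)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(raw) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:n], raw[n:], []byte(from+"\x00"+to))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	alice, _ := NewKeyPair()  // sender
	bob, _ := NewKeyPair()    // intended recipient
	server, _ := NewKeyPair() // a mail server operator with a key of their own

	from, to := "alice@example.org", "bob@example.net"
	body, _ := SealBody(alice, bob.PublicKey(), from, to, "Quarterly numbers attached.")
	msg := Message{Headers: map[string]string{"From": from, "To": to, "Subject": "Q3"}, Body: body}

	fmt.Println("headers visible to every hop:", msg.Headers)
	fmt.Println("body as stored on the server:", msg.Body)
	if _, err := OpenBody(server, alice.PublicKey(), from, to, msg.Body); err != nil {
		fmt.Println("server operator cannot open body:", err)
	}
	pt, _ := OpenBody(bob, alice.PublicKey(), from, to, msg.Body)
	fmt.Println("recipient reads:", pt)
}
```

Note what this buys and what it does not: the subject line and both addresses are still plain text in the stored message, which is exactly why the text above says to keep using TLS on every hop even when the body is end-to-end encrypted.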
A number of providers market encrypted email, among them ProtonMail, Hushmail, CounterMail, Tutanota, Mailfence, Runbox and Posteo; the list goes on. What exactly is encrypted, and between whom, differs from one to the next.
Some of these provide free services; others are premium only. Some focus on business or corporate email; others serve private users. But they all differ in some fundamental ways.
Services like ProtonMail and Tutanota give you a web platform to log into. Some use, or have used, a two-password process: one password to log in and a second to unlock (decrypt) the mailbox, so that the decryption key is derived on your device rather than held by the provider.
A message is sent end-to-end encrypted if you send it to another user of the same service, for example ProtonMail to ProtonMail. Messages to other email services leave the provider as ordinary email, protected only by whatever TLS the hops support, and arrive in the clear on the recipient's end.
You can force a message to an external recipient to be end-to-end encrypted, though. What this does is send the recipient an email containing a link.
After they click the link, they are asked for a password, which you have to send them some other way (not by email).
The message contents never leave the provider's site unencrypted, and nobody without both the link and the password can open it. The security of the whole arrangement, however, is only as good as the channel you use to share that password.
This is also a primary reason why encrypted email has not really taken off as it should have. It is inconvenient, and many people do not understand how it works.
Especially in a business environment: if you are bombarded with hundreds of emails containing only links, and receive the passwords for those emails from all your clients through other channels, the result is mass confusion and irritation.
Because of this, proper encrypted email is still far from being an accepted standard. But it is becoming more and more essential for many people.
Encrypted email should be the default way to send sensitive or personal communications.
Any other way is simply not secure enough, and a message can be exposed far more easily than most people believe. E2EE has become a necessary inconvenience.
Conclusion
Encrypted email is very different from TLS. Encrypted email means the message itself is encrypted; TLS encrypts the connection the message travels over, one hop at a time.
Though TLS is fast becoming an expected standard, and large providers increasingly enforce it, encrypted email still has a way to go before it gets there. If at all possible, use both. At the very least, make sure you use TLS. Some protection is better than none.