
Server-side SSL boosts security

Apr 14, 2003
Messaging Apps, Networking

E-mail is rarely secure, but users rarely care. E-mail is secure enough for most users under most circumstances, even those involving transmission of sensitive content. People leave most messages unencrypted and unsigned because they believe the risks of eavesdropping and tampering are minimal – until someone proves otherwise. Customers have voted with their dollars in favor of e-mail products and hosted services that skimp on end-to-end security.

Even in this post-Sept. 11 environment of heightened alert, the secure messaging market has not been a runaway success, although it’s by no means on the decline. Vendors continue to provide innovative secure messaging products and attract customers in high-sensitivity vertical markets, such as government, finance, healthcare and legal.

We won’t see a universal end-to-end security protocol for e-mail any time soon. None of the contenders for that distinction have broken out of their narrow market niches, and none of the underlying conditions that have kept them in these niches have changed substantially. Public key infrastructure (PKI) products continue to be complicated to implement, administer and integrate with messaging systems, especially at the client side. Alternatives to PKI have achieved some success, but suffer from a lack of open, nonproprietary standards.

However, the situation for secure e-mail usage isn’t as bleak as it would appear. The market for secure Webmail services continues to expand, based on the server-side Secure Sockets Layer (SSL) feature built into all Web servers and browsers. Server-side SSL might be regarded as the principal secure e-mail protocol in use worldwide. It is the basis for stand-alone Webmail environments, as well as for messaging products and hosted services. It is the security protocol for browser access to corporate e-mail systems such as Microsoft Exchange and Lotus Domino. And it is an alternate delivery mechanism for Secure/Multipurpose Internet Mail Extensions (S/MIME) gateways to push content securely to non-S/MIME-enabled recipients.

Server-side SSL is the predominant security protocol used in many other niches of the collaboration market. HTTP over SSL (HTTPS) is the primary front-channel client/server security protocol used in secure instant messaging, mobile e-mail access, Internet-facing collaboration environments, Weblogs, Web conferencing and secure file transfer. (Its sister protocol, server-side Wireless Transport Layer Security, also is broadly used in mobile messaging.)

In the back channel between infrastructure components, SMTP over SSL is widely used to encrypt sessions between message routers, relays, gateways and content filters. SSL is being used increasingly as a VPN protocol, an alternative to IP Security, Point-to-Point Tunneling Protocol and other standards.

One big advantage of server-side SSL is reliance on a simple but ubiquitous PKI-based trust infrastructure. Under server-side SSL, the server, but not clients, is provisioned with X.509 certificates. Clients trust the root certificate authority that issued the certificate, usually a public certificate authority such as VeriSign. Clients then authenticate the server cryptographically, and authenticate themselves to the server using ID and password. The SSL-enabled server then sets up secure, encrypted sessions with clients on the fly.

But server-side SSL doesn’t provide an end-to-end secure messaging protocol, so it can’t compete directly with S/MIME, Pretty Good Privacy and secret-key-based approaches. One of its limitations is that it encrypts only on a particular channel, usually client-to-server or server-to-server. Another limitation is that it doesn’t support signing of individual messages within an encrypted session. S/MIME, by contrast, supports end-to-end per-message encryption and signing.
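To make the hop-by-hop limitation concrete, here is an added example in Python (not from the original article) that audits a message's Received: trace headers for relay hops that did not negotiate TLS; the hostnames, addresses and message ids in the sample are constructed.

```python
# SMTP over SSL protects one relay-to-relay session at a time, so a message is
# only as protected as its least-protected hop. Each relay records the protocol
# it received the message with in a Received: header (RFC 5321 trace fields);
# RFC 3848 registers ESMTPS / ESMTPSA for TLS-protected sessions.
import re
from email import message_from_string

# "with" keywords that denote a TLS-protected session (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Received: from <host> ... by <host> ... with <protocol> ...
_HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\w+)",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample: three hops; the middle one (relay -> mx2) ran without TLS.
SAMPLE_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
    by mail.example.org with ESMTPS id abc123; Mon, 14 Apr 2003 09:00:03 -0400
Received: from relay.example.com (relay.example.com [198.51.100.5])
    by mx2.example.net with ESMTP id def456; Mon, 14 Apr 2003 09:00:02 -0400
Received: from client.example.com ([203.0.113.7])
    by relay.example.com with ESMTPSA id ghi789; Mon, 14 Apr 2003 09:00:01 -0400
From: alice@example.com
To: bob@example.org
Subject: quarterly numbers

(body omitted)
"""


def parse_hops(raw_message):
    """Return one dict per Received: header, newest hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        match = _HOP_RE.search(" ".join(value.split()))  # unfold the header
        if not match:
            continue  # non-standard trace line: skip rather than guess
        proto = match.group("proto").upper()
        hops.append({"from": match.group("from"), "by": match.group("by"),
                     "protocol": proto, "tls": proto in TLS_PROTOCOLS})
    return hops


def unprotected_hops(raw_message):
    """Hops whose receiving relay did not record a TLS session."""
    # Trust only headers written by relays you operate; anything added
    # upstream of your own MX could have been forged by the sender.
    return [hop for hop in parse_hops(raw_message) if not hop["tls"]]
```

Run on real mail, only the Received: lines added by your own relays are authoritative; the sample shows the client-to-relay and mx2-to-mail hops protected while the relay-to-mx2 hop was sent in the clear.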

But it’s not clear that many users need these end-to-end security features. Server-side SSL isn’t the ultimate solution for all secure messaging needs, but it addresses users’ most pressing concerns with insecure transmission channels. It is a universal, flexible standard for securing network services at the application level, and its role in secure collaboration environments will continue to grow.