
How can TLS increase e-mail security?


Now that you know what TLS is, this is the next obvious question.

Most Internet-based e-mail systems use a combination of three main protocols: SMTP (for message delivery) and POP and IMAP (for message retrieval). Of course, for proprietary systems (such as Exchange or Notes), there are other, different, protocols that take the place of these standardized ones. Nevertheless, when it comes to pulling and pushing e-mail across the Internet, these three are the dominant ones.

Since TLS is a "transparent" protocol, you can run any other protocol on top of it. In the Internet world, the general trend is toward every client/server protocol having two entries into a system (really, two TCP or UDP ports): the "standard" one, which is unencrypted, and an encrypted version. Although thousands of protocol port numbers are defined on the Internet, only a few major ones dominate Internet traffic, and, as mentioned above, three of them (four if you count http) carry most of the e-mail.

Thus, for IMAP, which is normally run over port 143, there is now an encrypted port: 993.

The table below gives some of the mappings for protocols that are defined to run over TLS:

 Protocol       Normal Port   Encrypted Port
 http           80            443
 NNTP           119           563
 LDAP           389           636
 FTP-data       20            989
 FTP-control    21            990
 Telnet         23            992
 IMAP           143           993
 IRC            194           994
 POP3           110           995
 SMTP           25            465 (revoked)


Notice in the chart that SMTP port 465 is marked as "revoked." This is because there has been a lot of debate within the Internet community about whether or not each protocol now needs two ports. The obvious problem with this is that there are a lot of protocols, and defining a second port for each one is going to be a long and ugly process.

An alternative to this is to have an "upgrade" built-in to each protocol. With an upgrade, two sides start to communicate on the normal port. Then one of them decides to "upgrade" the connection to a higher level of security. The two sides negotiate this and, if the upgrade is successful, begin to communicate using a more secure channel.

The problem with the upgrade idea is that it is very susceptible to "man in the middle" attacks, a kind of security attack in which someone is able to insert a receiver and transmitter into a connection, receiving the data and then retransmitting it to the other side. If the man in the middle is properly situated, he may be able to convince both sides that they are running a secure channel, when in fact he is able to read everything sent over the connection.

In any case, many protocols, including SMTP, are being retrofitted with an "upgrade" feature that allows cooperating client and server systems to jump from unencrypted to encrypted on the same channel.

Right now, the most popular way to run SMTP is to use port 25 and then use the SMTP extension "STARTTLS" (RFC 2487) to upgrade the protocol from unencrypted to encrypted. This is the problem that Exchange and the PIX have: Exchange offers to upgrade, and the PIX gets in the way.
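The EHLO/STARTTLS exchange described in the last three paragraphs, as an added example that is not from the newsletter or from any of the products it names. Both sides are simulated in memory in Python so the dialog runs offline; the TLS handshake that follows the server's 220 reply is represented by a state flag rather than performed, and the hostnames and addresses (mail.example.org, client.example, alice@example.org) are made up. The FilteringProxy class is a hypothetical stand-in for an intermediary that does not pass the STARTTLS offer through to the client, and the client's require_tls switch is the check a mail client needs so that a missing offer ends in a refusal rather than a silent fall back to the clear.

```python
from dataclasses import dataclass, field


@dataclass
class SmtpServer:
    """Server side, reduced to the commands the upgrade needs (EHLO, STARTTLS, MAIL, QUIT)."""
    hostname: str
    offers_starttls: bool = True     # False models a server with no certificate installed
    tls_active: bool = False
    transcript: list = field(default_factory=list)

    def handle(self, line: str) -> list:
        self.transcript.append("C: " + line)
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            reply = [f"250-{self.hostname} Hello"]
            if self.offers_starttls and not self.tls_active:
                reply.append("250-STARTTLS")   # the offer to upgrade the connection
            reply.append("250 OK")
        elif verb == "STARTTLS":
            if self.tls_active:
                reply = ["503 TLS already active"]
            elif not self.offers_starttls:
                reply = ["454 TLS not available due to temporary reason"]
            else:
                # A real server would now run the TLS handshake on the same socket.
                self.tls_active = True
                reply = ["220 Ready to start TLS"]
        elif verb == "MAIL":
            reply = ["250 OK"]
        elif verb == "QUIT":
            reply = ["221 Bye"]
        else:
            reply = ["502 Command not implemented"]
        self.transcript.extend("S: " + r for r in reply)
        return reply


class FilteringProxy:
    """Hypothetical intermediary (firewall or SMTP proxy) that relays the dialog
    but does not pass the STARTTLS offer through: the 'PIX gets in the way' case."""

    def __init__(self, upstream: SmtpServer):
        self.upstream = upstream

    def handle(self, line: str) -> list:
        return [r for r in self.upstream.handle(line) if r != "250-STARTTLS"]


def send_with_upgrade(server, require_tls: bool) -> dict:
    """Client side. Issues EHLO, upgrades if STARTTLS is offered and accepted,
    then sends MAIL FROM. With require_tls=True the client refuses to continue
    in the clear when the upgrade is missing or fails."""
    caps = server.handle("EHLO client.example")
    encrypted = False
    if "250-STARTTLS" in caps:
        code = server.handle("STARTTLS")[0][:3]
        if code == "220":
            encrypted = True                         # TLS handshake would happen here
            server.handle("EHLO client.example")     # RFC 2487: EHLO again after the upgrade
    if require_tls and not encrypted:
        server.handle("QUIT")
        return {"sent": False, "encrypted": False, "reason": "STARTTLS not available"}
    server.handle("MAIL FROM:<alice@example.org>")
    return {"sent": True, "encrypted": encrypted, "reason": ""}


if __name__ == "__main__":
    direct = SmtpServer("mail.example.org")
    print(send_with_upgrade(direct, require_tls=True))
    print("\n".join(direct.transcript))
    behind_proxy = FilteringProxy(SmtpServer("mail.example.org"))
    print(send_with_upgrade(behind_proxy, require_tls=True))
```

The second EHLO after the 220 reply is deliberate: the capabilities a server advertises before the upgrade are not trustworthy, so the client discards them and asks again over the encrypted channel. Running the script with require_tls=False instead shows the failure mode from the text: the proxied session completes, but in the clear, and nothing in the dialog tells the user.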

Support for these encrypted protocols is growing. I use the Netscape 4.5 client at home, with encrypted IMAP and SMTP. Servers such as Exchange and PMDF support it, so depending on how your system is configured, you may be getting encrypted e-mail without knowing it (at least from MTA to MTA). Of course, just installing Exchange isn't sufficient to get TLS; you must follow Microsoft's lengthy instructions and get a certificate to enable the security features.

This is one of the first areas, though, where firewalls may be decreasing (instead of increasing) security. If your firewall will let through unencrypted IMAP traffic on port 143, but won't let through encrypted IMAP traffic on port 993, then your firewall may be forcing users who want to read mail across the Internet to expose their usernames and passwords to the world. Similarly, for SMTP, if your firewall relays your mail or if it proxies SMTP but blocks TLS, then you could be losing security, rather than gaining it!
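A check for the firewall problem just described, as an added example that is not from the newsletter: it takes a firewall's list of allowed TCP ports and, using the protocol/port table above, reports every protocol whose cleartext port is reachable while its TLS port is blocked. The rule list is constructed for illustration; SMTP is left out of the table because its port 465 is revoked and a STARTTLS upgrade on port 25 cannot be judged from port numbers alone.

```python
# (normal port, TLS port) per protocol, copied from the table in the text.
TLS_PORTS = {
    "http": (80, 443),
    "NNTP": (119, 563),
    "LDAP": (389, 636),
    "FTP-data": (20, 989),
    "FTP-control": (21, 990),
    "Telnet": (23, 992),
    "IMAP": (143, 993),
    "IRC": (194, 994),
    "POP3": (110, 995),
}


def audit_allowed_ports(allowed):
    """Return one finding per protocol that the firewall forces into the clear:
    the normal port is allowed but the TLS port for the same protocol is not."""
    allowed = set(allowed)
    findings = []
    for proto, (plain, tls) in sorted(TLS_PORTS.items(), key=lambda kv: kv[1][0]):
        if plain in allowed and tls not in allowed:
            findings.append(f"{proto}: port {plain} open but TLS port {tls} blocked")
    return findings


# Constructed sample rule set: a firewall that passes the classic mail and web ports only.
SAMPLE_ALLOWED = [25, 80, 110, 143, 443]

if __name__ == "__main__":
    for finding in audit_allowed_ports(SAMPLE_ALLOWED):
        print(finding)
```

On the sample rule set the audit flags POP3 and IMAP and is silent about http, whose TLS port 443 is open as well. The fix is the one the text implies: open the TLS port alongside the normal one, or close the normal one.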

Your action items: find out if your POP and IMAP clients support encryption over TLS, and if they don't, either upgrade or pressure your vendor for support. Next, find out if your servers support encryption, and do the same: upgrade or get the vendor to fix it.

RELATED LINKS

Joel Snyder is a senior partner with Opus One, a consulting firm in Tucson, Arizona. He spends most of his time on the road helping people build larger, faster, better, and more reliable networks. His professional travels have taken him from San Francisco to St. Petersburg, where he always carries his trusty Macintosh and modem, neither of which have cute names. He is also a member of the Network World Test Alliance and writes extensively on networking topics. Reach him at joel.snyder@opus1.com.

More information on the SMTP-over-TLS RFC: RFC 2487

Review: IMAP clients
Network World, 11/30/98

IMAP makes messaging simple
Network World, 11/30/98

When transparent LAN service may be right for you
Network World, 4/14/98

Transparent LAN service as an alternative to frame relay
Network World, 4/10/98

Archive of Network World on Groupware and Messaging newsletters

