Email Security: TLS and S/MIME
Asked Answered
O

2

6

My understanding is that TLS is an encryption technique that allowing two STMP servers to communicate with each other securely. If HTTPS is used to connect to an STMP serve is that the same as using S/MIME?

Osmond answered 11/10, 2010 at 14:17 Comment(0)
H
15

No. TLS encrypts the communication channel. S/MIME encrypts the message. I.e., it's the difference between "talking openly on a secure line" and "talking in code on an insecure line."

Halophyte answered 11/10, 2010 at 14:22 Comment(2)
is the entire communication channel encrypted if both the clients connect to the servers via an encrypted channel and both SMTP servers communicate with TLS?Osmond
Yes. You can typically inspect the headers on the recipient side to see if the message had been sent over a TLS link. Note a few things however: the contents of the message will not be encrypted on the recipient's server's disk and you can not guarantee that all three of those steps (sender sending, server exchange, recipient receiving) will use encryption. If you need end-to-end protection, then you have to encrypt the message itself (via S/MIME, GPG, etc.)Halophyte
M
7

HTTPS is used to connect to an STMP

There seems to be a misunderstanding regarding what HTTPS and SMTP are. HTTP and SMTP are two distinct protocols. HTTPS is essentially HTTP over SSL/TLS, which secures the communication between the client and the server. Similarly, communications between an SMTP client and an SMTP server can be secured using SSL/TLS (there are two variants: SMTP over SSL/TLS directly, on a specific port, or TLS initiated via STARTTLS within the SMTP protocol; either way, HTTPS isn't used to connect to an SMTP server). In both cases, this is transport-level security.

In contrast, S/MIME is about message-level security, where the messages are encrypted (even when they've been received and are sitting in your inbox).

What can be relevant to both SSL/TLS (for HTTP, SMTP, ...) and S/MIME is the notion of certificates and PKI (Public Key Infrastructure), which is what helps make decision regarding the trust in the remote party, necessary for security.

Mandy answered 11/10, 2010 at 16:52 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.