I had an interesting dialog with Michael B. of ThemeFusion support. (ThemeFusion is the developer of our much-loved Avada theme for WordPress.) It was centered around whether or not it was OK (i.e. secure) to send administrator passwords via email. I contended it wasn’t and he contended it was. It turns out we were both right, but he was “more” right than I was in this case.

The secret ingredient is a cryptographic protocol called Transport Layer Security (TLS for short). This is the protocol that makes modern “https” websites secure (replacing the now deprecated SSL protocol). What I didn’t realize was that TLS is widely supported by email servers as well. So much so, that if you use email from most modern providers, TLS is “baked in” to the process. Here’s my simplified explanation of the dialog between the sending and receiving email servers:

1. Sender: Hi.

2. Receiver: Hello.

3. Sender: Do you support TLS?

4. Receiver: Yes.

5. Sender: Let me have your public encryption information (SSL certificate) so I can be sure you are who you say you are and encrypt my message to you.

6. Receiver: Here’s my SSL certificate.

7. Sender: It looks good to me. Here’s an encrypted email for you.

8. Receiver: Got it. Thanks!

So, when the “ordinary” plain text email is sent from the sender to the receiver, it is encrypted and essentially impossible to “sniff” (intercept) and decode by any computer or router along the way.

But what happens if, in step 4, the receiver says “No” (I don’t support TLS)? If the server goes ahead and sends it anyway (called “opportunistic TLS”), then there is no encryption and the password could be “sniffed”. For higher security, “forced TLS” would be used and the email would NOT be sent (and perhaps another would be sent in its place warning of the missing TLS support).

Also, it is important to note that once the email gets to your server, it is once again unencrypted. So if someone gets access to the server, they could see the contents of the email. So TLS is different from “end-to-end encryption” where the email is encrypted from start to finish and is never stored on the server decrypted.

How to Test for TLS

How can you tell if your email server supports TLS? It’s easy… Just enter your email address in the form at CheckTLS.com. If you are secure, you’ll get a summary like this:

When we first ran this test, there was a warning under “Cert OK” because our SSL certificate server name didn’t match our MX record server name. I updated our MX record to match the server name being reported in the SSL certificate and then we got our “100” score.
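The sender's side of steps 3 to 7, the opportunistic versus forced choice, and the certificate-name check behind the “Cert OK” warning can be sketched in Python. This is an added example, not code from the original post or from CheckTLS; the function names, the EHLO replies and the host `mx.example.test` are constructed for illustration.

```python
import smtplib
import ssl

# Constructed EHLO replies: greeting line first, then one extension keyword per line.
EHLO_WITH_TLS = "mx.example.test\nSIZE 35882577\nSTARTTLS\n8BITMIME"
EHLO_NO_TLS = "mx.example.test\nSIZE 35882577\n8BITMIME"


def advertises_starttls(ehlo_reply: str) -> bool:
    """Steps 3 and 4: does the receiver list STARTTLS among its extensions?"""
    # Skip the greeting; compare only the keyword at the start of each line.
    keywords = [ln.split()[0].upper() for ln in ehlo_reply.splitlines()[1:] if ln.strip()]
    return "STARTTLS" in keywords


def delivery_decision(ehlo_reply: str, policy: str) -> str:
    """Return what a sender does under 'opportunistic' or 'forced' TLS."""
    if policy not in ("opportunistic", "forced"):
        raise ValueError(f"unknown policy: {policy}")
    if advertises_starttls(ehlo_reply):
        return "send-encrypted"
    # Receiver said "No": opportunistic falls back to cleartext, forced refuses.
    return "send-plaintext" if policy == "opportunistic" else "refuse"


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check of one MX host: is STARTTLS offered, and is the certificate valid for `host`?"""
    result = {"starttls": False, "cert_ok": False, "tls_version": None, "error": None}
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls"] = smtp.has_extn("starttls")
            if result["starttls"]:
                smtp.starttls(context=ctx)  # raises if the name does not match
                result["cert_ok"] = True
                result["tls_version"] = smtp.sock.version()
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"certificate rejected: {exc.verify_message}"
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    print(delivery_decision(EHLO_NO_TLS, "forced"))
    print(probe_mx("mx.example.test"))  # placeholder; use your own MX host
```

Many residential and cloud networks block outbound port 25, in which case `probe_mx` reports a connection error rather than a TLS result.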

Bottom Line

Here are my take-aways from this little investigation:

  1. Check that your incoming mail server supports TLS. (If it doesn’t, try to fix it.)
  2. Ask the sender if their outgoing mail server supports TLS (because you can’t test it directly). Ideally, they would use a “forced TLS” protocol for truly secure emails. But “opportunistic TLS” might be acceptable for ordinary email.
  3. Don’t assume TLS gives you total security. It only secures transport of the message, not storage.
  4. Be nice to support people, even when you know you are right. You might learn something.