When using SSL in an email client, do email attachments travel through an encrypted tunnel?
All traffic that travels over an SSL connection is encrypted, whether it's a Web page, a file or, in this case, an email attachment traveling between a mail client and a SMTP (Simple Mail Transfer Protocol) or IMAP server. Over an SSL connection, the email message and attachment both use SMTP and may travel between several machines before ending up in the recipient's email inbox. This works differently than a protocol like FTP, where the file is transferred directly between two machines.
When you send an email and an attachment via SSL, it travels from the PC to the office email server. Once the recipient collects the email, the message and attachment travels again via SSL to their PC. However, if an email is sent to someone outside the organization, the email is likely to be sent in plaintext. Despite this limitation, it is certainly better to use SSL for all SMTP connections that cross the Internet and other public networks.
To use SSL, you must install a digital certificate on your mail server and encrypt both mail collection as well as mail delivery. Encrypting only the SMTP protocol protects just the mail that's delivered to a Microsoft Exchange server, and not, for example, the POP3 or the IMAP4 mail collection. It's also important to remember that your message, even when sent over an SSL connection, is only encrypted during transit. The message will appear in plaintext while at rest on the mail server or the recipient's PC and on any backup media.
Therefore, to ensure email messages and attachments are secure, it is wise to encrypt them before they are sent. Using file encryption not only protects the attachment while in transit, but also protects the file as it is stored on a PC, while it passes through any mail servers and when it arrives at the recipient's machine. I also recommend signing any important messages. However, never blind carbon copy (bcc) someone an encrypted email because most email clients make it easy for the recipient to see who was bcc'd!
Related Q&A from Michael Cobb
Expert Michael Cobb explains how free Web application security scanning tools can help secure Web apps for budget-strapped organizations.continue reading
Expert Michael Cobb explains how password change frequency and reuse for third-party apps should be addressed in enterprise password policies.continue reading
Learn how a Web-based free spam-filtering service can secure email and prevent spam from attacking your enterprise.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.