When using SSL in an email client, do email attachments travel through an encrypted tunnel?
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
All traffic that travels over an SSL connection is encrypted, whether it's a Web page, a file or, in this case, an email attachment traveling between a mail client and a SMTP (Simple Mail Transfer Protocol) or IMAP server. Over an SSL connection, the email message and attachment both use SMTP and may travel between several machines before ending up in the recipient's email inbox. This works differently than a protocol like FTP, where the file is transferred directly between two machines.
When you send an email and an attachment via SSL, it travels from the PC to the office email server. Once the recipient collects the email, the message and attachment travels again via SSL to their PC. However, if an email is sent to someone outside the organization, the email is likely to be sent in plaintext. Despite this limitation, it is certainly better to use SSL for all SMTP connections that cross the Internet and other public networks.
To use SSL, you must install a digital certificate on your mail server and encrypt both mail collection as well as mail delivery. Encrypting only the SMTP protocol protects just the mail that's delivered to a Microsoft Exchange server, and not, for example, the POP3 or the IMAP4 mail collection. It's also important to remember that your message, even when sent over an SSL connection, is only encrypted during transit. The message will appear in plaintext while at rest on the mail server or the recipient's PC and on any backup media.
Therefore, to ensure email messages and attachments are secure, it is wise to encrypt them before they are sent. Using file encryption not only protects the attachment while in transit, but also protects the file as it is stored on a PC, while it passes through any mail servers and when it arrives at the recipient's machine. I also recommend signing any important messages. However, never blind carbon copy (bcc) someone an encrypted email because most email clients make it easy for the recipient to see who was bcc'd!
Dig Deeper on SSL and TLS VPN Security
Related Q&A from Michael Cobb
C&C servers have been replaced with Twitter accounts, which spread the Android Trojan Twitoor to user devices. Expert Michael Cobb explains how to ...continue reading
Two-factor authentication systems require more than using codes sent through SMS and smart cards. Expert Michael Cobb explains how to properly and ...continue reading
A Linux vulnerability that affects 80% of Android devices allows for attacks on TCP communications and remote code execution. Expert Michael Cobb ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.