When using SSL in an email client, do email attachments travel through an encrypted tunnel?
All traffic that travels over an SSL connection is encrypted, whether it's a Web page, a file or, in this case, an email attachment traveling between a mail client and a SMTP (Simple Mail Transfer Protocol) or IMAP server. Over an SSL connection, the email message and attachment both use SMTP and may travel between several machines before ending up in the recipient's email inbox. This works differently than a protocol like FTP, where the file is transferred directly between two machines.
When you send an email and an attachment via SSL, it travels from the PC to the office email server. Once the recipient collects the email, the message and attachment travels again via SSL to their PC. However, if an email is sent to someone outside the organization, the email is likely to be sent in plaintext. Despite this limitation, it is certainly better to use SSL for all SMTP connections that cross the Internet and other public networks.
To use SSL, you must install a digital certificate on your mail server and encrypt both mail collection as well as mail delivery. Encrypting only the SMTP protocol protects just the mail that's delivered to a Microsoft Exchange server, and not, for example, the POP3 or the IMAP4 mail collection. It's also important to remember that your message, even when sent over an SSL connection, is only encrypted during transit. The message will appear in plaintext while at rest on the mail server or the recipient's PC and on any backup media.
Therefore, to ensure email messages and attachments are secure, it is wise to encrypt them before they are sent. Using file encryption not only protects the attachment while in transit, but also protects the file as it is stored on a PC, while it passes through any mail servers and when it arrives at the recipient's machine. I also recommend signing any important messages. However, never blind carbon copy (bcc) someone an encrypted email because most email clients make it easy for the recipient to see who was bcc'd!
Dig Deeper on IPv6 security and network protocols security
Related Q&A from Michael Cobb
Sending sensitive information in attachments is inherently unsafe, and the main way to secure them -- encryption -- can be implemented inconsistently... Continue Reading
Spyware can steal mundane information, track a user's every move and everything in between. Read up on the types of spyware and how to best fix ... Continue Reading
Explore the differences between symmetric vs. asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and... Continue Reading