SSL also provides the ability for both the client and server to
identify themselves and enables applications to prohibit
communications with unknown parties. This is accomplished by
digital certificates which are exchanged between the sockets
before they are secured. The entire topic of digital
certificates is beyond the scope of this article, however I
will touch on it briefly.
During the initialization of the SSL communication, the server
sends its certificate to the client. The server's
certificate includes identifying information and also an
encryption key which this client should use for the encrypted
communication to follow. The client is able to verify the
authenticity of the certificate to prove to itself that it is
indeed communicating with the correct mail server, otherwise an
error is thrown.
After the client has authenticated the server, the client may
also supply a certificate to identify itself. This step is
optional, but its purpose is to enable the server to authenticate
the client. In an email system for example, the server may
be configured to only communicate with known clients. This level of security is not usually implemented because it
requires special setup on each client as well as more
administrative work on the server, thus negating the transparency
of SSL to the end user. Perhaps as email clients
and servers get more robust they might make client authentication
easier for the users and administrators.
There is a big bonus to using SSL to secure email. Since SSL encrypts the entire client / server communication, not only
the contents of individual email messages, other data
sent between client and server, such as account names and
passwords are also encrypted and thus protected. This is
really important because what good does it do to encrypt your
message in route to the server, only to have your account name and
password intercepted and used to gain access to the server itself?
To use SSL with email, both the client and the server must have
built-in support. The sample code to follow will show you
how to easily include this support into your .Net client applications
with just a few lines of code! The server must also support
SSL. If your mail server does not support SSL, you may be
able to use SSL gateway software, or a relay server which supports
SSL. The gateway/relay server accepts mail over an SSL
encrypted connection and then passes the data on to your server
over a standard unencrypted channel. If the gateway/relay
and your server reside on the same system, or behind the same
firewall, most of the benefits of SSL may be retained. The
server will also need a digital certificate for SSL communications
which can be obtained from a certificate authority.
There are two important things to be aware of when using SSL to
Caveat One. SSL
does an excellent job protecting your data while it travels
between application doorways, but its protection ends there - at the doorway.
SSL does not protect data in either application, only on its path
between them. For example, someone who obtains your email
account and password may still be able to access your messages on
the server, although it should be noted that SSL client
authentication, if employed, might make this impossible.
Also, since SSL protects passwords as they are sent across the
network, they are virtually impossible to intercept, at least during the
encrypted conversation between the client and server.
Caveat Two. As an
email message travels across the Internet it will pass through one
or more SMTP servers. For example, if you are at a.com and
sending mail to someone at b.com, your message will normally go to
the a.com SMTP server first. The a.com SMTP server will then
contact the b.com server and relay the message to it. If
your client application and the a.com SMTP server both support
SSL, your client will be able to send secure mail to the a.com
server. However if the b.com server does not support SSL,
the a.com server may send the message to the b.com server without
encryption. There may be many servers involved with the
delivery of a message, and unless they are all under your control,
it will be impossible to ensure that your message is delivered via
SSL along the entire path. Also important to note is that
if the recipient's mail client application does not support SSL,
your message will be retrieved without SSL protection no matter
When can SSL help?
After reading the caveats you may be wondering how SSL can help
anyway. Actually there are some really good uses for SSL.
Intraorganizational is by far the greatest and best use of SSL
email security that I can think of. SSL email can easily protect intraorganizational communications
such as corporate, educational, government, military, healthcare,
etc... This is especially important where confidentiality/privacy concerns
are high, in fact recent privacy laws and
legislation such as HIPAA may require that certain email
SSL works well in these environments because all of the
communication systems can be placed under the central, internal
control of the organization. Intraorganizational mail can be handled by one
or more servers which all support SSL. The servers may be setup to
require all incoming connections to be encrypted with SSL, and all
mail clients can very easily be configured to connect to their
company server via SSL.
This is a fairly easy situation to
implement and administer and will provide excellent email security
within the organization. Communications between Employees, Executives, Board
Members, Contractors, those on the road and those working from
home are all easily protected by a very high level of security.
If you are building a web mail application or any mail
application that gets its data from web forms, etc, you can use
the HTTPS protocol so that the data can not be intercepted as it
travels between the user's browser and the server. In this
situation the mail client is actually a combination of the browser
and web server. HTTPS (SSL encrypted HTTP) protects data
between the browser and the web server, and the web server process
can also use SSL over SMTP, POP3, IMAP4, etc... to communicate
with the actual mail server, if necessary.
Up Next: Sample Code - and you won't believe how easy this is!